An investigation by the Office of the Information and Privacy Commissioner found that the Edmonton Public School District did not follow its own policies and guidelines in the loss of a USB memory stick containing personal information of more than 7,000 individuals. The memory stick was not password protected or encrypted.
The School District notified the Commissioner and affected individuals regarding the loss in March 2011. The Commissioner received a number of complaints from affected individuals.
The investigation determined that even though the School District had policies and guidelines, training and practices in place, they were not followed in this incident. The Investigation Report also found that the School District had retained the personal information on a computer hard drive for a longer period of time than was necessary. The Investigation Report acknowledges the steps taken by the School District to prevent a similar recurrence and includes recommendations to further enhance the security of personal information. All of the recommendations have been accepted by the School District.
The Commissioner’s office reminds public bodies that the loss of personal information has both monetary and other costs, and emphasizes the importance of collecting only the personal information that is required and necessary, that the information only be retained for as long as necessary and that information must be properly protected while it’s in the control of the public body.