Failure to properly wipe or destroy computer servers results in unauthorized disclosure of personal information

August 20, 2013

An investigator with the Office of the Information and Privacy Commissioner found that Bow Valley College (BVC) failed to protect personal information stored on its decommissioned computer servers as required by the Freedom of Information and Protection of Privacy Act. This failure resulted in the unauthorized disclosure of personal information when a decommissioned computer server was purchased by an individual. However, the investigator also found that BVC took reasonable steps in response to this incident including steps to prevent a similar recurrence.

On September 19, 2012, an individual notified the Information and Privacy Commissioner about the purchase of a used computer server. The personal information of approximately 183,900 students and 3,500 employees of BVC was stored on the server.

The investigation revealed that the server was one of 21 decommissioned servers that BVC had asked the Electronic Recycling Association (ERA) to pick up. BVC believed it had contracted ERA to wipe the data from the servers. However, BVC had no signed contract or agreement in place with ERA, and received no written assurance that the data had been wiped or that the devices had been physically destroyed.
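The gap the investigator identified is that BVC released the servers on a belief rather than on evidence: no one read the drives back after the supposed wipe, and no record tied a verified result to each device. The script below is an added example, not code from the report, BVC or ERA. It assumes a raw disk image of the kind produced by `dd` and a zero-fill wipe; the two 4 MiB sample images, the "student record" fragment inside one of them, the device serials and the record field names are all constructed for the example.

```python
# Added example: verify that a decommissioned disk image was really overwritten
# before it leaves your custody, and record the evidence of that verification.
# Not code from the report, BVC or ERA; assumptions are noted in comments.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # scan 1 MiB at a time


def residual_data_offsets(path, chunk=CHUNK, max_hits=8):
    """Return the starting offsets of chunks that still hold non-zero bytes.

    Assumes the wipe wrote zeros (e.g. `dd if=/dev/zero`); for a random-fill
    wipe you would check for the expected pattern instead. An empty list
    means every byte of the image read back as zero.
    """
    hits = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            if buf.count(0) != len(buf):  # any non-zero byte means residual data
                hits.append(offset)
                if len(hits) >= max_hits:
                    break
            offset += len(buf)
    return hits


def is_wiped(path):
    """True only if a full read-back found no residual data."""
    return not residual_data_offsets(path, max_hits=1)


def sanitization_record(device_serial, method, verifier, path):
    """The written evidence to hold before a device is handed over: which
    device, which method, who verified it, and what the read-back found.
    The field names are this example's own, not a standard."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            digest.update(buf)
    return {
        "device_serial": device_serial,
        "method": method,
        "verified_by": verifier,
        "verified_wiped": is_wiped(path),
        "post_wipe_sha256": digest.hexdigest(),
    }


def release_allowed(record):
    """Gate the hand-over on a recorded, verified wipe, not on belief."""
    required = ("device_serial", "method", "verified_by", "verified_wiped")
    return all(record.get(key) for key in required)


def make_sample_images(directory):
    """Constructed test data: a 4 MiB image that still carries a record
    fragment, and one that was zero-filled end to end."""
    size = 4 * CHUNK
    unwiped = os.path.join(directory, "unwiped.img")
    wiped = os.path.join(directory, "wiped.img")
    with open(unwiped, "wb") as f:
        f.truncate(size)  # sparse file: reads back as zeros
        f.seek(0)
        f.write(b"BOOTSECTOR")  # constructed stand-in for partition metadata
        f.seek(3 * CHUNK + 4096)
        f.write(b"student_id=000000,name=Example Student,dob=1990-01-01\n")  # constructed
    with open(wiped, "wb") as f:
        f.truncate(size)
    return unwiped, wiped


def demo():
    """Run the check against both constructed images and return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        unwiped, wiped = make_sample_images(d)
        bad = sanitization_record("SN-EXAMPLE-1", "zero-fill", "it-ops", unwiped)
        good = sanitization_record("SN-EXAMPLE-2", "zero-fill", "it-ops", wiped)
        return {
            "unwiped_offsets": residual_data_offsets(unwiped),
            "unwiped_release": release_allowed(bad),
            "wiped_release": release_allowed(good),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the record is that the verification result travels with the device serial: a recycler's verbal "we wiped it" does not satisfy `release_allowed`, and a drive that still reads back a record fragment at any offset cannot be released no matter what the paperwork says. On a real device you would run the scan against the block device itself (or an image taken after the vendor returns it) and keep the record alongside the signed contract.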

In addition to the steps already taken to respond to this matter, BVC agreed to conduct an independent audit of the controls implemented in response to this incident, and to report the audit results back to the Commissioner’s office by February 7, 2014.