The Newfoundland and Labrador Office of the Information and Privacy Commissioner recently released a report investigating a breach involving a stolen laptop containing student information. From the summary:
On 3 November 2008 Eastern School District (“ESD”) notified this Office that a break-in had occurred at a teacher’s home and the teacher’s laptop computer containing the personal information of 79 students had been stolen. The information consisted of student names, addresses, phone numbers and grades. The teacher had taken the information from the school on an encrypted USB drive and it was subsequently “backed up” on the laptop’s hard drive, without ESD’s knowledge. The teacher failed to realize the necessity of working directly from the encrypted USB drive in order to keep the information secure. The Commissioner found that section 36 of the Access to Information and Protection of Privacy Act (the “ATIPPA”) had been breached, as ESD had not taken proper administrative measures to protect the personal information in its custody or control. ESD has now distributed a brochure to all users of encrypted USB drives, clarifying the use and the role of these USB drives in protecting personal information. The Commissioner made no recommendations, as he found that this action satisfied section 36 of the ATIPPA in this case.
The full report is available here.