Sensitive personal information about millions of students is at risk because British Columbia's Ministry of Education has misplaced a hard drive containing documents that were stored without a fundamental safety measure: data encryption.
Now, two investigations have been launched across the B.C. government to determine whether other private information is similarly jeopardized by sloppy data management.
"No doubt a mistake has been made," Amrik Virk, the minister responsible for government data security, told reporters Tuesday.
He said there is no indication the information has been misused, but the data should have been encrypted for security reasons: "It was contrary to policy and it was wrong."
The serious security breach includes student records detailing not just exam results but in some cases custody orders and files documenting substance abuse and mental-health issues. In the wrong hands, B.C. government officials warned, the information could lead to identify theft, damaged reputations or threats to an individual's employment opportunities.
The data was gathered in 2011 with good intentions. Files related to 3.4 million students and teachers who attended schools in B.C. and the Yukon between 1986 and 2009 were backed up onto two external hard drives to ensure that they would be preserved in case of a catastrophic failure of the central database.
In July, a records review by education ministry staff triggered a search for the hard drives – each device smaller than an average shoe box. It was only when the other hard drive was located in late August – also unencrypted – that B.C. government officials realized just how significant the data loss was.
The ministry sent a team of 50 people to tear open hundreds of sealed boxes in a warehouse near Victoria, but when that effort failed to locate the missing hard drive, officials notified Mr. Virk and Elizabeth Denham, B.C.'s independent privacy commissioner, on Sept. 18.
Mr. Virk said he has ordered a review of data privacy protection measures across the B.C. government. As well, Ms. Denham has launched an investigation, noting that the government had been repeatedly warned that it is not doing enough to protect citizens' private information.
"It is deeply concerning to learn about another case of a major privacy breach involving unencrypted data," Ms. Denham said in a statement. "The magnitude of this breach is especially troubling given that the education records on the external hard drive contained the personal information of more than three million students."
In an audit published in January, Ms. Denham identified gaps in the B.C. government's handling of data security and she is calling for legislation to ensure that citizens are told when their personal information has been compromised.
Rob Fleming, the NDP education critic, said the incident is likely the province's biggest personal data breach in history, touching "virtually every British Columbian between the age of 22 and 47."
He added, "It's about time there was some accountability here." He noted that British Columbia's ministry of education in particular was challenged about student records in the spring, but insisted on collecting and sharing even more data. "They were warned about the risks of unsecured data … and they assured British Columbians that student information was absolutely protected."
Jim Iker, president of the B.C. Teachers' Federation, noted that his union has opposed the B.C. government's increasing appetite for student data. "The government insists on collecting more and more data and maintaining centralized databases. But we have seen today how easily mistakes happen."
Mr. Virk said he is still studying the risk of the data breach before deciding who should be contacted.