Staff won’t face discipline after UVic private data stolen
The president of the University of Victoria says nobody will lose their job after administrative staff failed to properly secure and store all employees’ sensitive information prior to it being stolen during a January break-in.
Nearly 12,000 employees past and present at UVic had their names, social insurance numbers and banking details taken when an unencrypted flash drive containing this info was stolen on Jan. 7 or 8 from the Administrative Services Building.
“We’re not going to be taking any discipline,” president David Turpin said, following the release of a report by the province’s information and privacy commissioner last week.
Elizabeth Denham’s report concluded UVic breached the Freedom of Information and Protection of Privacy Act when it failed to protect employees’ personal information.
“Given the amount and the sensitive nature of personal information contained on the university mobile storage device, coupled with the ease of encrypting the information, there is simply no rationale for failing to encrypt this information,” she said.
Turpin defended his employees simply by saying they were responding to an internal audit that asked that a backup device be made, in the event of an emergency.
“They prepared that, they stored it in a locked box, in a locked safe, it was bolted to a concrete floor in a locked room in a locked building, and they viewed that as a reasonable security arrangement. … Unfortunately it turned out to be inaccurate,” Turpin said.
The university has already taken steps toward improving security on campus, including adding alarms and mandating encryption standards for all electronic devices.