uVic accepts Privacy Commissioner’s Report

March 31, 2012

BC’s Information and Privacy Commissioner released a report on the January 2012 theft of a USB key containing the banking information of 12,000 University of Victoria employees. The report argues that the university “failed to implement reasonable safeguards” to protect the stolen data, but that it satisfied its legal obligations once the breach was discovered. The recommendations include updating privacy and security policies every 3 years, increasing the physical security of buildings that store personal information, stronger security measures for laptops and USB keys, and an external review of uVic’s privacy policies. uVic has accepted the findings, and has already implemented many of the suggestions, including alarming the Financial Services wing, and requiring all new laptops to be encrypted.  uVic News Release  |  BC Information and Privacy Commissioner News Release (PDF)

Postscript June 5, 2012 : UVic external review argues that the privacy breach was avoidable: A review commissioned by the University of Victoria suggests methods to increase security after a USB key containing payroll information was stolen in January. It suggests improved training and education, a wider use of encryption for sensitive data, enforcing existing policies, and developing campus-wide security standards. UVic has accepted this report and has already implemented many of its recommendations. UVic News Release