A hard drive containing the personal information of 900 University of Ottawa (U of O) students has disappeared, prompting an investigation by the school.
The hard drive was from the university’s Student Academic Success Services (SASS), and temporarily stored data about students who received academic accommodation.
The school apologized in a press release on Sept. 21, and has since contacted students affected and set up a support line for them with information about the breach.
“Measures have been put in place at SASS to reduce the risk of the situation recurring,” the school said. The U of O has contacted the police, but they still don’t know what type of personal information was on the hard drive.
Privacy breaches at universities are not uncommon. This May, the Ottawa Citizen reported that Algonquin College accidentally emailed test scores and other personal information of 1,400 health students to 40 applicants. In 2008, a Carleton University student stole personal and financial data from 32 people to expose problems with the school’s information security.
Carlisle Adams, a U of O professor specializing in data security and cryptography, said the best way to protect data is through encryption.
“It’s hard for a policy to prevent an incident from happening 100 [per cent] of the time,” he said in an email. “This is why strong encryption of the data on the drive is highly recommended . . . so that if the device is lost or stolen the data on it will be unreadable.”
At Carleton, strict policies of encryption are set in place to avoid these problems, according to Bruce Winer, the assistant vice president for the university’s Institute of Research and Planning.
“You don’t store confidential information on desktop computers or USB keys unless it is encrypted,” he said. “That’s the policy at Carleton. I’m sure it’s the policy at U of O too but it’s difficult to enforce.”
Winer works with student data from the Student Academic Success Centre, similar to SASS, and said the data could be anything from a list of names to financial or personal information. He said protecting this kind of data is important for both ethical and legal reasons.
“An instructor shouldn’t necessarily know that a student has declared a disability,” he said. “You have an obligation as part of an institution to keep confidential data confidential. Plus, there’s legislation that requires you to.”
The breach has also left Carleton students concerned about their own privacy, said fifth-year Carleton communications student Taylor Hewitt.
“I think students rely on the school to keep their information private,” she said. “They put a huge amount of trust in the school when they give [information] and they’re breaking a promise . . . even if it’s not their fault.”
Adams said he hopes the U of O has strict policies, strong encryption, and a training program for employees working with sensitive data.
“My guess is that the university already does much of this, but it’s essential to stay vigilant because incidents can happen so easily.”