Edmonton Public School District Data Breach (2011)

Edmonton Public School District did not follow its own policy in the loss of memory stick containing personal information of more than 7,500 employees, says the Alberta privacy commissioner. An investigation by the Office of the Information and Privacy Commissioner found information on the USB memory stick was not protected by a password or encryption. The data included employment applications, resumes, transcripts, completed direct deposit forms (including cheques), copies of identity verification (i.e. driver’s licenses, first page of passports, birth certificates, etc.), injury forms, payroll correspondence, pension correspondence, benefits forms and correspondence, education credentials (i.e. certificate, degree, diploma etc.), job information history, pay-benefits history, performance evaluations, police criminal records check reports, etc., the report said. While the stick contained personal information of 7,662 employees, for 4,836 of these individuals there was minimal personal information (i.e. demographic information, employee ID number), the report said. However, for 2,826 individuals, the images on the USB stick "included considerable personal information, including social insurance numbers, banking information or both."