Canadian Healthcare Technology
Privacy & Security

Unprotected network called “privacy nightmare”

February 9, 2022


IQALUIT – Nunavut’s information and privacy commissioner calls an unprotected government network drive he discovered last year a “privacy nightmare,” and says most of the departments affected by the breach have done little to respond to the problem. “I was shocked by what I was able to see,” Graham Steele (pictured) said to Nunatsiaq News, following his release of a Jan. 28 report about his findings.

Steele began a review following a complaint he received in July about a file-sharing system called the “V: drive,” which allowed Government of Nunavut employees to share information between departments.

Each Nunavut community had its own drive, and, when used correctly, it limited who could see files to those with correct permission. But the drive was “often used incorrectly,” and when this occurred, any GN worker from that community could view any document contained within.

Steele said he found “dozens, and maybe hundreds, of files with privacy-invasive content.”

“I saw files with personal information touching on health, education, corrections, child protection, human resources, and more,” the report states.

“Some of it was highly sensitive, like diagnoses, prescriptions, and medical photographs. Some of it, if publicly released, could have endangered the health and safety of GN employees and others. None of it should have been left unprotected on the V: drive.”

Steele is unsure of how long there was open access to the drive, but it was “at minimum, a number of years.”

The network drive served a useful purpose, Steele’s report said: “it allowed cross-departmental collaboration within a community.”

But there were no controls to ensure the drive was being used correctly. Some files could have been uploaded to the V: drive by accident, or because the person uploading didn’t understand privacy risks, states the report. And once a file was up, there was nobody making sure it would get deleted, which led to sensitive documents accumulating over time.

When Steele learned about the issue, he contacted the Department of Community and Government Services, which runs the government’s computer systems. Within several days, access to the network drive was restricted.

In early September, he recommended that the government plan to replace and reconfigure the drive. On Nov. 1, the government shut down the V: drive and replaced it with something more secure.

Yuri Podmoroff, the territorial ATIPP manager, then contacted each public body that had unprotected files on the network drive and told them they should do a privacy breach assessment and, where appropriate, file a privacy breach report.

“That is what the law requires,” Steele’s report states. “I then waited for the privacy breach reports to roll in. And waited. And waited.”

In the end, he said he only received two reports – one from the Department of Economic Development and Transportation, the other from the Justice Department.

The Justice Department found a breach in operational information that, Steele said, “if it got into the wrong hands, could have had significant negative consequences, and might even have put people at risk of harm.”

The Justice Department’s audit found “a surprisingly large number of GN employees had viewed the information, even though there was no operational need for them to do so,” the report states.

“The department would not have known that if it hadn’t investigated. That is exactly why other departments need to do the same.”

Steele is still waiting for Finance, Education, Family Services, Health and Social Services and Community and Government Services to submit their reports, said Angela Petru, a spokesperson for the Department of Executive and Intergovernmental Affairs. Her department is responsible for administration of the Access to Information and Protection of Privacy Act.

“The list is not exhaustive and other GN departments may be asked to conduct their own investigation into the matter,” she said in an email.

Nunatsiaq News asked the affected departments about the status of their investigations. Education spokesperson Troy Rhoades was the only official to respond, with a confirmation that one is underway in his department.

Steele said he published his report to light a fire under other GN departments and public bodies that haven’t submitted their privacy breach reports.

“You owe it to the people of the territory to get that work done,” he said.
