The federal bureaucracy's reliance on wireless technology, including BlackBerries and WiFi networks, is jeopardizing the confidentiality of the personal information that Canadians entrust to the government.
The annual report of Privacy Commissioner Jennifer Stoddart, released Tuesday, included an audit of five federal departments responsible for storing many details of the lives of private citizens. Ms. Stoddart found that none has fully assessed the threats posed by wireless communication.
Her report says government employees are not required to safeguard information when they use cellphones and other wireless devices, nor are most of them instructed on the best ways of doing so.
None of the five organizations audited - Health Canada, Human Resources and Skills Development Canada, the Correctional Service of Canada, Indian and Northern Affairs, and the Canada Mortgage and Housing Corporation - require the encryption of the data stored on the smart phones used by their staff.
Just two of those departments have protected their local WiFi networks with the level of encryption recommended by the Communications Security Establishment Canada (CSE). And, even though the CSE has warned that peer-to-peer messaging, also known as PIN-ing, is vulnerable to interception, the technology is popular among bureaucrats and none of the departments has addressed the security issues it poses.
"We certainly want to trust the government. They have a lot of personal information that we're required to give. But sometimes they seem slow to learn the lessons …" Ms. Stoddart said in a telephone interview.
Even in cases where formal procedures have been developed to protect information, those rules are sometimes ignored.
Ms. Stoddart's office found that more than four in 10 of the surplus computers donated by the government to schools had not been wiped clean of information, some of which was highly sensitive and even classified.
In 1995, Ms. Stoddart's predecessor, Bruce Phillips, conducted a similar audit of the Computers for Schools program and found that about 90 per cent of machines had not been wiped.
Canadians don't have much choice about the kind of information they give to the government, said Ms. Stoddart. So "the government has a huge responsibility to make sure it's always up on the latest safeguards, the latest technology and the ways of protecting personal information."
Avner Levin, the director of the Privacy and Cyber Crime Institute at Ryerson University in Toronto, said the world is at the beginning of a learning curve in its use of both the Internet and mobile platforms.
"I expect that, with time, everyone, government included, will grow better at managing these platforms," Dr. Levin said. "At the same time, we are experiencing a major change in the way our data are stored and managed. And our legislation, and the Privacy Act in particular, written for the mainframes and databases of 30 years ago, are ill-equipped to protect us and to guide government."
Rene Hamel, a former RCMP computer forensic expert who now works for Digital Wyzdom Inc., a Toronto-based computer technology company, said the reality is that governments do not have time to adjust to the rapid changes in technology.
Ms. Stoddart, meanwhile, has been investigating a complaint lodged by Sean Bruyea, a veteran who says his personal health records were included in a briefing note to a former Veterans Affairs minister. The results of that investigation should be released within a couple of days, she said.
That will be followed by an audit of the Veterans Affairs Department's handling of private information. "We have seen just in the discussion in the press," said Ms. Stoddart, "that there could be some problems, some serious problems."