Skip to primary navigation.
Skip to secondary navigation.
Skip to page content.

Return to top of page.
Skip to secondary navigation.
Skip to page content.
Return to top of page.
Return to primary navigation.
Skip to secondary navigation.

Privacy breach at UVic

Personal information theft: release of external review report

Over the weekend of January 7 and 8, 2012, a break-in at the University of Victoria’s Administrative Services Building resulted in the theft of personal information about current and former employees. Those affected include all individuals who had received pay through UVic payroll since January 2010.

In the wake of the break-in, the university took immediate action to address the situation and to implement practical measures to improve the security of confidential and highly confidential personal information.

UVic President David Turpin also commissioned an external review examining the security of sensitive personal information at the university, carried out by Dr. David Flaherty, an internationally-recognized expert in privacy issues. On Dr. Flaherty’s recommendation an internal assessment was conducted. It was carried out by Prof. Jamie Cassels of the Faculty of Law.

Dr. Flaherty's report is now available (PDF). It includes the internal assessment, as well as an introductory letter by President Turpin, indicating that the university has accepted the report. An overview of the many actions already taken and other measures underway or planned had been provided to Flaherty and Cassels; this overview is included in the report as an appendix, as are a number of other related documents.

Following the breach, the Office of the Information and Privacy Commissioner of BC (OIPC) launched its own investigation into the incident. The Commissioner is authorized to investigate the circumstances of privacy breaches to ensure compliance with the Freedom of Information and Protection of Privacy Act. The OIPC released its investigation report (see tab below) into the privacy breach on March 29, 2012. It contains five recommendations to the university.

To date, there have been no confirmed cases of fraud or identity theft linked to the university privacy breach.

Additional information about privacy and access to information can be found on the privacy page on the University Secretary's website.

Media release

June 1, 2012

University-commissioned privacy review available

The University of Victoria today released the report of an external review it had commissioned on the privacy breach at the university earlier this year. The breach resulted from a break-in at the Administrative Services Building on the weekend of January 7-8 and the theft, from a safe, of a storage device containing payroll information.

The review was conducted by former BC information and privacy commissioner David Flaherty, an internationally-recognized privacy expert, who examined how the university protects personal information across campus. UVic law professor and former Vice-President Academic Jamie Cassels was also asked to look at what led to the specific incident, to assess the steps the university has taken in response, and to report his findings to Flaherty.

Flaherty’s report contains recommendations for strengthening privacy and security protection through measures including: improvements in training and education; widening of encryption practices; additional enforcement of existing standards and policies; and the development of campus-wide physical security standards. The report also recommends greater coordination of policies; clarification of roles and responsibilities; and a review of business continuity and disaster recovery plans on campus.

The report notes that UVic started making systemic changes immediately after the incident and is already acting on many of the recommendations.

Flaherty describes the university’s overall initial response as “exemplary” and suggests that by applying the lessons learned from its recent experience, UVic can “become a leader in North American higher education on privacy and security protection.”

UVic has accepted Flaherty’s report and is considering how best to implement the recommendations.

The university also responded to a report on the incident from the Office of the Information and Privacy Commissioner for BC in March, accepting its findings and recommendations. All of those recommendations have been implemented or are in process. 

External report

Dr. Flaherty's report is now available (PDF). It includes the internal assessment, as well as an introductory letter by President Turpin, indicating that the university has accepted the report.

An overview of the many actions already taken and other measures underway or planned had been provided to Flaherty and Cassels; this overview too is included in the report as an appendix, as are a number of other related documents.

OIPC report

March 29, 2012

Office of the Information and Privacy Commissioner review

Following the privacy breach, the Office of the Information and Privacy Commissioner of BC (OIPC) launched its own investigation into the incident. The Commissioner is authorized to investigate the circumstances of privacy breaches to ensure compliance with the Freedom of Information and Protection of Privacy Act.

The OIPC released its investigation report into the privacy breach on March 29, 2012. It contains five recommendations to the university. To read the report, visit the OIPC website.

University response to Privacy Commissioner's Report

The University of Victoria has reviewed the investigation report into the January 2012 privacy breach at the university which was released March 29, 2012 by the Office of the Information and Privacy Commissioner of BC (OIPC) and accepts its findings and recommendations, says UVic President David Turpin.

“We appreciate the Commissioner’s thorough and thoughtful report and recognize that it identifies areas in which the university can improve the protection of personal information,” says Turpin. “We will be implementing the commissioner’s recommendations and, in fact, in a number of areas we are already taking significant steps.”

Measures already taken or underway include:

  • the B-wing of the Administrative Services Building containing Financial Services has been alarmed, and an assessment of the storage of personal information in other buildings and the adequacy of the physical security of those buildings has been initiated
  • technical safeguards are being put in place, encryption has been mandated for all new university computers, including laptops, and encryption standards are being developed for existing devices;
  • policies, procedures and practices around personal information are being reviewed; tools are being developed to identify where personal data are being stored and assess the risk; and awareness and training programs will be enhanced.

As a result of the OIPC recommendations, the university has committed to reviewing its privacy and security policies every three years to ensure they stay up to date with technological developments and will establish an annual cycle of risk assessments on personal information data banks on campus with reporting to the president.

President Turpin has also commissioned an external review examining the security of sensitive personal information at the University of Victoria, carried out by Dr. David Flaherty, an internationally-recognized expert in privacy issues.

“We are expecting Dr. Flaherty’s report later this spring,” says Turpin, “and will no doubt be taking further action following his recommendations.”

“I would like to thank the OIPC again for its prompt and helpful recommendations and would also like to acknowledge again the hard work of our university community in mounting the response as well as the patience and support of all those affected,” says Turpin.

To date, there have been no confirmed cases of fraud or identity theft linked to the university privacy breach.

Return to top of page.
Return to primary navigation.
Skip to page content.
Return to top of page.
Return to primary navigation.
Return to secondary navigation.
Return to page content.