UVic Responds To Privacy Commissioner's Report

The University of Victoria has reviewed the investigation report into the January 2012 privacy breach at the university which was released today by the Office of the Information and Privacy Commissioner of BC (OIPC) and accepts its findings and recommendations, says UVic President David Turpin.

“We appreciate the commissioner’s thorough and thoughtful report and recognize that it identifies areas in which the university can improve the protection of personal information,” says Turpin. “We will be implementing the commissioner’s recommendations and, in fact, in a number of areas we are already taking significant steps.”

Measures already taken or underway include:

• the B-wing of the Administrative Services Building containing Financial Services has been alarmed, and an assessment of the storage of personal information in other buildings and the adequacy of the physical security of those buildings has been initiated;
• technical safeguards are being put in place, encryption has been mandated for all new university computers, including laptops, and encryption standards are being developed for existing devices;
• policies, procedures and practices around personal information are being reviewed; tools are being developed to identify where personal data are being stored and assess the risk; and awareness and training programs will be enhanced.

 As a result of the OIPC recommendations, the university has committed to reviewing its privacy and security policies every three years to ensure they stay up to date with technological developments and will establish an annual cycle of risk assessments on personal information data banks on campus with reporting to the president.

President Turpin has also commissioned an external review examining the security of sensitive personal information at the University of Victoria, carried out by Dr. David Flaherty, an internationally-recognized expert in privacy issues.

“We are expecting Dr. Flaherty’s report later this spring,” says Turpin, “and will no doubt be taking further action following his recommendations.”

“I would like to thank the OIPC again for its prompt and helpful recommendations and would also like to acknowledge again the hard work of our university community in mounting the response as well as the patience and support of all those affected,” says Turpin.

To date, there have been no confirmed cases of fraud or identity theft linked to the university privacy breach.
 

-- 30 --