The following information was shared with Bow Valley College employees and students at an information session and through email and voicemail on the afternoon of October 22, 2012. The media has also been updated.
Update -- October 22, 2012 PM
The records discussed in the letter below included College's students, staff, and contractors from 1991-2010 as follows:
Students: March 13, 1991-Jan 21, 2010
Employees: July 1, 1998-Jan 6, 2010
Suppliers/Non-student customers: July 1/6, 1998-Jan. 14, 2010
October 22, 2012
Dear Bow Valley College Community member,
The College has been advised by the Office of the Information and Privacy Commissioner that a conscientious private citizen who purchased a computer server formerly owned by the College discovered computer records on the server that contain personal information regarding the College's students, staff, and contractors from 1991-2009.The decommissioned computer server had been sent by the College to an electronic recycler contracted to wipe the server of all data prior to them disposing of it.
The College immediately took steps to acquire the computer server from the citizen and the College now has the computer server in our possession. Through our ongoing investigation, we have determined that there is a low risk that the personal information contained on the computer server has been used or shared by any external source. However, the College is recommending that given the nature of the personal information contained on the computer server that those impacted may want to take the precautionary action of contacting appropriate financial and governmental institutions. As well, we are advising affected individuals of their right to file a complaint with the Office of the Information and Privacy Commissioner, who has begun an investigation.
As the College has used this electronic recycler for many years without incident, we are surprised and disappointed that their normal processes appear to have failed. I apologize on behalf of Bow Valley College and its Board of Governors for this matter. Further, I want to assure you that the College is taking every step possible to fully investigate this matter, cooperate with the Office of the Information and Privacy Commissioner, and ensure policies and procedures are in place to safeguard all personal information the College is mandated to protect.
Today, the College has begun, through email and the post, contacting those individuals whose records were stored on the computer server. We are sharing this information with you as we want the entire College community to be aware of the matter. We will also be posting information to the website and providing information to the media.
I want to share with you that upon notification of this very serious matter, the College immediately began an investigation. It should be noted that Bow Valley College is one of many public agencies that at one time has used an independent contractor for data wiping of decommissioned computer equipment. Moving forward we will no longer use any third party in the decommissioning of computer servers at the College. Instead, the College will handle every step of this process internally.
The College takes data security seriously and has, and continues to ensure safeguards are in place including use of encryption software, restricted access to sensitive data, data security agreements with third parties, and a highly secure data room.
As part of our investigation, we are following up on the status of any other computer servers that were provided to the electronic recycler during this time. We have determined that 13 of the 21 computer servers provided to the independent contractor on April 30, 2012 contained absolutely no personal or private information. Of the remaining eight computer servers, the most critical server has been recovered. The College is vigorously investigating to ensure that the other seven computer servers were fully wiped and properly recycled, as is the normal practise of the contractor. We have been advised by the electronic recycler that this has occurred. We anticipate that the seven computer servers did not contain the same level of personal information as contained on the recovered server; however, until our investigation is complete we cannot verify this as fact.
Again, on behalf of Bow Valley College and our Board of Governors, I apologize for the impact this has had on all members of the College community. You have my word that we are taking every step to not only resolve this matter, but also ensure it never happens again.
We understand that you may have questions and you can call 403-476-2222 - a phone line set up solely for the purpose of answering any questions those impacted might have. If you prefer, you can email your questions to firstname.lastname@example.org
President and CEO
"What can I do to protect my information?"
The Office of the Information and Privacy Commissioner website has links to a variety of resources that can help in protecting your information, visit: http://oipc.ab.ca/pages/Links/API.aspx
Financial Consumer Agency of Canada
The Financial Consumer Agency of Canada (FCAC) is an independent body working to protect and inform consumers of financial products and services. Visit: http://www.fcac-acfc.gc.ca/