(AlbertaIndex, March 11, Tuesday) --- DeVry Institute of Technology has been found responsible for failing to protect the personal information of a student whose identity was later stolen for possible fraudulent purposes.

Following an investigation, the Office of the Information and Privacy Commissioner (OIPC) said it found that the institute had contravened the Personal Information Protection Act (PIPA) when it collected photocopies of students’ drivers’ licenses and social insurance cards, and failed to properly protect the information.
 

The OIPC stepped in after a student reported to police that someone had submitted a fraudulent credit application to a furniture rental company using his name, some false information, and a photocopy of his actual driver’s license, social insurance card and DeVry student card.

The complainant believed that an employee of DeVry was responsible for this misuse of his personal information. The employee had made a copy of the complainant’s identification in the past in order to assist the student with submitting loan documents to provincial and federal loan centres.

While the Calgary Police Service conducted a criminal investigation into the activities of the employee in question, the OIPC investigator examined whether DeVry had authority to collect the information in the first place.

To assist students, the OIPC said DeVry was photocopying student identification on their behalf and mailing it to the loan centers with the loan documents, to save students the trouble of doing so themselves. However, DeVry began collecting extra copies of students’ identification to keep on its own files in order to process any future loan documents.

The OIPC said its investigator found that DeVry did not have authority to collect its own copies of the identification for its files and that the institute had failed to implement reasonable security measures to protect the personal information once collected.

The OIPC said that even if security measures had been implemented, the employee still had authorized access to the complainant’s identification cards if the complainant asked him to photocopy them to mail to the loan centres.

Even if extra copies were not being made for DeVry’s files, the employee still had the opportunity to make himself an extra copy when the complainant gave the employee his identification. However, OIPC ruled that DeVry did not fulfil its responsibility to protect personal information to the extent reasonable. Therefore, the organization was in breach of the PIPA whether or not the employee committed identity theft.

As a result of the case, OIPC said DeVry has agreed to implement a number of recommendations made by the investigator, including:

•    Cease photocopying student identification for loan files.

•    Remind students concerned about having identification photocopied that they also have the choice of making the photocopy themselves and mailing it with loan documents, or, authenticating their identity at Canada Post.

•    Ensure that all employees who manage personal information receive periodic privacy and security refresher training which includes reminders about organizational policy. New employees should be trained on hire and informed of how to access DeVry’s policies.

•    Require all staff to sign confidentiality agreements.

While some employees have legitimate or authorized access to sensitive personal information to perform their jobs, OIPC said an organization must make reasonable efforts to ensure that employees do not abuse their rightful access to personal information, and that all reasonable steps have been taken to protect personal information in the organization’s custody.

Did you enjoy this article? Please share it!