Privacy policies were breached in the disappearance of a hard drive containing personal information about Yukon and B.C. students, B.C.’s privacy commissioner has found.

Elizabeth Denham said Thursday in a 40-page report while the disappearance of the hard drive remains unsolved, it’s clear employees of the B.C. Ministry of Education breached privacy policies.

The report by the B.C. Information and Privacy Commission contains nine specific recommendations and numerous observations.

The B.C. Ministry of Education went public with the privacy breach last September.

At the time, the Yukon’s Department of Education indicated the information regarding approximately 8,000 Yukon high school students was restricted to academic information.

The Yukon files did not contain the more personal information provided in some B.C. files regarding health matters and information about students who were under the care of the B.C. Ministry of Children and Family Development, the department indicated.

As the Yukon uses the B.C. curriculum, information about Yukon students such as their grades and exam marks is shared with the province.

Yukon privacy commissioner Diane McLeod-McKay said today while the information regarding Yukon students is supposedly restricted to marks and grades, there is still cause for serious concerns.

It does not take a lot of personal information for thieves to steal identity, and she understands the information on the Yukon files is enough to get a thief started, she said. (See separate story.)

The office of B.C.’s privacy commissioner maintains there’s been no indication the information contained on the missing hard drive has been used in any way.

The investigation into the breach found information about 3.4 million B.C. and Yukon students was transferred in 2011 by the Ministry of Education from secure government servers to two portable hard drives, in part to reduce storage costs.

One hard drive was kept for office use. It was said the other backup drive was delivered to a long-term storage facility and placed in a secure file cabinet, though that particular hard drive has never been located.

It was during a general information review by the ministry last July that the missing hard drive was discovered.

Faded employee recollections remembered the hard drive. One employee even recalled delivering it to the storage facility, though there is no record at the facility of the drive being received or catalogued, says the report.

There were several intense searches of the storage facility and offices used by ministry staff, to no avail.

While it’s unknown whether the hard drive was protected by a security encryption or password, it likely was not, as the twin hard drive kept for office use was not encrypted, the report concludes.

The report says failures in policy occurred at the very beginning when the sensitive information was stored on portable hard drives, and not secure servers.

The existing Ministry of Education policy says personal information must be stored on secured servers.

Where there is a need to use portable hard drives, the information is to be transferred to secured servers as soon as possible, and the information on the portable drive is to be securely destroyed.

That the hard drive containing personal information was not encrypted was also a contravention of policy, as was storing the drive at a facility other than a secure government facility.

“The key message in this report is that, while it is essential to have strong privacy and security policies, these policies alone are not sufficient to constitute reasonable security measures,” Denham concludes in her report.

“The government had clear and appropriate policies in place that would have prevented the breach, if Ministry employees had followed them. These employees had received privacy training and appeared to be aware of the policies, but they did not abide by them.”

The report points out some of the information about B.C. students contained on the hard drive was quite personal, including the success rate and identification of students who were cancer survivors, or who had been living as wards of the province. There was information regarding a survey of teachers and their retirement plans.

None of the student files from the Yukon contain the more personal information, Jason Mackey of the Yukon’s Department of Education confirmed again this morning.

Nor were any Yukon teachers involved in the retirement survey, the department has said in the past.

The missing hard drive, says the report, did not contain financial information or social insurance numbers.

The most sensitive information on the hard drive was contained in the files pertaining to students who were receiving services from or under the direct care of the B.C. Ministry of Children and Family Development, the report points out.

Once the breach was discovered, it says, the Ministry of Education’s response was appropriate, though direct notification to individuals affected should have been much quicker.

As the breach occurred sometime in the last five years, the impact of the delay in notification was probably minimal, the report suggests.

Nonetheless, the privacy commissioner recommended: “Ministries should ensure that they conduct direct notification of affected individuals without delay, even in cases where there is not compelling urgency for immediate notification.”

B.C.’s privacy commissioner says there are lessons to be learned by all provincial ministries because the breach was completely preventable.

Denham did applaud the Ministry of Education’s steps to ensure such a breach does not occur again, including the appointment of a privacy officer to watch over the Ministry of Education.

McLeod-Mackey said the Yukon is still waiting for a list of the students whose information has gone missing.

Once the list is received, the Yukon will notify the students and conduct its own risk assessment, he said.

In a prepared statement issued late Thursday afternoon, Judith Arnold, the Yukon’s deputy minister of Education, says the Yukon continues to work with B.C. on the matter.

Arnold said the Yukon has been assured student information is being protected and is stored at a secure government facility in Kamloops.