An investigator into a possible leak of personal information of nearly 200,000 Bow Valley students has found that the institution had indeed failed to protect that information.
However, it also says that the school took reasonable steps to protect it and prevent a recurrence once the leak was discovered.
On September 19, 2012, an individual notified the Information and Privacy Commissioner about the purchase of a used computer server.
The server was one of 21 decommissioned servers that were scheduled to be picked up by the Electronic Recycling Association (ERA).
It contained personal information of approximately 183,900 students and 3,500 staff.
Bow Valley College thought that it had contacted the ERA to wipe the data from the servers, but there was no contract or agreement in place and no assurance that the data was wiped or devices destroyed.
When alerted of this incident, investigators say that Bow Valley College administrators took reasonable steps to prevent a recurrence.
The institution will also be conducting an independent audit of the controls implemented in response to the incident and report the results to the Commissioner’s office by February 7, 2014.