Insights Header image
Insights Header image
Insights Header image

The Case of the Missing Computers: Lessons Learned from Health Canada

September 21, 2022 Privacy Law Bulletin 3 minute read

An audit of Health Canada’s information technology (“IT”) systems (the “Audit”) found a long list of problems, including, among others, insufficient or inefficient tracking of IT assets, lack of proper maintenance of IT hardware assets, outdated IT hardware assets decommissioning processes, and overall inadequate governance and support for planning and engagement for IT asset management.[1] This bulletin aims at the lessons companies can learn from the Audit and highlights the importance of having and implementing a robust internal IT and cybersecurity program.

The Audit and Its Findings

The Audit included the examination and assessment of systems, records, personnel, and physical properties related to IT assets of Health Canada and the Public Health Agency of Canada (collectively, the “Department”) up to June 2019.  Although the Audit was completed in 2019, it was not made public until June 2022.  The Audit was not the first audit of the Department’s IT assets; an initial 2009 audit found several issues, and a subsequent 2013 audit found that improvements had been insufficient and the management of the applicable IT assets had not been adequately improved.  These earlier audits led to an overhaul of the Department’s IT related protocols in 2017, which the Audit was intended to evaluate.

Material findings from the Audit include the following:

  • Insufficient documentation and tracking of IT hardware assets, with certain IT hardware assets not tracked at all.  Ultimately, the auditors could not confirm the existence and location of approximately 74% of the IT hardware assets or a total of 35,000 devices;
  • Insufficient and error-prone tracking of software assets, where the purchase orders for 51% of the software assets tested could not be located;
  • Lack of process to ensure the management of low dollar value IT assets such as USB sticks, servers, laptops, tablets, computers, and monitors;
  • Insufficient controls for the maintenance of IT hardware assets; and
  • Lack of adherence to the Department’s requirements and process for decommissioning IT assets and lack of oversight of the said process.

Risks for Companies

Poor IT inventory management and a lack of robust IT and cybersecurity program can lead to massive risks to both public and private organizations, including the following.

  • Loss of data: Poor IT asset tracking and management reduce organizations’ ability to accurately account for, maintain, and properly safeguard their IT assets, which can lead to the loss of both confidential information of the organizations and personal information in the organizations’ custody.  This can lead to both financial and legal liabilities to the organizations.
  • Breach of contractual obligations: Many agreements, whether related to IT assets, have requirements to properly safeguard confidential information and personal information.  As soon as such information is exposed to poorly managed IT assets, it is at risk of theft and/or misuse, which may lead to substantial liability to organizations.  Further, the use of software is governed by software licenses.  The absence of appropriate tracking of the use of software assets can lead to breach of software licenses and intellectual property infringement claims.
  • Privacy complaints: Under Canadian privacy laws, individuals can complain to the applicable privacy commissioners about organizations for their mishandling of personal information, failure to provide access to personal information, or failure to correct mistakes in personal information.  Poorly managed IT assets reduces organizations’ ability to handle personal information in accordance with applicable privacy laws and increases the likelihood that a complaint is filed against the organizations.
  • Breach of privacy laws: Under private sector privacy laws, businesses are responsible for personal information in their custody.  Under public sector privacy laws, these obligations are also owed by service providers to public entities.  Failing to properly safeguard personal information as a result of poorly managed IT assets may amount to a breach of these obligations, which may lead to reputation loss as well as financial and legal liabilities.

In sum, failing to properly track, maintain, manage, and dispose of IT asset, whether laptops, mobile devices, servers, or USB drives (among others), increases the risk that an organization will be in breach of any applicable agreements tied to those assets, and any data residing on such assets cannot be appropriately monitored, maintained, or safeguarded.


Proper management of IT assets is a critical component of a robust IT and cybersecurity program.  All businesses should ensure that their IT and cybersecurity policies and procedures extend to IT asset management, and address the risks of not properly tracking and safeguarding any device containing personal, confidential or proprietary information.  This may include IT inventory tracking systems, regular audits of IT assets, and policies and/or procedures for managing the lifecycle of IT assets.

If you have any questions about any IT and cybersecurity related policies, practices or procedures, or Canadian privacy laws more generally, a member of our Privacy & Data Protection Group would be happy to assist you.

[1] Health Canada, Audit of Information Technology Asset Management (2022 June), online: Government of Canada.

by Robert Piasentin, Yue Fei, and Kristen Shaw

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Insights (5 Posts)View More

Featured Insight

Nothing Casual about it: Hotel Faces Employees’ Class Action over Employment Benefit Changes

Hotel faces employees' class action over employment benefit changes.

Read More
Sep 29, 2023
Featured Insight

“Mend your speech a little, lest it may mar your fortunes”: Are Employee Defamation Cases A Fool’s Errand?

This bulletin discusses the recent decision in Williams v. Vac Developments Limited regarding gag defamation proceedings commenced by employers.

Read More
Sep 27, 2023
Featured Insight

Overholding in Commercial Leasing

The concept of overholding is often misunderstood and deserves more attention in commercial leases, given the significant consequences for landlords and tenants.

Read More
Sep 27, 2023
Featured Insight

Competition Act Amendments on a Rocket Docket

Bill C-56 introduces amendments to the Competition Act, which are described as addressing rising grocery prices, but which have much broader implications.

Read More
Sep 26, 2023
Featured Insight

A Shopping Cart of Competition Law Changes

The Government announced amendments to the Competition Act as part of its announcement regarding combatting escalating grocery prices.

Read More
Sep 18, 2023