May 7, 2026

Policy on paper, reality in production

Data Series
| Part
2

Reading time:

5 min read

Nova Scotia Power was storing social insurance numbers it had no reason to keep. Follow one record through four copies and three environments to see where privacy actually breaks.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

Nova Scotia Power was storing social insurance numbers it had no reason to keep.

The SINs sat in a data repository connected to an energy usage insights programme. Not the billing system. Not the regulated customer record. A side project that collected social insurance numbers for purposes that, when the breach forced the question, nobody could fully justify (Nova Scotia Power compliance letter to the Privacy Commissioner of Canada, March 2026).

In March 2025, an attacker got in through a compromised website and a piece of malware called SocGholish. They were inside for 37 days before anyone noticed. By the time Nova Scotia Power discovered the breach, personal data belonging to 900,000 customers (current and former) had been exfiltrated. Names, dates of birth, account histories, driver’s licence numbers, and those social insurance numbers that never should have been there (CBC News, March 2026).

The breach was a security failure. The reason the breach was catastrophic was a privacy failure. Data collected beyond what was needed, retained beyond what was justified, stored with access controls that didn’t match the sensitivity of what was inside. Nova Scotia Power has since committed to deleting the SINs. The right move. Also a move that would have cost nothing 3 years earlier.

The gap between the policy and the environment is where the real exposure lives

In theory, every organisation has privacy policies. In reality, the data lives wherever it was last left.

Multiple departments with overlapping ownership and ambiguous accountability. Outdated documentation that describes a data environment from 3 versions ago. Classification that exists in a policy document but not in the systems the policy governs. And test environments full of real data that nobody knew they had to mask, because the person who set them up left 2 years ago and the handoff was a Slack message and a Tim Hortons gift card for the trouble.

In Canada, that gap carries regulatory weight now. Quebec’s Law 25 is fully in force, with administrative penalties reaching $10 million or 2% of worldwide turnover and penal fines up to $25 million or 4%. The Commission d’accès à l’information received 444 confidentiality incident reports in 2023–2024 alone (CAI Annual Report, October 2024). Active enforcement, not a warning letter regime. Law 25 applies to any organisation handling data from Quebec residents, regardless of where the organisation sits.

PIPEDA doesn’t carry the same teeth yet. But the Privacy Commissioner has been increasingly direct. Following the Nova Scotia Power breach, Commissioner Philippe Dufresne publicly stated that proactive data protection must be prioritised by all organisations. The regulatory floor is moving up.

Follow one record, see where privacy breaks

Follow one piece of sensitive data through a typical environment.

It starts in production. A customer record, collected with consent, stored with access controls, classified correctly. So far, compliant.

Then someone in development needs realistic test data. They copy the production table to dev. The access controls don’t follow. The masking doesn’t happen. A third-party integrator has access to that environment for a systems integration project. Credentialed. Doing legitimate work. Now looking at unmasked customer data nobody approved them to see.

That’s not malicious. That’s just ungoverned. Gary needed data for a build. He copied what was available. The privacy policy says nothing about dev environments because the privacy policy was written for production.

Meanwhile, analytics extracted the same customer data into a reporting layer. That extract feeds a dashboard and a quarterly export that lands as a spreadsheet on a shared drive with broader access than the source system.

Four copies. Three environments. Two departments unaware of each other’s copies. One privacy policy that covers none of it.

Now add offshore teams, vendors, staff turnover, remote access, and integrated architectures where your data touches systems you don’t administer. If your privacy controls only live in production, they cover about a third of the places your data actually goes.

Regulators stopped asking whether you have a policy

The question now is: can you prove your systems are doing what the policy says they do?

That means continuous, automated validation. Not a manual review once a year.

Address privacy upstream. If sensitive data is handled correctly at creation, every downstream copy inherits the protections. Handle it at the end and you’re chasing a problem that multiplied while nobody was looking.

Automate the enforcement. Manual masking doesn’t scale. Microsoft Purview handles data classification and sensitivity labelling. Protegrity handles fine-grained data protection across platforms. The tooling is the straightforward part. Wiring it into every environment, not just production, is the part that separates the organisations that survive incidents from the ones that become the cautionary tale at next year’s conference.

Design privacy into the workflow. When it’s wired into the pipeline from the start, approvals happen as work progresses. Legal doesn’t receive a PDF dump 2 days before go-live.

Govern every environment. Production, dev, test, archive, and the forgotten file server that survived 2 migrations. Nova Scotia Power’s SINs weren’t in a production system. They were in a repository for an insights programme. The breach didn’t care about the distinction. Neither did the Privacy Commissioner.

Where this leads

Privacy tells you what to protect. Security tells you how. The data doesn’t care about your firewall covers the architecture that enforces privacy controls across environments.

The governance layer that makes privacy enforceable rather than aspirational: Nobody gets promoted for governance work.

And if your data needs to stay under Canadian law and Canadian courts, that’s the Data Sovereignty service.

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA