The Information and Privacy Commissioner for BC has released a special report about how the government manages privacy breaches and if it does so effectively.
There have been recent high profile cases about hackers exploiting not only government accounts but card payment systems, encrypted USBs and employees snooping at person records. As a result the Commissioner, Elizabeth Denham, has conducted the report to look at the impact on citizens and the government’s response and management of the breaches.
“I have chosen to focus on core government because public institutions occupy a trusted position in the lives of citizens,” said Denham. “Individuals often have no choice but to hand over their personal information in exchange for the services such as health care, education or other social benefits. This privileged position of trust leads to a heightened expectation that government will have appropriate safeguards in place to protect personal information.”
Information and Privacy Commissioner Elizabeth Denham (Photo Credit: OCIO)
The review revealed that the government has a solid foundation in place for managing privacy breaches and the majority of them are reported to the Office of the Chief Information Officer (OCIO) within a day or two of discovery. The government ministries provide notification to affected individuals when appropriate and the OCIO provides advice on preventative measures in almost every investigation.
But Denham says there are gaps in relation to audits of security safeguards, analysis of public reporting of breaches and follow up implementation of preventative measures. She goes on to say there is also a lack of clarity around when breaches should be reported. There are no specific standards that delineate when public bodies need to report suspected breaches to the OPIC, or when to notify affected people.
Photo Credit: OCIO
Since 2010 privacy breaches have been reported to the OCIO and the number of cases has increased considerably. Between April 1st, 2010 and December 31st, 2013 there were 3,770 suspected privacy breaches reported to the OCIO, of which 2,718 were found to be actual breaches. The majority of these government breaches, 83 per cent, involved the personal information of government clients. Most breaches, 72 per cent, concerned only one individual.
Photo Credit: OCIO
The majority of breaches have been the result of administrative errors and are considered minor in nature by the OCIO. Most of these errors occur because of misspent emails and account errors, according to the report. Just over one-in-10 privacy breaches from 2010 to 2013 occurred in-person where personal information was physically handed to an unauthorized person during an interaction, such as a cheque or other documents being issued to the incorrect individual.
Photo Credit: OCIO
The ministries with the largest amount of breaches as found by the OCIO include; Social Development and Social Innovation, Health, Children and Family Development, and Justice.
Photo Credit: OCIO
The report offers five recommendations to improve the province’s privacy breaches.
1. The Government of British Columbia establish an ongoing privacy compliance monitoring function within the OCIO that: a) Reviews processes, policies and training government-wide, to ensure that breaches are promptly reported to the OCIO and that affected individuals are notified without delay; b) Conducts regular follow-up with ministries to ensure full implementation of prevention strategies and recommendations provided through the breach investigation process; c) Reviews privacy and security safeguards within ministries and service providers; d) Conducts regular cross-government analysis of the causes and potential solutions to privacy breaches; and e) Publicly reports detailed information relating to breaches, bodies responsible, types and causes, and preventative measures annually.
2. The Government of British Columbia to adopt the following interim breach reporting requirements: a) Document risk evaluation processes and decisions regarding notification of affected individuals and reporting to the OIPC; and b) Report all suspected breaches to the OIPC if the suspected breach: o involves personal information; and o could reasonably be expected to cause harm to the individual and/or involves a large number of individuals.
3. The Office of the Chief Information Officer to: a) Review and amend breach categories and category definitions; b) Ensure fulsome and accurate collection and documentation of privacy breach incidents; c) Ensure ministry tracking of the OCIO file number; and d) Ensure OCIO tracking of the OIPC file number
4. The Office of the Chief Information Officer to: a) Review and amend policy documents relating to privacy breach management; and b) Provide basic guidance or training for privacy breach investigative staff as well as ministry information and security staff relating to amendments made.
5. The Government of British Columbia to: a) Provide ongoing training and awareness of the importance of protecting personal information and breach management processes; and b) Increase staff (and service provider, if applicable) participation rates in this training.
The full report by Denham and recommendations can be found online here and includes in depth information about the commissioner's findings.
If you get value from KelownaNow and believe local independent media is important to our community we ask that you please consider subscribing to our daily newsletter.
If you appreciate what we do, we ask that you consider supporting our local independent news platform.
