After the latest data breach in the N.W.T.’s health department, David Wasylciw says there needs to be clear steps for departments and outside organizations to follow after privacy breaches, including notifying those affected, and a review to prevent future breaches. (Jonathan Hayward/Canadian Press)
Data theft. Privacy breach. Information leak. Even just a few years ago, these terms didn’t raise eyebrows or affect most of us, but times are changing. In the digital age we’re used to hearing these terms as part of regular life.
In late June, the Government of the Northwest Territories announced that due to the theft of a laptop there had been a health record breach that affected up to 80 per cent of N.W.T. residents. That it happened isn’t a surprise — health and other personal records have been lost, stolen or inappropriately accessed several times in the N.W.T.
In 2014, a USB stick with 4,000 patient records was lost (then eventually found); in 2010 and 2012 medical records were accidentally faxed to CBC. To top it off, the N.W.T.’s Information and Privacy Commissioner, Elaine Keenan Bengts, has steadily flagged other personal and health record breaches in her annual report.
In October 2017, the Hay River Health and Social Services Authority started a review of patient files, after an internal audit revealed 41 ‘irregularities,’ including instances where non-essential patient information was improperly shared with health care providers, (Jimmy Thomson/CBC)
Any of these bits of data might not be significant on their own, but when compiled with other information, someone out there can put together a profile and end up knowing more about you than you do.
This information could be used to steal your identity, to harass, blackmail or stalk someone, steal online accounts and more. You can’t change fingerprints, or health records — these things represent you forever. In the case of health records, they might even impact your children or other family members.
In the digital age, governments and companies need to become more protective of the information they hold. When records were stored on paper, a breach meant a page, or a single record, but when a privacy breach can impact tens of thousands or even millions of people it’s a different story.
EU law better protects residents
Understanding the importance of privacy and digital records, the European Union recently implemented the General Data Protection Regulation (GDPR). This seeks to ensure companies and organizations that hold data on European Union residents do so securely.
The fines for a breach can be up to four per cent of global annual revenue in a given year. A privacy breach affecting an EU citizen requires that individuals be notified within 72 hours. Notifications must include likely consequences, details of the information breached, and efforts taken to mitigate any impacts.
These rules go far beyond anything in the N.W.T. or Canada.
In November 2014, a doctor at Yellowknife’s Stanton Territorial Hospital lost a USB drive containing names, health care numbers and personal medical information for over 4,000 patients. (Sara Minogue/CBC)
Notably, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) sets a minimum privacy protection bar for corporations and organizations in provinces and territories, but we have an opportunity to be leaders in privacy and protection of personal information by moving the bar higher for N.W.T.-based organizations and applying the same requirements to our government.
What’s needed now is action from the N.W.T. — there need to be strict regulations, significant penalties and clear steps for government departments and outside organizations to follow in case of a privacy breach.
These steps should include mandatory notification of individuals affected by the breach within […]