Evidence of meeting #26 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Donovan Molloy  Privacy Commissioner, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador
Catherine Tully  Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia
Sean Murray  Executive Director, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador
Drew McArthur  Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Bradley Weldon  Senior Policy Analyst, Office of the Information and Privacy Commissioner of British Columbia
Clerk of the Committee  Mr. Hugues La Rue

11:35 a.m.

Conservative

The Chair Conservative Blaine Calkins

Mr. McArthur and Mr. Weldon, for the benefit of our recording process here in Ottawa, please identify yourselves at the start of any comments either of you make, so we can make sure that we attribute the comments to the appropriate person. We can't see who's talking, so that would be helpful to us.

Colleagues, I will ask you to be specific if you're asking a question of a witness to make sure they are clearly identified. If you're asking it of all witnesses, then I'll make sure that we get that through.

We're going to resume with our seven-minute round, and we'll go to Mr. Kelly for up to seven minutes, please.

11:35 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you, Chair.

I'd like each witness to give a brief statement—and we had a bit of that from B.C.—and describe a little about the nature of the types of privacy breaches you receive. We're talking about mandatory reporting, and the number of breaches could be quite high, at least based on the B.C. experience of an estimate of around 1% of the current breaches being reported. If all breaches are to be reported, a privacy breach can be any of a number of things, from the careless leaving behind of a piece of paper to a sophisticated cyber-attack, or a lost laptop containing thousands or maybe even millions of different records.

More specifically in the way that specific lives might be affected by such breaches, could each of you give a quick, even anecdotal, discussion of the kinds of things we're dealing with? I'll start with our Newfoundland and Labrador witnesses, Mr. Molloy and Mr. Murray.

11:35 a.m.

Privacy Commissioner, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador

Donovan Molloy

For the most part, the majority of the breaches reported to us—and we have mandatory reporting of all breaches under ATIPPA—are incidental, accidental, careless, and generally things that don't involve an intent to abuse, share, or disclose somebody's personal information.

We do have a number of instances where people have deliberately accessed other people's personal information and that has been shared or disclosed. The impact on the people who are affected by it is profound. Once you've been deprived of your sense of privacy and your dignity, depending on the nature of the information, it makes it difficult to move forward in your relationship with a particular public body or a government in general.

Conversely, we would note that we've experienced situations where the unnecessary notification of individuals that their privacy has been breached can cause a lot of damage, as well. Once you've been notified, it's hard to put the genie back in the bottle. People have a hard job being convinced that the breach didn't have any impact on them.

11:40 a.m.

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

In Nova Scotia, we do not have mandatory breach notification for significant breaches. Instead, what we see are the minor breaches I mentioned. I think we received reports of in the neighbourhood of 900 minor breaches of personal health information last year. About a third of those are missent faxes or the high-tech version of that, which is selecting the wrong provider code in a database so that health information goes to the wrong provider. It's these types of breaches that tend not to cause significant harm. Occasionally, we hear about more significant breaches. These are the snooping in databases. In small communities, that's quite significant both in terms of finding locations for individuals or finding medical information, including mental health information, which is quite embarrassing.

11:40 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

I mentioned briefly the kinds of breaches that we've seen in government. I'd like to highlight a couple that resulted in investigations. One was with the University of Victoria and involved an unencrypted hard drive containing employee personal information. The other was with our Ministry of Education and also involved an unencrypted hard drive. Although it was lost, it contained student data for over 300,000 students in B.C. These are serious circumstances where people may need to take action.

I'd like to add a further note on the need for thresholds in reporting. We have identified that the threshold in the public sector is when a breach could be reasonably expected to cause harm to an individual or if it involves a large number of individuals. We've set that for the notification of the commissioner, and when notifying individuals, we've recommended that the threshold be when it's expected to cause significant harm to the individual. Again, significant harm is contextual. We don't have experience with it yet. We've set the two thresholds to be slightly different in that a lower threshold for reporting to the commissioner would allow us to work with public bodies to make sure they have programs in place to prevent disclosure of this information to the unauthorized access user. It would also ensure that individuals are informed without unreasonable delay so that they may protect themselves.

11:40 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

What additional infrastructure would need to be in place to adopt mandatory reporting?

I understand that in Newfoundland and Labrador there is already mandatory reporting. Given the limited amount of reporting currently going on where reporting is not mandatory, what additional infrastructure would the federal government likely need to have in place, also noting that federal institutions are, in many cases, quite different from provincial institutions? Provincial institutions tend to be more service-oriented, where there are agencies with which people have a mandatory relationship like the CRA or the Canada Border Services Agency.

I'll let maybe each of you have just a quick moment to comment on what changes will need to happen within federal institutions to accommodate mandatory reporting.

11:40 a.m.

Conservative

The Chair Conservative Blaine Calkins

We're already past seven minutes, but if somebody has a quick comment on this, we'll get to it.

Mr. McArthur?

11:40 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

In terms of infrastructure from a technical perspective, nothing is required. It's merely a process to receive the complaints. I would note that in B.C., even though it is not mandatory, we already do receive, track, and investigate, if required, voluntary reports. We have the administrative processes established already. I also know that the federal privacy office has the process in place for receiving reports because I made those, unfortunately, from time to time when I was in the private sector.

11:45 a.m.

Conservative

The Chair Conservative Blaine Calkins

We're going to have to move on now. We're approaching eight minutes.

Mr. Dusseault, you have up to seven minutes, please.

11:45 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Thank you, Mr. Chair.

My first question concerns an aspect that was mentioned by our friends from Newfoundland and Labrador concerning the mandatory regime that exists in that province. The provincial government is required to report to the commissioner when there has been a breach of privacy.

If you discover that that requirement has not been met and that the department has not reported the breach, does that result in consequences? Is the matter followed up? What happens when there has been a breach of privacy that was not reported to you?

11:45 a.m.

Executive Director, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador

Sean Murray

I don't think we've had the circumstance where there's been a breach that turned out to be something notable that wasn't reported to our office. You're correct that there are no penalties built into the act in cases where a public body fails to report a breach to our office. I guess that might be worth considering. We've had this for about a year and a half now, our new law, and we have noted that some public bodies seem to be reporting more breaches than others. It's something that we have inquired about, and I would suspect it's something we will probably follow up on in due course, but at this point I can't conclude that any public body has been purposely not reporting breaches to us. I guess that's something we'll have to look into.

11:45 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Thank you.

I would like to go back to the witness from British Columbia regarding the requirement to inform citizens when their privacy has been breached. I would like to go back to what you also mentioned, that is to say the reputational harms, financial harms and even those concerning people's identities.

In British Columbia, is there a way for citizens to sue the government, for damages or even remedial measures? The Canadian commissioner is proposing remedial measures, including damages, for privacy breaches. Is it possible for a citizen in British Columbia to take legal action to obtain compensation?

11:45 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

At this point in time we're still awaiting the legislation to determine how it will actually be implemented. However, what we can do is order a public body to take the appropriate steps to mitigate the harm. In some cases that mitigation may involve credit monitoring or other steps depending on the circumstances.

October 4th, 2016 / 11:45 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Thank you, that is very interesting. It is nevertheless a measure the government can take in the circumstances.

Now I will speak to the commissioner from Nova Scotia, and this could be of interest to the other provinces.

I wonder whether an effort is being made to educate not only the population in this regard—which is very laudable—but especially government employees. The latter must know their obligations under the Privacy Act. They must be informed about what they do every day and what might have an impact on the privacy of the citizens of their province or Canada. Are security measures being put in place, for example, to inform employees about whether spam is being circulated? Are there any measures to inform government employees that they should not open certain emails and in order to prevent citizen privacy breaches?

11:45 a.m.

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

As the information and privacy commissioner I do have an education mandate, but the government itself also has a central group who manages access and privacy, and they provide privacy training within the government departments proper. Most of the training that I do is for the smaller public bodies, the municipalities and the agency boards and commissions, because they have no other source of training. I have a bunch of tools available, including security standards and recommendations for steps to be taken. I have tools on how to manage a privacy breach. We offer privacy breach training to any public body, including government departments. We just completed that training. I know the government does send out these warnings about spam. The central IT group within government sends out regular kinds of warnings about activities to avoid. That's certainly happening at the government level, but privacy awareness is a big issue and one that requires quite a bit of training.

11:50 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Since I have a little time left, I would also like to talk about certain provinces that may not have a law covering a large number of government institutions or organizations.

I wonder whether some of you can comment on the possibility of expanding the Privacy Act so that it applies to crown corporations, for example, and to other public organizations subject to certain federal statutes. I want to know your opinion on that and to hear some examples, if possible.

I believe a large number of organizations in British Columbia are subject to the act. First I would like to hear the comments of the commissioner from that province. What organizations are subject to that act? Do they include crown corporations and businesses and all public and even para-public organizations?

11:50 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

As I noted in my opening comments, the oversight in the public sector in British Columbia extends to over 2,900 public bodies. Those include the central core operations of government, but they also include municipal governments, schools, crown corporations, hospitals, and municipal police forces. It has a pretty broad covering.

I will note that there is an area that is not covered currently, and we have made recommendations that it be amended. There are some organizations associated with public bodies. Typically they are associated with universities. They are companies that are created by universities, but they are not currently covered under the act, and we believe they should be. That's a gap in our law.

11:50 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Madam—

11:50 a.m.

Conservative

The Chair Conservative Blaine Calkins

Sorry, Mr. Dusseault, we're done, but we will get back to that.

For Ms. Tully and the folks from Newfoundland and Labrador, if you have some comments on that, I'm sure you'll have an opportunity to have input on that.

Mr. Saini, go ahead for up to seven minutes, please.

11:50 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

First of all, thank you very much to all of you for being here.

The question I have is kind of unique, because all three of you practise under different models. B.C. has the order-making powers; Nova Scotia has recommendation powers; and Newfoundland has a hybrid model.

All of you act as privacy and information commissioners, and as you know, in the federal government, the office for information and the office for privacy are separate. In March, the Privacy Commissioner made a submission requesting the hybrid-model types of powers, and this committee, in its review of the Access to Information Act, recommended the order-making powers for the Information Commissioner. The Privacy Commissioner, having heard that the Information Commissioner got full order-making powers, also requested full order-making powers.

If you could just imagine both of your offices being split, how would you balance that? Do you think it's necessary that both the office of the information commissioner and the office of the privacy commissioner have the same powers, or should they be different? This question is to all of you.

11:50 a.m.

Privacy Commissioner, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador

Donovan Molloy

I think it's difficult to speak to the circumstances of the federal Privacy Commissioner.

In terms of our own experience, it would not be practical, because we have limited resources. Splitting the office would, I think, result in us being unable to fully effect our mandate under ATIPPA.

The model we have, whereby we make a recommendation that can become an order if it's not appealed to the court within 10 days, is very effective. It places the burden on the public body. It also allows us to participate in the court hearing, which is invaluable, because we get to give our own objective perspective in court. Sometimes in the case of a person who doesn't have the resources to have their own counsel, that is really the only substantive quality argument the court hears, other than the arguments that are filed on behalf of the public body.

11:55 a.m.

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

If I understood your question correctly, if I imagine my office split so that there's access and there's privacy, your question is whether they have the same oversight authorities.

11:55 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Yes.

11:55 a.m.

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

My view very strongly at the federal level, having been there, and thinking of it in the Nova Scotia context, is that the two offices are regulating the same entities. I would think it would be very important that they have the same authorities, either order-making or not, because day to day you're dealing with these two oversight agencies. I think it would undermine the authority of one if the other had order-making authority and it didn't, so I can see the practical reasons why they should be the same. Certainly, from my perspective as an oversight agency, I would want consistency across those two roles.

11:55 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

Our experience in B.C., of course, is having access to information and protection of privacy in a single statute with the order-making powers.

I can't tell you what it would be like to have two separate agencies, but in our case we have a holistic view of the operations of government from both perspectives and we can ensure that the appropriate recommendations are made, and in the case when we need it, we have the ability to implement orders.