01 July 2013

BC Data Breach

Australia's national Data Breach Bill - the Privacy Amendment (Data Alerts) Bill 2013 (Cth) - appears to have got the tick from the Constitutional & Legal Affairs Committee last week but fizzled thereafter amid excitement about 'who gets to play prime minister'. (My submission to the Committee commented that the Bill was overall disappointing but a useful step to a more effective mandatory data breach reporting regime.)

In Canada the British Columbia Privacy Commissioner has meanwhile recommended changes to the BC Ministry of Health’s privacy practices following three data breaches affecting millions of people in that province.

The Commissioner's investigation report assessed the ministry’s response to the breaches and the ministry’s overall data-handling practices in relation to health research. It highlighted "serious deficiencies" in those practices, with the absence of  "operational and technical safeguards" meaning that employees were able to copy a large volume of personal health data onto unencrypted flash drives and share that data with other parties without detection. That absence was contrary to requirements under section 30 of the BC Freedom of Information and Protection of Privacy Act (FIPPA) for "reasonable security" to protect personal information.

The Commissioner has made 11 recommendations to improve the ministry’s privacy practices "to both facilitate access to information for health research and to address the privacy and data security compliance issues".

They are -
R1 The Ministry should develop and implement additions to the BC Government policy on the use of portable storage devices to require the use of other, more secure, forms of information transfer. Portable storage devices should only be used as a last resort and must always be encrypted. 
R2 The Ministry should ensure user privileges are granted and managed based on the need to know and least privilege principles, ensuring that employees have access only to the minimum amount of personal information they require to perform their employment duties. Access permissions should be assigned consistently and kept up to date. 
R3 The Ministry should implement technical security measures to prevent unauthorized transfer of personal information from databases. 
R4 The Ministry executive should implement an effective program for monitoring and auditing compliance by employees with privacy controls, and by contracted researchers and academic researchers with privacy provisions in agreements, to enable proactive detection of unauthorized use and disclosure of Ministry information. 
R5 The Ministry should ensure that all contracts with contracted researchers and research agreements with academic researchers involving the disclosure of personal health information provide for an appropriate level of security, including privacy protection schedules. These requirements should include limiting the use and disclosure of personal information to specified contractual purposes; taking reasonable security measures to protect personal information; requiring compliance with privacy policies and controls with respect to storage, retention and secure disposal; and requiring notice to the Ministry in the event of a privacy related contractual breach. The Ministry also should use information sharing agreements wherever the substance of an agreement is about information sharing, rather than the provision of services to the Ministry. 
R6 The Ministry should develop a comprehensive inventory of all databases containing personal health information. The inventory should be updated regularly and should set out associated information flows relating to collection and disclosure for research purposes. 
R7 The roles and responsibilities for privacy belonging to the OCIO and branches throughout the Ministry should be documented and effective overall leadership for the Ministry’s privacy management program clarified. There is a particular need to enhance the Ministry’s internal privacy resources. 
R8 The Ministry should develop a Ministry privacy policy that establishes the basic principles of privacy for Ministry employees. 
R9 The Ministry should ensure that the Ministry privacy policy specifically incorporates the collection, use and disclosure of health information for research, including addressing when it may be appropriate to release personal information for health research under s. 35 of FIPPA. It should indicate the kind of information that the Ministry can provide to researchers and the security requirements that need to be met. 
R10 The Ministry should continue to streamline its information access request approval and delivery processes to reduce time delays in access to information for health research. 
R11 The Ministry should ensure that employees with access to databases containing personal health information participate in mandatory privacy training sessions and that their participation is documented.
The Commissioner, in noting that "Privacy and research are allies, not adversaries, in the pursuit of better health outcomes", also released Accountable Privacy Management in B.C.’s Public Sector. It is a new guidance document that "provides a blueprint and step-by-step instructions for public bodies to develop comprehensive privacy programs and protect citizens’ personal information".