Opinion

N.W.T. needs to improve protection of health data — before another breach

David Wasylciw says departments and outside organizations must notify those affected after privacy breaches and begin a review to prevent future breaches.

David Wasylciw says there should be clear safeguards in place, including notifying those affected

After the latest data breach in the N.W.T.'s health department, David Wasylciw says there needs to be clear steps for departments and outside organizations to follow after privacy breaches, including notifying those affected, and a review to prevent future breaches. (Jonathan Hayward/Canadian Press)

Data theft. Privacy breach. Information leak. Even just a few years ago, these terms didn't raise eyebrows or affect most of us, but times are changing. In the digital age we're used to hearing these terms as part of regular life.

In late June, the Government of the Northwest Territories announced that due to the theft of a laptop there had been a health record breach that affected up to 80 per cent of N.W.T. residents. That it happened isn't a surprise — health and other personal records have been lost, stolen or inappropriately accessed several times in the N.W.T.

In 2014, a USB stick with 4,000 patient records was lost (then eventually found); in 2010 and 2012 medical records were accidentally faxed to CBC. To top it off, the N.W.T.'s Information and Privacy Commissioner, Elaine Keenan Bengts, has steadily flagged other personal and health record breaches in her annual report.

In October 2017, the Hay River Health and Social Services Authority started a review of patient files, after an internal audit revealed 41 'irregularities,' including instances where non-essential patient information was improperly shared with heath care providers, (Jimmy Thomson/CBC)

Any of these bits of data might not be significant on their own, but when compiled with other information, someone out there can put together a profile and end up knowing more about you than you do.

This information could be used to steal your identity, to harass, blackmail or stalk someone, steal online accounts and more. You can't change fingerprints, or health records — these things represent you forever. In the case of health records, they might even impact your children or other family members.

There need to be strict regulations [and] significant penalties.

In the digital age, governments and companies need to become more protective of the information they hold. When records were stored on paper, a breach meant a page, or a single record, but when a privacy breach can impact tens of thousands or even millions of people it's a different story.

EU law better protects residents

Understanding the importance of privacy and digital records, the European Union recently implemented the General Data Protection Regulation (GDPR). This seeks to ensure companies and organizations that hold data on European Union residents do so securely.

The fines for a breach can be up to four per cent of global annual revenue in a given year. A privacy breach affecting an EU citizen requires that individuals be notified within 72 hours. Notifications must include likely consequences, details of the information breached, and efforts taken to mitigate any impacts.

These rules go far beyond anything in the N.W.T. or Canada.

In November 2014, a doctor at Yellowknife's Stanton Territorial Hospital lost a USB drive containing names, health care numbers and personal medical information for over 4,000 patients. (Sara Minogue/CBC)

Notably, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) sets a minimum privacy protection bar for corporations and organizations in provinces and territories — but, we have an opportunity to be leaders in privacy and protection of personal information by moving the bar higher for N.W.T.-based organizations and applying the same requirements to our government.

What's needed now is action from the N.W.T. — there need to be strict regulations, significant penalties and clear steps for government departments and outside organizations to follow in case of a privacy breach.

These steps should include mandatory notification of individuals affected by the breach within a fixed period of time. These notifications need to include what information was breached, why it matters and what is being done about it. Reviews addressing what steps will be taken to prevent this from happening in the future need to be completed and communicated to residents.

Gov't has duty to protect data

Before another breach happens (and it surely will), our government needs to take stock of its approach to information and privacy overall. What steps can be taken system-wide to better protect N.W.T. residents' personal information? What happens when there is a breach?

Our governments hold the key to information that isn't available anywhere else — this means that there is an even greater duty to protect our information.

In an age where the entire financial and medical history for all northerners (and likely all Canadians) fits on a single USB memory stick, we need to have strict controls and steps in place to protect our privacy.

In February 2016, the Beaufort Delta Health Authority confirmed there was a breach of patients' health records by employees at the Inuvik Hospital. (CBC)

Do you have an opinion to share with CBC North? Contact katherine.barton@cbc.ca

This column is part of CBC's Opinion section. For more information about this section, please read this editor's blog and our FAQ.

About the Author

David Wasylciw

David Wasylciw has lived in Yellowknife with his daughter for nearly 10 years. He is a small business owner and an advocate for more open and accountable government. In 2014, he founded OpenNWT, a non-profit that develops tools to make government information accessible to the public.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.