N.W.T. needs to improve protection of health data — before another breach
David Wasylciw says there should be clear safeguards in place, including notifying those affected
Data theft. Privacy breach. Information leak. Even just a few years ago, these terms didn't raise eyebrows or affect most of us, but times are changing. In the digital age we're used to hearing these terms as part of regular life.
In late June, the Government of the Northwest Territories announced that due to the theft of a laptop there had been a health record breach that affected up to 80 per cent of N.W.T. residents. That it happened isn't a surprise — health and other personal records have been lost, stolen or inappropriately accessed several times in the N.W.T.
In 2014, a USB stick with 4,000 patient records was lost (then eventually found); in 2010 and 2012 medical records were accidentally faxed to CBC. To top it off, the N.W.T.'s Information and Privacy Commissioner, Elaine Keenan Bengts, has steadily flagged other personal and health record breaches in her annual report.
Any of these bits of data might not be significant on their own, but when compiled with other information, someone out there can put together a profile and end up knowing more about you than you do.
This information could be used to steal your identity, to harass, blackmail or stalk someone, steal online accounts and more. You can't change fingerprints, or health records — these things represent you forever. In the case of health records, they might even impact your children or other family members.
There need to be strict regulations [and] significant penalties.
In the digital age, governments and companies need to become more protective of the information they hold. When records were stored on paper, a breach meant a page, or a single record, but when a privacy breach can impact tens of thousands or even millions of people it's a different story.
EU law better protects residents
Understanding the importance of privacy and digital records, the European Union recently implemented the General Data Protection Regulation (GDPR). This seeks to ensure companies and organizations that hold data on European Union residents do so securely.
The fines for a breach can be up to four per cent of global annual revenue in a given year. A privacy breach affecting an EU citizen requires that individuals be notified within 72 hours. Notifications must include likely consequences, details of the information breached, and efforts taken to mitigate any impacts.
These rules go far beyond anything in the N.W.T. or Canada.
Notably, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) sets a minimum privacy protection bar for corporations and organizations in provinces and territories — but, we have an opportunity to be leaders in privacy and protection of personal information by moving the bar higher for N.W.T.-based organizations and applying the same requirements to our government.
What's needed now is action from the N.W.T. — there need to be strict regulations, significant penalties and clear steps for government departments and outside organizations to follow in case of a privacy breach.
These steps should include mandatory notification of individuals affected by the breach within a fixed period of time. These notifications need to include what information was breached, why it matters and what is being done about it. Reviews addressing what steps will be taken to prevent this from happening in the future need to be completed and communicated to residents.
Gov't has duty to protect data
Before another breach happens (and it surely will), our government needs to take stock of its approach to information and privacy overall. What steps can be taken system-wide to better protect N.W.T. residents' personal information? What happens when there is a breach?
Our governments hold the key to information that isn't available anywhere else — this means that there is an even greater duty to protect our information.
In an age where the entire financial and medical history for all northerners (and likely all Canadians) fits on a single USB memory stick, we need to have strict controls and steps in place to protect our privacy.
Do you have an opinion to share with CBC North? Contact email@example.com