Latest N.S. privacy breach reveals names, medical conditions, sexual abuse details
Government saying little about unredacted Workers' Compensation Board appeal decisions that were posted online
The Nova Scotia government is saying very little about another privacy breach, this one involving an unknown number of Workers' Compensation Board appeal decisions that include the names of workers and some intimate personal information about them.
The government removed the documents after being informed by CBC that the decisions were unredacted and contained workers' names and their personal information, as well as the names of their employers.
"It's terrible to hear. I was shocked more than anything," said one of the workers whose long-forgotten 2009 Workers Compensation Appeals Tribunal (WCAT) decision was posted with his name as well as personal information about his health, medications and family.
CBC is not identifying the man in order to protect his privacy.
- CBC InvestigatesMore than 2,500 privacy breaches at N.S. health authority in recent years, report says
The province issued a statement about the breach from Sandy MacIntosh, chief appeals commissioner of the Workers' Compensation Appeals Tribunal.
"The Workers' Compensation Appeals Tribunal (WCAT) is aware of this situation, and WCAT is following the Province's privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer," it said.
MacIntosh did not answer questions about how the breach happened or how many people were impacted, saying the full investigation will answer those questions.
Intimate details on display
The 1998-2009 decisions by the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) were posted by the province this month on the Canadian Legal Information Institute (CANLII) website, which promotes "free, open publication of law throughout the world." Court and quasi-judicial decisions are routinely posted there.
More recent decisions, all since 2010, have the names of the worker and their employer redacted.
One of the unredacted 1999 decisions included the employee's name and a discussion of their sexual abuse at a very young age.
It said the worker "grew up with rigid authority, physical abuse and subsequent fear and passive tolerance to authority figures."
It noted the person had "finally come to a crisis due to alleged ongoing sexual harassment and verbal discrimination by his boss at [his place of employment]."
A 2002 decision deals with the case of a man who was injured on the job.
The decision outlines his mental health struggles, including PTSD symptoms such as nightmares, flashbacks, tearfulness, and suicidal ideation.
It said he was "readmitted to the Nova Scotia Hospital in March 2001, and the chart notes from the hospital document that the Worker 'had been behaving irrationally, including stalking ... and having homicidal thoughts about ...other employees.'"
Privacy lawyer weighs in
Halifax privacy lawyer David Fraser said the unredacted decisions were most likely the result of human error or a process that wasn't followed. He said the breach merits investigation and he was disappointed, but not surprised by the province's limited response.
"Just saying, 'It's being investigated,' really does seem like kicking the can down the road," he said, adding the government should provide the information it has now, which is subject to being confirmed by the investigation.
"I'm willing to bet there's hundreds of people whose information might have been published on the internet briefly who are concerned about that. Who had access to it, who is responsible for it, what gave rise to it?" Fraser said.
He said governments and public bodies should be held to higher a standard than private organizations when it comes to protecting privacy.
"You can choose which bank you go to based on how much you trust them and how they manage your personal information — but you have no choice about which government or court you deal with," Fraser said,
A spokesperson in the office of the information and privacy commissioner said it was notified of the breach on Tuesday.
"Obviously all breaches of privacy are concerning to us," Carmen Stuart, director of investigations in the privacy commissioner's office said.
Stuart said when breaches occur, ideally the office allows the body to investigate its breach and monitor their efforts. She said there may be other situations where they learn of a potential breach and launch an investigation.
"That's not happened in this case; not to say it wouldn't happen in the future," she said.
Those affected not required to be notified
Stuart said while the Personal Health information Act requires people be notified when the privacy of their health information is breached, the Freedom of Information and Protection of Privacy (FOIPOP) Act does not require people who are affected to be notified but "ideally they will be," she said.
Fraser says "most definitely" FOIPOP legislation needs to change so breach notification is mandatory where it creates a real risk of significant harm.
"I'm confident that this — what's been described to me — crosses that threshold. If it was your bank, your cable company, if they had done this — they would have to notify you," he said.
As for the man whose decision was posted, he said he's not pleased because he doesn't know how many people saw his name and personal information. He said his case was bad enough but it may be even worse for others whose information was released.