Watchdog says eHealth breached privacy by sharing personal information with Elections Sask.
eHealth shared Saskatchewan residents' information to help Elections Sask. keep voter registry up to date
Elections Saskatchewan should not have received personal health information about residents as part of a data-sharing agreement with eHealth, according to a report by the provincial privacy watchdog.
In a report released on June 23, Saskatchewan information and privacy commissioner Ron Kruzeniski says eHealth had no legislative authority to share the information.
- Saskatoon police say no personal information to be shared from 2 new licence plate readers
- 'Culture of caution': Digital world concerns Sask. privacy commissioner
Starting in August 2015, eHealth — the provincial agency that collects, combines, stores and manages the electronic health records of people in Saskatchewan — provided the name, date of birth, health services number, address and residency status of Saskatchewan residents as part of a data-sharing agreement with Elections Saskatchewan.
According to eHealth, no clinical health information was shared with Elections Saskatchewan.
The election management organization had been using the information to revise its voter registry, including keeping track of deaths and name changes.
Issue uncovered after self-reported breach
The breach was uncovered after eHealth contacted the commissioner's office to report a breach of its own data-sharing agreement.
EHealth had mistakenly released the personal health information of between 50,624 and 83,403 individuals under the age of 16 to Elections Saskatchewan. The agreement was only supposed to apply to people aged 16 and older.
But the self-reported breach raised concerns within the commissioner's office about the overall practice of sharing the information.
An investigation by the privacy commissioner's office, outlined in the June report, found that eHealth did not have the legislative authority to release the information to Elections Saskatchewan.
Commissioner urges amendment to legislation
The commissioner recommended an amendment to the Health Information Protection Act regulations to allow the practice of data sharing with Elections Saskatchewan, saying it was important for democracy to have an up-to-date register of voters.
But the commissioner's report said safeguards would need to be in place, especially protections surrounding an individual's health services number, or HSN.
Those measures would include a privacy-impact assessment before data sharing occurs, destruction of data generated and allowing citizens to find out if their information is being shared.
"I recommend that eHealth and ESK have discussions on the need for the HSN but if they conclude the HSN is essential, then eHealth should ensure most of these safeguards have been put in place," said the report.
"Because there is a data-sharing agreement, some of these safeguards are there, so the recommendation is one to ensure that the discussion of safeguards continues."
The commissioner urged eHealth and Elections Saskatchewan to promote and support the legislative change needed to allow the sharing of information to keep the voting register up to date.
In a statement on its website, eHealth said that it plans to comply with the commissioner's recommendations, including notifying people whose information was shared.
Chief executive officer Susan Antosh apologized to those affected by the breach in which information was shared about people under 16.
"EHealth is committed to ensuring the privacy and security of personal health information, which is why we are taking this incident seriously and immediately informed the office of the information and privacy commissioner," Antosh said.