B.C.’s privacy watchdog says the Health Ministry’s procedures for protecting personal information were deficient last year when it accused employees and contractors of a privacy breach.
A report by B.C. information and privacy commissioner Elizabeth Denham, released Wednesday, concludes the Health Ministry did not have reasonable security in place to protect personal information from unauthorized access or disclosure, as required by privacy laws.
The main deficiency was a lack of effective management and controls over access to personal health information, the report says.
“It’s not good enough anymore to think about the kind of controls that would have worked in a paper environment. These are 1980s controls for 21st-century technology,” Denham said in an interview. “I’m frustrated with finding these kinds of basic deficiencies.”
Even the ministry’s 1980s-style paper contracts failed to meet the test, the report says, noting there were contracts that didn’t include oaths or agreements for confidentiality.
In May 2012, the Health Ministry began an investigation into alleged conflict of interest, along with inappropriate conduct, data management and contracting focused on its pharmaceutical services division. That investigation was made public in September 2012, and since then the Health Ministry has released three examples of breaches. It concluded all the information was used by researchers for research only.
At the same time, the privacy commissioner launched an investigation focused on these examples and a broader review of ministry data-handling practices.
The absence of adequate safeguards allowed ministry employees and researchers to copy and share personal health data on unencrypted flash drives without detection, the report says.
“There was no one person in charge of privacy,” Denham said.
“There was no monitoring of compliance with law and policy including making sure contracts were signed. There were no technical controls in the system to prevent someone from sticking a USB key into a computer and copying a large amount of data without technical red flags going off,” she said.
“We’re talking about no audit, no compliance review, not enough training and anecdotal evidence of a slow, laborious process to get access to data.”
The only thing the ministry seemingly did right, the report says, was respond to the crisis.
“This report shows an abject failure to use even basic means to protect our health information,” said Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association.
The privacy commissioner’s report makes 11 recommendations, including: only using encrypted portable storage devices (USB sticks) as a last resort, ensuring employees have access only to the minimum personal information needed, monitoring and auditing employees and contracted and academic researchers with regard to privacy rules, spelling out privacy obligations for employees, and mandatory participation in privacy training sessions.
B.C. Health Minister Terry Lake said the ministry will implement all 11 recommendations. Last year, the government hired Deloitte and Touche Canada for about $600,000 to review its data handling. Much of what the commissioner wrote mirrors Deloitte’s review, Lake said.
NDP health critic Judy Darcy said the government appears to have failed to learn from previous reports and recommendations issued by privacy commissioners and must be held to account, with clear timelines for change.
Denham said she will request a compliance plan from the ministry.
© Copyright 2013