B.C. privacy watchdog seeks reports of major breaches

B.C.’s independent privacy watchdog called on the provincial government Wednesday to start reporting all major privacy breaches to her office.
B.C. privacy commissioner Elizabeth Denham

Elizabeth Denham issued a 60-page report showing that the government investigated more than 3,700 suspected privacy breaches and confirmed 2,700 between April 2010 and December 2013.

Yet, she said, fewer than 45 of those cases were reported to her office.

“I’m concerned that we only heard about one per cent of the breaches that the government investigated over a four-year period,” she said.

Denham said the government is not even telling her about confirmed breaches caused by malicious viruses, hacking or phishing. There were seven such breaches from 2010 to 2013, her report says.

“We’re not hearing about some of the cyberattacks,” she said. “We’re not hearing about the numbers of people that were affected.

“Even when we went in to do our audit, and we took a deep dive into 300 breach files that are held by the chief information officer, they had very little detail on the numbers of people affected.”

Denham recommended the government fix the problem by reporting all breaches that affect large numbers of people or where the release of sensitive personal information could cause an individual harm.

“Do we need to hear about every single double-stuffed envelope? No. Do we need to hear about every misdirected fax? No.

“But I think we need to hear about the disclosure of sensitive information and any breach that involves a large number of people.”

Denham plans to investigate privacy breaches at other public bodies and may recommend legislation that would make reporting mandatory.

“In the meantime, this report establishes an interim standard for reporting privacy breaches to my office,” she said. “I expect government to follow this standard going forward.”

Citizens’ Services Minister Amrik Virk refused to commit to that Wednesday, saying he wants to have further discussions with his staff and with Denham before deciding whether to act on her report.

“We’re going to attempt to do our best to see which one of those recommendations that we can implement,” he said.

Virk noted that most of the privacy breaches in Denham’s report were the result of administrative errors, such as faxes or emails that were sent to the wrong person.

“These were incidents in themselves, but not breaches of government’s technical data,” he said.

Despite the reporting issues, Denham said the government generally did a good job of containing and investigating the privacy breaches.

The report shows that most of the breaches occurred in the ministries of Social Development and Social Innovation, Health, Children and Family Development, and Justice.

“The four ministries with the largest numbers of breaches process a large volume of sensitive personal information,” Denham said. “Consequently, these four ministries also have the largest numbers of administrative errors.”

lkines@timescolonist.com