The privacy commissioner’s inquiry into data breaches in the sa¹ú¼Ê´«Ã½ Health Ministry is a sobering reminder to government and citizens alike that technology is outrunning our efforts to protect personal information.
The report by information and privacy commissioner Elizabeth Denham sheds some light on the strange case in which seven ministry employees were fired and the government suspended data access for researchers at the University of Victoria and University of British Columbia. Most of that affair is still a mystery, but Denham’s report delves into three unauthorized transfers of personal health data on British Columbians that show a serious lack of controls in the ministry.
The first transfer occurred when a service provider under contract to the ministry asked an employee for information on about four million people in sa¹ú¼Ê´«Ã½, including 19 different pieces on information on each person, such as number of hospital stays, mental-health incidents and all health services billed for that person. The contractor asked that the personal health numbers of the people be deleted or masked.
After he got the flash drive, he discovered the health numbers had not been deleted. He removed the data from his computer and gave the flash drive back to the employee.
In the second case, a researcher was contracted by the ministry to do data analysis and applied for access to the necessary data. An employee, who was not authorized to release data, put information about 20,000 people on an unencrypted device and passed it along.
The information included personal health numbers, diagnoses and pharmaceutical histories.
The third case involved data from Statistics sa¹ú¼Ê´«Ã½â€™s Canadian Community Health Survey, in which people volunteer to share a wealth of sensitive information about things including sexual health, drug and alcohol use, mental health, Medical Services Plan billings and hospital records. It is linked to personal health numbers and full postal codes. Participants in the survey are promised their information will only be used in specific ways and for specific purposes.
Again, an employee who was not allowed to release such information put the data on a portable device and gave it to another employee.
Clearly, too many flash drives are wandering around the Health Ministry — as they are probably wandering most businesses and government agencies. The ubiquitous little storage devices are wonderfully handy, but a nightmare from the standpoint of data security.
The privacy commissioner had several times warned the ministry about the dangers of the drives. In the new report, she said they should be used only when unavoidable, and should always be encrypted.
But drives are only part of the problem. The common thread in these cases is people: regular workers who didn’t know or didn’t put a priority on the rules about handling sensitive personal information, and managers who didn’t install proper safeguards to ensure those rules were being followed.
It’s easy to forget that the masses of data on your computer screen represent real people and some of their most personal information, information that could be damaging if it fell into the wrong hands.
Both the ministry and the commissioner are satisfied that in these three cases, the information was used only for research purposes. The ministry has been shocked enough to adopt all 11 of the commissioner’s recommendations. They include making sure employees have access to only the information they need for their jobs, using security measures to prevent downloading information without permission, auditing compliance, training employees in privacy policy and tightening the rules for contracted researchers.
Denham said many of the problems could be erased by ensuring all research is done using a secure system such as PopDataBC, which controls access to information.
It’s up to the ministry to turn recommendations into reality.