Protect personal health info with security measures: privacy commissioner - Macleans.ca
 

Protect personal health info with security measures: privacy commissioner


 

VICTORIA – The illegal release of personal information about nearly five million British Columbians by Health Ministry staff was a massive breach, says the province’s privacy commissioner, who has released 11 recommendations to protect the public.

Elizabeth Denham conducted an investigation after government employees downloaded large amounts of personal health data onto unencrypted flash drives and provided it to unauthorized individuals.

Seven government employees were fired last year, sparking two lawsuits, in connection with $4 million worth of drug research contracts between the ministry and the University of B.C. and the University of Victoria.

Denham, who released a report Wednesday, said the ministry did not discover the unauthorized disclosures until a whistleblower came forward, leading to a review of thousands of emails and files on the hard drives of several employees.

She said the Health Ministry must develop a policy for more secure ways to transfer information and that while citizens support research they expect their data to be handled with adequate safeguards.

Information about sexual health, alcohol and drug use, birth dates, postal codes, personal health numbers and mental health was included in three breaches in October 2010 and June 2012 because the ministry failed to use proper security measures or review employees handling sensitive information, Denham said.

She said the ministry had no way of ensuring employees were taking appropriate privacy training and following policies in accordance with the Freedom of Information and Protection of Privacy Act, which was introduced 20 years ago.

One incident breached an agreement with Statistics Canada involving 38,000 people whose information in the Canadian Community Health Survey was collected from census data between 2000 and 2010, said a Health Ministry spokesman.

Denham said her office instructed the ministry to contact each person whose personal information was breached, and letters were sent out in January.

“Individuals participated in that survey and shared their most sensitive information such as sexual health and sexual preferences on the basis that that information would not be shared,” she said.

“There was an agreement and a consent to have that information used only for specific purposes within the Ministry of Health. When that information was disclosed that was really a breach of an agreement and it goes to the issue of trust that individuals have in the health-care system.”

Denham recommended that the government ensure employees have access to only the minimum amount of personal information required for their jobs and implement security measures to prevent its unauthorized transfer from databases.

She also called on the ministry to develop an inventory of its personal-information databases and come up with a program to monitor any unauthorized use and disclosure of citizens’ information by contracted and academic researchers.

Health Minister Terry Lake said his ministry has accepted Denham’s report and will implement all the recommendations to protect B.C. residents’ personal information.

“It was a serious breach, in terms of policy,” he said. “People’s private information was beached. We take that very seriously. We want to make sure that we do a through investigation, and, as the privacy commissioner has recommended, put further strengths to ensure that people’s privacy is respected and protected.”

Lake said the government has not released many details about the breaches pending its investigation, which may be completed by the end of the summer, and that police are also involved.

“We have been sharing information with the RCMP, as we have with the privacy commissioner and the auditor general, who first brought this to our attention. So it will be up to the RCMP to determine next steps based on their conclusions from the investigation.”

The Health Ministry is facing lawsuits from two of the fired employees, including the director of research and evidence development with the Pharmaceutical Services Division.

Along with her recommendations to prevent future privacy breaches in the Health Ministry, Denham issued similar guidelines for 2,500 public bodies and health agencies across B.C. on Wednesday.

Her next step is be to ask the Health Ministry for a compliance plan to ensure issues in the report are addressed.

 

Note to readers: This is a corrected story. An earlier version reported five employees were fired.


 
Filed under:

Comments are closed.