Security of personal information requires more attention

October 18, 2012

By Gary Dickson, Q.C., Saskatchewan Information and Privacy Commissioner

In recent years we have had a number of serious privacy breaches in Saskatchewan. Given the frequency and size of these breaches and the public reaction, there can be no doubt that the people of this province expect that the organizations to which they entrust their personal information in order to obtain health care or other services should respect their privacy and protect their personal information.

This expectation is apparently shared by many other Canadians. A 2012 survey done for Canada Health Infoway by Ipsos revealed much about the attitudes of citizens to privacy breaches. The Ipsos report stated in part: “specific concerns about unauthorized access and distrust of the computer systems are more common now than in the past.” Also, “the results of the survey suggest that public trust in health care professionals to safekeep their personal health information may be softening.” The same survey revealed that the measures that most increase the comfort of Canadians when it comes to electronic health records are:

• Being able to find out who accessed their health record and when (70% “more comfortable”)
• New legislation making unauthorized access of health records a serious offence (66%)
• Knowing they would be informed of any breach that occurred (65%)

It is imperative that Canadian organizations that collect, use and disclose personal information pay particular attention to the safe storage and destruction of that information. In April 2011, our office issued the “Advisory for Saskatchewan Health Trustees for Record Disposition.” The purpose was to assist all health trustees with their compliance efforts by listing eight steps each of them should take. As an oversight office, in determining what physical, technical and administrative measures are reasonable to safeguard personal information, we are guided by industrial standards and best practices. The work done by NAID has significantly influenced our approach to oversight of not only health trustees but also public bodies.

In our “Investigation Report H-2011-001” dealing with the largest breach in the nine-year history of The Health Information Protection Act, we made extensive use of the tools and standards for appropriate destruction of records that have been developed by NAID and our colleagues in the Ontario Information and Privacy Commissioner office.

We all need to do a better job in recognizing the privacy risk associated with records of personal information that continues until such time as those records are safely and properly destroyed. In that regard,  I am grateful for the workshop provided by NAID and Robert Johnson in Regina Oct. 16. The workshop provided granular, practical information to a diverse group of records managers and privacy officers in Saskatchewan. The feedback on the quality of the presentation and materials has been excellent.