Most public organizations not trained to handle privacy breaches, survey says

While privacy breaches remain common, the vast majority of Manitoba public institutions which participated in a recent survey say they do not train staff on how to deal with the incidents.

The findings are part of a new report by Manitobaombudsman Charlene Paquin into privacy breaches in the province published this month.

Among the respondents, which includedinstitutions likeuniversities, municipalities, health authoritiesand boards,78 per cent said they offered no training on what to do if private information is lost such as apaper health record while 29 per cent said they had a privacy breach in the last three years.

• Patient records illegally accessed by Manitoba Health employee, ombudsman says

Training on handling privacy mishaps, the ombudsman said, is important because it "prepares and empowers staff to respond when confronted with a breach."

The survey is the first of its kind in Manitoba.Paquin said she hopes it provides a benchmark for future studies into privacy protection in the province.

Of the 238 organizations in the province which were sent the survey, only 118 organizations, or 49 per cent, fully completed the questionnaire.The ombudsman said the response rate still provided a "reasonable sample size."

"Another 26 per centpartially completed the survey, but we did not include those responses in our analysis. We view the survey results as a baseline for future surveys. We also saw responses from a cross-section of organizations, which is a great beginning for further discussions on this topic," saidPaquin.

The ombudsman found that among the respondents, 59 per cent said the most common form of privacy breach was losing paper records, while 24 per cent lost information after a computer or other device was stolen.

Manitoba's Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Health Information Act (PHIA) govern the safeguards in place to protect personal information and health information.

"Although organizations may strive to handle personal [information] and personal health information in accordance with these laws and implement safeguards, privacy breaches can occur due to human error, use of technology or malicious actions," the report states.

The ombudsman also points out that public organizations in Manitoba may not fully appreciate how much sensitive information they actually handle.

She found just over half of the organizations involved in the survey, 51 per cent, said they manage personal health information, while49 per cent said they manage only personal information.

"It is likely that some organizations do not realize that in addition to personal information, they also have personal health information," said the report.

• 197 health records 'inappropriately accessed' by Manitoba employee for birthday cards

While 74 per cent of respondentssaid they notified the individual whose privacy was breached, less than half track breaches. Notifying people of privacy breaches is not required by law.

Manitoba's ombudsman is recommending a host of changes to better protect personal information of all descriptions, including calls fororganizations to develop privacy breach policies, provide more training, consider notifying parties affected by privacy breaches and document privacy breaches.

"The survey results showed that some organizations do plan for and manage privacy breaches, while in other cases, improvements can be made," said Paquin.

"Training on how to manage a privacy breach, for example, is something that is not required by privacy legislation, but we believe is a best practice that will help in strengthening an organization's response to a breach, should it occur. We also identified some areas where we can offer more assistance, such as by developing some new resources for organizations to use."