NorthOpinion

N.W.T. needs to improve protection of health data before another breach

David Wasylciw says departments and outside organizations must notify those affected after privacy breaches and begin a review to prevent future breaches.

David Wasylciw says there should be clear safeguards in place, including notifying those affected

David Wasylciw for CBC News Posted: Aug 01, 2018 7:00 AM EDT | Last Updated: August 1, 2018

Hands are seen typing on a keyboard — After the latest data breach in the N.W.T.'s health department, David Wasylciw says there needs to be clear steps for departments and outside organizations to follow after privacy breaches, including notifying those affected, and a review to prevent future breaches. (Jonathan Hayward/Canadian Press)

Data theft. Privacy breach. Information leak. Even just a few years ago, these terms didn't raise eyebrows or affect most of us, but times are changing. In the digital age we're used to hearing these terms as part of regular life.

Stolen laptop had health data for 80% of N.W.T. residents

In late June, the Government of the Northwest Territories announced that due to the theft of a laptop there had been a health record breach that affected up to 80 per cent of N.W.T. residents. That it happened isn't a surprise health and other personal records have been lost, stolen or inappropriately accessed several times in the N.W.T.

In 2014, a USB stick with 4,000 patient records was lost (then eventually found); in 2010 and 2012 medical records were accidentally faxed to CBC. To top it off, the N.W.T.'s Information and Privacy Commissioner, Elaine Keenan Bengts, has steadily flagged other personal and health record breaches in her annual report.

Health centre sign — In October 2017, the Hay River Health and Social Services Authority started a review of patient files, after an internal audit revealed 41 'irregularities,' including instances where non-essential patient information was improperly shared with heath care providers, (Jimmy Thomson/CBC)

Any of these bits of data might not be significant on their own, but when compiled with other information, someone out there can put together a profile and end up knowing more about you than you do.

This information could be used to steal your identity, to harass, blackmail or stalk someone, steal online accounts and more. You can't change fingerprints, or health records these things represent you forever. In the case of health records, they might even impact your children or other family members.

There need to be strict regulations [and] significant penalties.

In the digital age, governments and companies need to become more protective of the information they hold. When records were stored on paper, a breach meant a page, or a single record, but when a privacy breach can impact tens of thousands or even millions of people it's a different story.

EU law better protects residents

Understanding the importance of privacy and digital records, the European Union recently implemented the General Data Protection Regulation (GDPR). This seeks to ensure companies and organizations that hold data on European Union residents do so securely.

How secure is a 'strong password'? Not very, experts say

Patient records breached 8 times in last year, confirms N.W.T. health dept.

The fines for a breach can be up to four per cent of global annual revenue in a given year. A privacy breach affecting an EU citizen requires that individuals be notified within 72 hours. Notifications must include likely consequences, details of the information breached, and efforts taken to mitigate any impacts.

These rules go far beyond anything in the N.W.T. or Canada.

In November 2014, a doctor at Yellowknife's Stanton Territorial Hospital lost a USB drive containing names, health care numbers and personal medical information for over 4,000 patients. (Sara Minogue/CBC)

Notably, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) sets a minimum privacy protection bar for corporations and organizations in provinces and territories but, we have an opportunity to be leaders in privacy and protection of personal information by moving the bar higher for N.W.T.-based organizations and applying the same requirements to our government.

What's needed now is action from the N.W.T. there need to be strict regulations, significant penalties and clear steps for government departmentsand outside organizationsto follow in case of a privacy breach.

These steps should include mandatory notification of individuals affected by the breach within a fixed period of time. These notifications need to include what information was breached, why it matters and what is being done about it. Reviews addressing what steps will be taken to prevent this from happening in the future need to be completed and communicated to residents.

Privacy breach at Hay River clinic prompts discovery of 41 'irregularities' with patient files

Gov't has duty to protect data

Before another breach happens (and it surely will), our government needs to take stock of its approach to information and privacy overall. What steps can be taken system-wide to better protect N.W.T. residents' personal information? What happens when there is a breach?

Our governments hold the key to information that isn't available anywhere else this means that there is an even greater duty to protect our information.

In an age where the entire financial and medical history for all northerners (and likely all Canadians) fits on a single USB memory stick, we need to have strict controls and steps in place to protect our privacy.