A breach, a complaint and how the NZ Privacy Commissioner helped
From the job-well-done dept.:
New Zealand’s Privacy Commissioner, John Edwards, writes:
Late last year, one of my senior investigating officers came to me with a file she’d been working on for quite a while. She was convinced the facts supported a finding of an “interference with privacy”, that is, a breach of the privacy principles, that had caused harm to the complainant. She’d tried to reach a settlement, but the parties were too far apart.
When we get to an end point like that, we have to decide whether or not to refer the matter to the Director of Human Rights Proceedings, an independent statutory officer who decides whether to litigate the matter in the Human Rights Review Tribunal. That can take a long time, and be quite stressful for the parties. It is also expensive.
What had happened was that a social worker out on her rounds had her car broken into. Her notebook was in the car. In the notebook were jotted details of some 90 clients she had seen in recent years. This is an important point – it was not just her current clients.
Her employer, a DHB, did the right thing, and got in touch with all the clients, to let them know what had happened. Some of them were understanding, some were a bit upset, but the one who complained to us was devastated. It had been some years since she had seen the social worker and she could not understand why she would still be carrying around her extremely sensitive personal information, which revealed details of mental ill health following the birth of a child.
And that, my friends, is a perfectly reasonable question. The social worker should not have been carrying around historical information not related to her current cases. And of course, whatever she carried around on a mobile device should have been properly secured. If that had happened in the U.K., it might have resulted in an undertaking. If it had happened here in the States, well, HHS might have done what John Edwards ultimately did. But read on…
Often, when a third party like a thief intervenes maliciously to release personal information, it would not be fair to hold the agency responsible. However in this case, we had to consider whether the agency had taken reasonable steps to ensure the information was protected from loss. While we acknowledged that there would be cases where it was necessary to take patient information ‘offsite’ when treating patients in the community, we were not satisfied it was reasonable to expose this type of historic information to the additional risks inherent in taking patient information out of the DHB.
As a last effort to resolve the complaint I arranged to meet with the chief executive of the DHB. We had a very productive conversation and were able to agree to terms on which the complaint would be settled without referral to the Director of Proceedings. It was helpful for me to learn that the DHB’s biggest concern was the perception that we were requiring a significant change of professional practice (namely that we were saying patient information should never be taken offsite). That would have had quite significant implications given the change in clinical service delivery to community care. This means that more health and support staff will be out and about, which means the ability of health care workers to access patient information when they are outside traditional facilities (think clinics and hospitals) will become increasingly important.
Part of the settlement was that my Office agreed to provide some guidance to help health workers and others who are increasingly mobile, to reduce the risks of things going wrong. We will be beginning that work soon, and will hope to canvass the views of a range of community workers to see how they practically manage their information securely without compromising their ability to deliver top quality care.
And here’s a final tip. One of the things that the complainant was very pleased about was that it had reached the highest level of the organisation. She felt that if it had come to the attention of the chief executive, she knew it had been taken seriously and that something would be done. Don’t underestimate the power of a personal approach from the top level in appropriate circumstances!
Guidance would be helpful, yes. But I fear that the Commissioner will discover that most community workers aren’t managing their information securely at all. To really understand data security among community workers, asking them what they do may not be as informative as unannounced audits. Even announcing that the office will be conducting random and unannounced audits of community workers’ data security might have a positive impact on getting community workers to better secure the information they carry with them – and to encourage them not to store information they do not need to store on mobile devices. It might also encourage DHBs and agencies to invest in developing systems so that the information remains on the server and can be accessed, but not downloaded and stored, on mobile devices.