Commissioner says Saskatchewan 'bedevilled' by privacy breaches
Jennifer Graham reports:
Saskatchewan’s privacy commissioner says the province is “bedevilled” by a large number of intrusions into people’s personal information.
Gary Dickson said in his annual report released Monday that his office opened 47 investigations into privacy breaches at government institutions over the last year.
“What we often find is that it’s not somebody hacking into a database,” said Dickson.
“It’s typically a lack of care. It’s carelessness on the part of organizations that are entrusted with personal information, and then curiosity of staff who can’t seem to overcome the temptation to go and snoop in somebody else’s health records or somebody else’s personal information, which means a huge training effort has to happen in our province.
Read more on Winnipeg Free Press
In the report, one section deals with misdirected faxes and the response of entities that were sending faxes to a business assigned a number that had previously belonged to a medical clinic. The number had been reassigned to a business almost two years after the clinic stopped using that number, but a number of entities continued sending faxes to that number. I’ll skip some of the details, which you can read in the report itself, but note some of the findings:
Only 3 of the 9 pharmacies provided notification to their affected patients. Only 14 out of the 31 trustees had written policies and procedures for safe faxing of personal health information.
I concluded that the three principal causes of the breaches were: a change of fax number, use of outdated pre?programmed fax numbers and the carelessness of employees due to lack of training. In my conclusion I stated as follows:
Overall, I am underwhelmed by the response of the trustees to these privacy breaches. Most trustees have not adequately investigated the breach. More importantly, their current fax policies and procedures do not address the issues that caused these breaches, and therefore, are not likely to prevent a reoccurrence in the future.
Just as the U.K.’s ICO has called for sterner financial consequences for entities that breach the Data Protection Act, so too is Saskatchewan’s looking for a big hammer.
But even when agencies have bigger hammers in their tool box, will they really use swing them? And if they do, will it really serve as a deterrent for others?