The British Columbia Information and Privacy Commissioner has now released her investigation report on recent privacy breaches which occurred in the BC Ministry of Health. The report can be found on the Commissioner's website as No. F13-02. The report indicates that a lack of effective privacy governance, management and controls within the Ministry resulted in Ministry employees downloading large amounts of personal health data onto unencrypted flash drives and sharing it with third-party health researchers. Several Ministry employees have been disciplined and the Commissioner has issued a number of recommendations to enhance privacy compliance within the Ministry.
In at least one case it appears that the health researcher had only requested the information in anonymized form, as that was all that was needed for the research project. When the researcher discovered that it had received the data in "raw" or personalized form, the researcher notified the Ministry and returned or destroyed the data.
There is an ongoing controversy over how much of what is in the government's databanks should be made available, in the public interest, to researchers and others, or denied to them in the interests of protecting the privacy of those using the provincial health system. This debate, enhanced by the sensitivity of health information itself, has resulted in the Commissioner implementing some very high standards for public bodies dealing with health information and health research.
The Commissioner recently hosted an informal roundtable amongst stakeholders in the health research field, concerning their ability to access necessary data. The results of that session were published by the Commissioner in August 2012 here.
The high privacy standards applied in this area have led the Commissioner to issue a number of recommendations to the Ministry on how to improve its privacy practices and procedures. These are:
The Ministry should develop and implement additions to the BC Government policy on the use of portable storage devices to require the use of other, more secure, forms of information transfer. Portable storage devices should only be used as a last resort and must always be encrypted.
The Ministry should ensure user privileges are granted and managed based on the need to know and least privilege [least access] principles, ensuring that employees have access only to the minimum amount of personal information they require to perform their employment duties. Access permissions should be assigned consistently and kept up to date.
The Ministry should implement technical security measures to prevent unauthorized transfer of personal information from databases.
The Ministry executive should implement an effective program for monitoring and auditing compliance by employees with privacy controls, and by contracted researchers and academic researchers with privacy provisions in agreements, to enable proactive detection of unauthorized use and disclosure of Ministry information.
The Ministry should ensure that all contracts with contracted researchers and research agreements with academic researchers involving the disclosure of personal health information provide for an appropriate level of security, including privacy protection schedules. These requirements should include limiting the use and disclosure of personal information to specified contractual purposes; taking reasonable security measures to protect personal information; requiring compliance with privacy policies and controls with respect to storage, retention and secure disposal; and requiring notice to the Ministry in the event of a privacy related contractual breach. The Ministry also should use information sharing agreements wherever the substance of an agreement is about information sharing, rather than the provision of services to the Ministry.
The Ministry should develop a comprehensive inventory of all databases containing personal health information. The inventory should be updated regularly and should set out associated information flows relating to collection and disclosure for research purposes.
The roles and responsibilities for privacy belonging to the OCIO and branches throughout the Ministry should be documented and effective overall leadership for the Ministry's privacy management program clarified. There is a particular need to enhance the Ministry's internal privacy resources.
The Ministry should continue to streamline its information access request approval and delivery processes to reduce time delays in access to information for health research.
The Ministry should ensure that employees with access to databases containing personal health information participate in mandatory privacy training sessions and that their participation is documented.
Other public bodies in this field, in British Columbia and elsewhere, may wish to take note of these recommendations. In addition, the Commissioner has released some general guidance for all public bodies on implementing better privacy management. This guidance can be found on the Commissioner's website here.