September 24, 2014
Mann's Technology Newsletters
By: J. Fraser Mann
See the IPSource Advantage for yourself
Decision by Saskatchewan Information and Privacy Commissioner Concerning Unauthorized Access to Government Database
An Investigation Report by the Saskatchewan Information and Privacy Commissioner (the "IPC") provides insight into two issues relating to the improper use and access to a database of personal information held by a government institution, namely: (i) where responsibility rests for a privacy breach by an employee of one institution who obtains access to information held by another institution; and (ii) the measures that a government institution should take upon the occurrence of a privacy breach in order to address the breach and to prevent a re-occurrence.
Facts
Saskatchewan Government Insurance ("SGI") is a government institution responsible for maintaining a database of information about drivers for both commercial and non-commercial vehicles. Another government institution, the Ministry of Highways and Infrastructure ("MHI"), had entered into a data sharing agreement to allow MHI employees to access information in the SGI database for purposes of enabling the MHI employees to perform their duties of "commercial vehicle enforcement".
An MHI employee had accessed information about a driver in the SGI database for purposes of discussing a highway incident that had occurred between the two individuals. When informed of the privacy breach, SGI issued an apology to the complainant. However, no apology was issued by MHI, being the institution whose employee had accessed the information. The IPC commenced an investigation into the breach, to determine what institution was responsible for the breach and what action should have been taken by that institution.
Responsibility for Privacy Breach
The IPC found that the MHI employee had committed a privacy breach by accessing personal information in the SGI database for a purpose other than the performance of his duties relating to commercial vehicle enforcement. This purpose was not in accordance with FIPPA2 which allowed collection of personal information only for "a purpose that relates to an existing or proposed program or activity of the government institution".
The IPC found further that the collection was a violation of the data sharing agreement between the two government institutions. The agreement included an acknowledgement by MHI that information was being disclosed only for specified business purposes, and provisions requiring MHI to use best efforts to advise its employees of their obligations and making MHI responsible for the actions of its employees with respect to any use or disclosure of information received from SGI.
The IPC found that MHI rather than SGI was responsible for the privacy breach, since its employee collected and used the personal information for an unauthorized purpose.
Did MHI respond appropriately to the privacy breach?
The IPC found that MHI failed to respond appropriately to the privacy breach in several respects, first by failing to carry out a full assessment of the breach; second, by failing to notify the complainant and to issue an apology, while allowing another government institution to do so; and third, by failing to create a comprehensive strategy to mitigate similar privacy breaches from occurring in the future.
With respect to its failure to assess and analyze the breach and associated risk, the IPC noted that MHI had not put in place adequate safeguards, including capabilities to audit the actions of its employees to ensure that they view only the information for which they require access in order to fulfil their job duties.
The IPC also found that MHI failed to conduct further training after the occurrence of the privacy breach. The IPC noted that regular and ongoing privacy training (and not just one-time training) was necessary, and that such training should be specific to the employees' duties and should address the parameters for the viewing of information by employees (particularly as there were limited technical measures in place to prevent access to any information in the SGI database).
The IPC found further that the institution whose employee had committed the privacy breach should have assumed responsibility for the breach and issued an apology. It was unclear how a future privacy breach could be prevented if a different institution assumed responsibility for the breach.
Finally, the IPC found that MHI had failed to take adequate steps to prevent future privacy breaches, insofar as it was unclear what disciplinary action was taken against the employee who committed the breach (other than to restrict his duties and suspend his access privileges). MHI also failed to circulate a directive to employees with a view to preventing further breaches. In addition, without putting in place auditing capabilities, MHI failed to demonstrate that it had sufficient measures in place to prevent and detect employee misuse.
Findings and Recommendations
In conclusion, the IPC found that MHI was the institution having primary responsibility for the privacy breach in this case, that it had failed to adequately respond to and manage the breach and that it collected information in contravention of FIPPA. Among its recommendations were that:
(i) MHI work with SGI to establish monitoring and auditing capabilities of MHI employees' use of the SGI database;
(ii) MHI conduct random audits of employees' use of the SGI database on a sustained basis to ensure information is used in compliance with FIPPA; and
(iii) MHI work with SGI to establish a technical solution to limit the extent to which MHI employees may access and use personal information in the SGI database.
To read the full newsletter on westlaw Canada, click here.
To read the full newsletter on Westlaw Canada, click here.
© Copyright Westlaw Canada, Thomson Reuters Canada Limited. All rights reserved.