Susan on the Soapbox welcomes her first guest blogger.
Employment and privacy lawyer Brian Thiessen has a few words to say about a privacy breach that impacts 620,000 Albertans. The title says it all.
The Buck Stops Here–Privacy 101 for Minister Horne–Incompetence is not a defence
Like most Albertans, I have been reading, with interest the news of the theft of a laptop containing the information of 620,000 Albertans. Unlike the feigned outrage of Minister Horne, I am genuinely concerned with both the theft and exposure of the sensitive personal information of hundreds of thousands of Albertans, but also with the complete lack of understanding of the privacy law regime in Alberta by a Senior Minister in the Alberta Government and his thinly veiled attempt to pass the buck to the Independent Office of the Legislature (the Office of the Information and Privacy Commissioner of Alberta) tasked with investigating that breach and holding the Alberta Government to account for its’ woefully inadequate security measures, as required by the Personal Information Protection Act (“PIPA”) and the Alberta Health Information Act (“HIA”).
To understand the colossal incompetence involved, you have to start at the basics. You see, unlike the PIPA that governs the collection, use and disclosure of Personal Information by commercial entities and which contains provisions requiring organizations to provide notifications to the Privacy Commissioner in circumstances where the loss, disclosure, or unauthorized access of an individual’s personal information would result in a “real risk of significant harm” to that individual, HIA (which governs the collection use and disclosure of health information and rules for custodians of such health information) does not contain any privacy breach reporting requirement.
Despite the lack of mandatory privacy breach reporting in HIA, the Commissioner has repeatedly encouraged custodians of health information to report privacy breaches. For example, in Investigation Report H2009-IR-007, Alberta Health Services voluntarily contacted the Commissioner to report that one of its computer networks had been infected with malicious software that potentially compromised nearly 12,000 individual’s health information and voluntarily notified those individuals of that breach. The Investigator appointed by the Commissioner stated:
“The HIA does not require custodians to notify individuals whose health information has been disclosed inappropriately. I believe AHS took a prudent and responsible course of action by notifying the patients whose [health information] may have been exposed… The [Commissioner] supports AHS’ decisions to notify staff and affected patients about this breach.”
Similarly, in Investigation Report H2011-IR-003, the University of Calgary voluntarily contacted the Commissioner to report that one of its computer networks had been infected by malicious software that potentially compromised nearly 5000 individuals’ health information and voluntarily notified those individuals of that breach. The Investigator appointed by the Commissioner stated:
“In my opinion, notification is a responsible and prudent response to this kind of breach… health information is inherently sensitive. People deserve to know that their health information may have been exposed… [emphasis added]”
Accordingly, custodians of health information are encouraged and typically inclined to voluntarily report privacy breaches of health information. Custodians who have voluntarily reported privacy breaches to the Commissioner include:
• Alberta Health Services (Investigation Report H2009-IR-007);
• Alberta Health and Wellness (Investigation Report H2005-IR-001);
• The Calgary Health Region – now Alberta Health Services (Investigation Report H2006-IR-002);
• The University of Calgary on behalf of the University of Calgary Medical Clinic (Investigation Report H2011-IR-003); and
• Individual health service providers (Investigation Report H2005-IR-001).
You may have noticed that most of the voluntary disclosures involved governmental agencies, some under the direct responsibility of the Minister of Health. So Minister Horne should have been very well aware that: (a) the HIA (which his government enacted) did not contain a mandatory requirement element (so that should come as no surprise to him); (b) despite this lack of legislative requirement, the Commissioner has consistently taken the position that such breaches should be reported, and (c) most agencies, including Minister Horne’s own department have regularly reported such breaches to the Office of the Information and Privacy Commissioner (the “OIPC”). A simple internal policy in Mr. Horne’s department would require them to tell the Minister.
How bad was the breach and was it the Governments fault?
In short, it was really bad. And yes, the Government, and Minister Horne is directly responsible.
In 2006, in Investigative Report P2006-IR-005 the OIPC considered a remarkably similar fact pattern, although in the context of PIPA. In that decision, the private company involved had a laptop was stolen containing sensitive personal information (names, age, month, year of birth, medical specialty, home and business addresses and fax numbers, and email addresses, and in some cases total financial assets and shareholder information). The OIPC found that the organization did not have adequate security measures in place, noting specifically that such sensitive personal information should not be stored on laptops, and that (as of 2006) commercial encryption was both commercially commonplace and had been available for 10 years (including in Microsoft Windows 2000), and that such encryption measures would compose part of reasonable security for information stored on laptops (along with BIOS passwords) and the common sense solution of having tracking or “phone home” technology installed on laptops so they can be quickly located if stolen. The OIPC noted, in 2006, that encryption had become “a baseline for security” and that the technology is readily available on standard operating systems. The OIPC also made some other common sense suggestions such as keeping laptops with such information under physical lock and key and not letting employees travel around with them. When evaluating the adequacy of an organizations security measures, the OIPC considers the seriousness of the issue and the degree of harm that could result. On the issue of harm, the OIPC stated:
“Phonebusters, a Canadian anti-fraud call centre operated by Ontario police agencies, received between 11,938 and 14,599 complaints of identity theft each year between 2003 and 2005. The total annual financial cost to these consumers reached 20 million dollars. This does not include the time and money spent to rectivy the problems created by identity theft. In March of 2006, an Ipsos Reid survey revealed that one-quarter of Canadian adults (24%) – representing 5.7 million Canadians – have either themselves personally (4%), or known someone who has (20%), been subjected to identity theft.”
Ok, so was it Minister Horne’s Fault, I mean nobody told him right?
Yes. It’s his fault. As you can imagine, one of the first defenses any organization considers when in breach of privacy legislation, is the argument that it wasn’t me my client/law firm/contractor/employees never told me.
Of course, the OIPC has repeatedly rejected this argument and notified organizations that they are responsible for the acts of their agents. In Investigative Report P2005-IR-005, the OIPC considered the argument by a company that they were not responsible for a privacy breach because they had hired a law firm to advise them on privacy law. : The Privacy Commission pointed out section 5(2) of PIPA:
“For the purposes of this Act, where an organization engages the services of a person, whether as agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance with this Act.”
Accordingly, the Privacy Commissioner held that, although the organizations demonstrated some diligence in hiring law firms, they did not escape their responsibility for privacy breaches under the PIPA. Similarly, Custodians of Health Information under the HIA have a direct duty to protect such information under Section 60 of the HIA including protecting against any reasonable hazard or threat to the security of that information. Further, any disclosure by an affiliate of a custodian is considered to be a disclosure of the custodian (Section 62(2) of the HIA). So the blame game certainly will not work for Minister Horne in the eyes of the Privacy Commissioner. The fact that Mr. Horne either failed to enact such policy or his department felt comfortable hiding it from him (or perhaps thought they might insulate him from political blowback by keeping it from him) is not a defense, but rather an extreme example of incompetence and a failure to take responsibility at the very top of the organization. Doesn’t the buck stop with the Minister in such a circumstance?
And knowing that the buck stops with Minister Horne, why is he claiming outrage at the Privacy Commissioner not informing him of the privacy breach within his own department, which he failed to monitor or protect? Why blame the independent officer of the Legislature whom your government has legislated could not have reported this to you?
Well, as President Eisenhower once said: “The search for a scapegoat is the easiest of all hunting expeditions.”.
Or perhaps more fitting is Craig Ferguson’s words of wisdom on the blame game: “When in doubt about who’s to blame. Blame the English.”
For the Alberta Conservative Government, the motto seems to be: “When in doubt about who’s to blame. Blame the hard working civil servants.”
Susan on the Soapbox 
It’s good for lawyers to flesh out the bare bones of stories like this for lay people. Thank-you to Brian, and Susan, for sharing your knowledge in this area. Regular folks do “get” the sense of when something is really wrong, but lack the expertise to peel back all the layers to the core and relate it all to actual legislation. The word “Accountability” seems to be used so much now both by citizens and government, it seems the real meaning of the word has been worn thin. We all need the assurance that our Ministers (in this instance the Minister of Health) know exactly what they are responsible for and get down and do their jobs already instead of posturing defensively and playing the blame game.
Thank you Elaine. I always worry when comments are made by the Government which erode the public perception of the integrity of Civil Servants, Independent Officers of the Legislature (like the Privacy Commissioner) and the Judiciary. Many of whom can not, or will not, speak out publicly. I think the initial damage to the public by the disclosure is magnified exponentially by the scapegoating engaged in by the Government. I hope that readers will realize how important our OIPC is, and how lucky we are to have them. As it appears that, Minister Horne’s office may have done nothing if not for the investigative role of the Office of the Information and Privacy Commissioner, who independently and objectively work for Albertans.
I too appreciate the explanation in this blog. Many thanks.
One thing that bothers me is that the person whose laptop was stolen did not seem to place a high enough value on the damage that its theft would cause. If they had fully appreciated it, they would have taken a lot more care and perhaps not have put the records onto a laptop in the first place, for starters.
In trying to prevent future losses of this type, I would like to see those in charge, whether it is government, private company management, boards, anyone, take steps to make sure there is an effective, strong and sharp incentive to treat other people’s information with utmost care. It can be a carrot, a stick, whatever it takes.
It’s fine to know that there was a breach, but nothing in the story so far suggests that the underlying attitudinal problem has been changed. In fact your post mentions an earlier incident with very similar facts, an investigation, recommendations – but those didn’t prevent this occurrence.
To be a little more concrete: if you or I had on our own laptops things like your own banking details, or private photos of your family, the identities of twenty James Bond-type undercover secret agents, or the treasure map for the Sierra Madre – if you had something super valuable to you on that machine, how would you handle it?
Now, how do we get people to care that much about other people’s private records?
I am eternally optimistic. I don’t think people typically wake up every morning determined to harm others. However, life is complicated and it’s easy to overlook things that with hindsight seem like common sense. But “common sense” is not common. It’s neither abundant, nor is there a shared (common) understanding of what is sensible. We cannot rely on other people to have it, nor can we rely on ourselves to have it.
It seems to me that in the present case there is a problem with training, with oversight, and with establishing, publishing, and monitoring reasonable controls for the type of data involved. Let’s fix the problem, please.
Brian, I was Privacy Commissioner at the time of the reports you cite in your article. Your article is thoughtful, well-sourced and thorough. In short, an excellent piece of work. I intend to refer to it often. I hope it gets the wide readership it deserves. Thanks.
Thank you Mr. Work, and for your service. It is very helpful to have such clear and well reasoned direction from your former office on point. I very much appreciated your comments.
There are so many fundamental issues with Fred Horne’s office. The issues here are but one small glimpse. I personally have seen form letters from two different people, sent to me.. This office is part of a health machine, and an incompetent one at that.. There is no accountability. Citizens are not first. Our health is not first. Our privacy is irrelevant. Even when I waive my right to privacy, no action is taken. Currently they are long postponing a medical (criminal) dental fraud which I reported to them, and which is clearly against their own direct billing legislation pertaining to Alberta health care insurance plan. I will not let this or any of the other issues rest. Mr. Horne, you have also refused to disclose to me and the public how your organization receives advise. Your advisory boards are not properly open on your web site, never mind disclosure. You have an ethics board board applicable to hospitals but not private practice or dentists. You have no description suitable to intelligent business people to comprehend all the private corporations that makes up Alberta Health. There is no disclosure of your mad mess that desperately needs clean up.
Joanne. excellent points. The byzantine public/private organizations that delivers healthcare in this province are like a bramble bush. One unfortunate step and bam! you’re slashed to ribbons. And as you said, heaven help you if you’re looking for compensation. I don’t know the nature of your issue but if it was the result of a doctor’s mistreatment you can send a complaint to the College of Physicians and Surgeons. If on the other hand, it was the result of shoddy work by a dentist you can complain to the Alberta Dental Association and College. (Perhaps you already did). I don’t know much about the Dental Association but the College will investigate any allegations brought before it and has the ability to revoke medical licenses. I think doctors and dentists would really clean up their acts if the public was prepared to report them to their self-regulatory bodies for inappropriate, negligent or fraudulent behavior. Just a thought.
Thank you Brian for your analysis of a privacy issue in “real time”. And thank you Frank for everything you did to increase transparency while you were Privacy Commissioner. In your 2010 annual report you said this: “If you’re going to promise transparency then deliver it…Let the public see, let the public judge, let the public find ways to make the information useful and relevant to themselves and others.” Wouldn’t it be refreshing if the Alberta government actually took your advice instead of simply giving it lip service?
I agree Jill. Life is pretty complicated and most people don’t set out to do harm. But some do and custodians of our personal information ignore this at our peril.
Mistrust is exhausting, but blind trust or willful blindness is just plain foolish.
In addition to the OIPC, many organizations have attempted to shine light on these issues. For example, see this 2009 presentation by the Consumers’ Association of Alberta to an all-party Leg Committee on Bill 52 amendments to the HIA.
Click to access CAC%20Alberta%20Submission%20Bill%2052%20Health%20Information%20Amendment%20Act%20Feb%2020094.pdf
Many thanks Brian for the great job of both explaining and refocusing.
This is great information, Wendy, thanks! It would seem that we have absolutely no control, and there is no oversight regarding our personal information, including our medical records. I am asking all you experts,”What should be done?”
Excellent presentation by the CAA to the all-party Leg Committee Wendy. What was the response? Did the government accept your input?
On a slightly different note, I’m sharing the link you sent me. Ann Cavoukian, Ontario’s privacy commissioner, points out that while the US government is debating the use of iPhone and the Internet surveillance programs, our government is silent as a tomb about the Communications Security Establishment Canada (CSEC) and what it’s up to. Not good. Here’s the link: http://www.theglobeandmail.com/globe-debate/why-the-silence-around-privacy/article16516631/
I suspect (cynic that I seem to have become) that the existing system works very well for some, and that may be where we can determine what really counts…
All that health information data is particularly useful for marketing purposes – whether direct to customers (individually or as populations), where to build a retail outlet, what to develop as consumer goods/services, what the competition might be doing… to say nothing of the potential for tracking by insurance providers or employers or others.
I keep harping on the point that the Katz Group should NOT have had access to the data they had; if they had not lost it and somehow been obliged to admit to the loss we would never know they had it; there is probably no limit to their use of the data and we will never know; and we will never know who else uses that data or for what purpose.
Even if there were penalties attached to those who get found out for some breach of the legislation, whatever it is, I wonder if the game isn’t worth the cost to them.
And back to basics: how does this improve health outcomes, and if so, at what cost?
Excellent question Carol: Why does the Katz Group (owner of Medicentres and mega-donor to Redford’s campaign in the last election) have access to this information? The paranoid side of me flashed back to something I learned about Google. Apparently Google owns a DNA analysis company–one of those companies that traces your ancestry based on your DNA. You take a swab, send it off to the company and presto, within a a few weeks you’ll know all you need to know about your genetic makeup all the way back to the dawn of time. Unfortunately so does Google and likely the US and maybe even Canadian governments given all we’ve heard about PRISM and other NSA data mining tools. Scary.
Something I have been wondering about, that I would appreciate information on from any of the knowledgeable people here, relates not to accidental release of personal information, but contracted (for lack of a better word) scenarios. This is what concerns me. Several years ago I was working on a casual basis, my husband had his own business and we purchased our own private Blue Cross plan for medications and extended health coverage. When I took a temporary position covering a maternity leave I was able to access a group plan through work. It was lovely! When the job term ended, however, I called Blue Cross to renew our coverage. They asked for my client number, but I didn’t have a card anymore. “That’s okay,” said the nice lady, “Just give me your Alberta Health Insurance number. It’s the same.” I was astonished. Does this mean Blue Cross, a private company, is given given free and easy access to all my health records and that of all my family members? Many people think Blue Cross is just an extension of government but they aren’t. I know we have special legislation in Alberta that grants them special status- but I don’t understand it. They are a “non-profit” but they are not a charity. A 1998 brochure of theirs stated $50 billion was going through their offices every year; what are they making now? My question is, should we be worried about this arrangement? Is there any point in worrying now, when the horse left the barn a long time ago?
Elaine having the same number does not mean much and it could be just a question of convenience for them and the people that have accounts with them because they only need to know one number. Having said that, I would not be surprised at all if Blue Cross has access to our records. It seems everybody does except us.
Well, Carlos, the reassurance to my paranoia has come from an unexpected quarter! Thanks for commenting, you make a good point. It still tickles my spidey-senses, though, and I wonder how close this particular insurance provider can get to the information in our personal health records. How would we know? And who else is snooping around in our private health care stuff? As Wendy A. says, mistrust is exhausting. I think I’ll go back to bed.
Elaine, it seems these days that more and more of us live in that mistrust area you are talking about. Some people can get some comfort by going to bed; unfortunately I am not one of them. 🙂 I just get angrier and angrier at these pseudo people that behave more like predators.
Again I can assure you that having the same number means nothing in terms of them having access to our medical records. On the other hand I can just tell you that I was astounded that I went to the Drug Store and the pharmacist saw me taking my blood pressure and came to talk to me about doing a review of my medication and if I was interested. I accepted because with my doctor I never really had an opportunity to talk much about it. With my doctor I do not even know much about tests when I have to do them. To my surprise the pharmacist logged on to a database and just by using my health care number which of course is on my medication, he shows me all my tests going back 3 years. I have to say here that this does not bother me at all because first I trust my pharmacist and secondly I really think that some of them have a better knowledge of drugs and their interactions, but I did not know that it would be so easy. After all I do not have access to these tests, but my pharmacist does. So to end the story, for any of these major Insurance companies to have access to your tests, and I emphasize that this was just the tests not medical records, they need a pharmacist ID and password. In today’s world this is not that difficult to get, is it? A good external commission will do it for many of them. As far as the medical records I still do not know how easy it is to access them but I will.
Elaine and Carlos, this business about using one number as an identifier for unrelated enterprises is very worrisome. Elaine provided one example, here’s another. The ID number on a seniors Alberta Blue Cross card is the same as his AHS number, presumably because it’s an easy way to confirm the senior is actually 65. But practices that started years ago as a matter of convenience can create privacy issues today. When my daughters went to university in the US, they were surprised to learn that their student ID numbers were the same as their Social Security Numbers. They had to put their “student” ID numbers on every exam they took and paper they wrote, so their Social Security Numbers were flying around all over the place for everyone to see.
I’m most troubled by Fred Horne’s refusal to take accountability. Why does Horne think he’s not responsible for this breach? The doctors, nurses and healthcare professionals may work in the Katz Medicentres, but their remuneration comes from our tax dollars which are managed by Horne. This is just another example of the buck stopping somewhere, anywhere, but at Horne’s doorstep. Sorry, accountability and transparency don’t work that way—not when Horne is funding healthcare delivery through private companies using our tax dollars.
Susan I fully agree and if Horne does not think he is responsible for our information, who is? Katz? My goodness, what is Horne responsible for? Just the big paycheque? What a bunch of morons. He they choose private companies then they are responsible for whatever mess they get into, which is very likely.
Carlos you’re right from both the moral and legal perspective. Horne signed a contract to allow Katz’s Medicentre group to deliver healthcare to Albertans. This contract should have included a standard “compliance with laws” clause requiring the Medicentres to comply with all laws including the Health Information Act (HIA). The HIA requires all “custodians” of health information to keep health information confidential. It’s not clear to me from the few facts we have whether the Medicentre itself or the healthcare professionals who work in the Medicentre are “custodians” under the HIA, but the fact remains that someone has an obligation to keep health information confidential and this obligation was breached when the Medicentres hired an IT consultant who then left his laptop in the backseat of his car (ie failed to protect the confidentiality of this information). In addition to being “outraged” Horne should be threatening a lawsuit against the Medicentres and/or the IT consultant for failing to protect the private information of 620,000 Albertans. However given the cross-connections between the PC government and Katz, I very much doubt we’ll see anything of the sort. The principle of “take care of the public interest” is once again subsumed to the principle of “take care of your friends in high places”. I don’t know how many more examples it will take before ALL Albertans twig to the fact that the PC government has got to go.
Susan the so called Harper Government is not interested in talking about surveillance programs because they are the biggest supporters of it. We all know these people are obcessed with secrecy. All they talk about is their ‘Action Plan’ that does not exist. There is a name for people that talk about stuff that only exists in their minds.
I just got an email from my MP regarding the support of Chong’s private bill to improve the democratic process. In this email my MP asks for my vote ‘Yes or No’ and takes the opportunitty to clarify that he does not support it because he is alright with our Democratic process and he does not see any problems with it. 🙂 No wonder we are heading to a big crash in this country. My MP does not see any problems whatsoever with our democratic process. I on the other hand do not believe we have a democracy!!!! This is how far appart we all are. Very scary. 🙂