The Oops Factor: Managing the “Before, During and After” of a Privacy Breach


Remarks at the Health Canada Privacy Day

November 4, 2010
Ottawa, Ontario

Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada

(Check against delivery)


I wish to congratulate the organizers at Health Canada for having put together this Privacy Day. Judging by the number of participants here today, this event is clearly a great success. And it is indeed a very topical event, given the nature of the issues to be discussed.

I also wish to thank my colleague Melanie Millar-Chapman, who is here today, for kindly providing comments on a previous version of this presentation.

The title of the talk I was asked to speak to was “The Ideal Privacy Landscape for a Federal Institution”.

I suppose, using that theme, I could have presented a very serene picture of a quiet sunset; or the dramatic photo of a deep, cavernous gorge.

Alternatively, I could have chosen the hard toil and labour of a farmer’s fields; or a stylized image of a painter’s ideal which may look nice on canvas, but has very little connection with reality. Or I suppose I could have shown you a collage of landscapes to make precisely the point I am making, and that is, how varied the privacy landscape can be.

Instead, I thought I’d choose a slightly different, catchier and more timely title, particularly in light of recent media stories: “The Oops Factor! Managing the Before, During and After of a Privacy Breach”.

In my presentation today, I will try to cover the following aspects:

First, and as background, I will describe where our respective worlds meet, that is, which aspects of the federal health sector may engage the work of our Office.

Second, I will talk about what federal institutions can do before, during and after to manage the risks associated with potential privacy breaches.

Lastly, so as not to avoid the question altogether, I will close with a few remarks on what I believe may be at least some traits of an ideal privacy landscape for a federal institution.

There are various aspects of Health Canada’s mandate, and that of other departments and agencies with health-related responsibilities, that come into contact with our Office on several fronts. For example:

  • Users of federally funded health services may bring privacy complaints to our Office. No doubt you would have heard about our recent investigation into a veteran’s complaint against Veterans Affairs Canada, which found that highly sensitive information about him had been widely used and disclosed far in excess of what was necessary or appropriate.
  • Some of you may also remember a finding a few years back involving several hundred complaints we received about the decision to require First Nations and Inuit recipients of certain government-funded health benefits to sign complex consent forms, essentially agreeing to the department’s personal information management practices to track prescription drug use.
  • In addition, and as many of you know, we regularly receive complaints involving the collection, use and/or disclosure of personal information of employees undergoing Health Canada fitness-for-work assessments for insurance claims or for labour and employment purposes.
  • We audit federal institutions, including Health Canada. In fact, Health Canada was one of the audited entities in our recently published “Wireless Audit”.
  • As required under Treasury Board directive, federal departments and agencies submit privacy impact assessments (PIAs) to the OPC for all new or substantially modified programs and activities involving the collection, use or disclosure of personal information. As an example, Statistics Canada has submitted to our Office for review and comment a PIA on the Canadian Health Measures Survey.
  • Our Office collaborates with the Federal Healthcare Partnership by providing input into the development of privacy policies related to, for example, the deployment of electronic health records and a data breach protocol currently being drafted.
  • Our Office last year issued guidelines for employers, including the federal public sector, on how to manage personal information-sharing in the time of a pandemic – such as the H1N1 flu virus – in both emergency and non-emergency situations.
  • Our Office is regularly called upon to testify before Parliamentary Committee on the privacy implications of various legislative bills, including bills seeking to introduce or amend laws on the review and approval of clinical trials, the safety of consumer products or the regulation of pathogens and toxins.
  • We may find ourselves in Federal Court with Health Canada, as we were in the Gordon matter for instance, where we supported the Department’s position to refuse a journalist’s request for access to the province field of the Canadian Adverse Drug Reaction Information System (CADRIS) database. The Court held that the province field, combined with all the other already publicly released data fields, could result in a serious possibility of specific individuals being identified, and therefore should not be released on the grounds that it constitutes personal information.
  • And finally, through our Contribution Program, we have funded several research projects on health-related privacy issues, including: secondary use of electronic health records, health information technologies, biobanking, de-identification of health data, direct-to-consumer genetic testing, etc.

Throughout these various encounters where the OPC meets the federal health sector, a consistent message you will hear the Commissioner and her delegates say is this: privacy protection must be built into programs and initiatives at the front end, as they are being conceived and designed, and well before deployment.

Just this week in Israel, the Privacy Commissioner and her colleagues around the world adopted an international resolution — championed by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian — which recognizes the concept of “Privacy by Design”. This concept is an essential component of privacy protection based on the following foundational principles:

  • being proactive, not reactive; preventative, not remedial;
  • setting privacy protection as the default;
  • embedding privacy protection right into the design of the system or technology;
  • striving for full product functionality and privacy protection as a positive-sum, not a zero-sum, game;
  • providing for privacy protection throughout the entire information life cycle;
  • being visible and transparent about the systems and technologies being planned and deployed; and ultimately
  • ensuring respect for user privacy.

Essentially, Treasury Board’s Directive on Privacy Impact Assessment, and the integration of privacy and security requirements into the management accountability framework to which senior public servants are ultimately held accountable, are an explicit manifestation of the Privacy by Design concept. Just this year, our Office received 60% more PIAs than we had in the previous year! In order to make the most of this tool – not only in terms of quantity, but quality too – our Office recently held a workshop involving representatives from over 40 federal institutions to engage in a dialogue on the content and format of PIAs submitted to our Office for review. The Office will soon be publishing an “Expectations document” coming out of that workshop, to help guide institutions in improving the robustness of PIAs going forward and to encourage them to involve the OPC as early as possible in the process.

To cite an old adage very familiar to all of you, “prevention really is the best medicine”. I could certainly give you a multitude of good and bad case studies on this. But for illustrative purposes only, let me give you a couple of recent examples.

For over a year preceding the Vancouver Olympic Games, organizers were in regular communication with the OPC, the OIPC of BC and the RCMP to discuss the planning of systems that would effectively avert security threats while also respecting the privacy rights of spectators, athletes, employees, volunteers and local residents. The Commissioner reported in her recent Annual Report that she came away from that experience “convinced that the Vancouver Olympic Games had provided a valuable lesson in balancing security and privacy rights at mega-events”.

By contrast, before deploying their Street View cars around the world to collect street images and wireless data access points to enhance their location-based services, Google did not have any conversation about the privacy implications of also potentially collecting payload data (essentially the content of communications running through unencrypted wireless networks). As it turned out from our investigation, the engineer who had included the code in the software enabling this collection had identified only what he believed to be superficial privacy concerns, which he did not share with Google’s Product Counsel, contrary to company procedure, with the end result being that they never got addressed. The summons to appear before Parliamentary Committee this week, the frenzy of recent media coverage of this story and the multitude of class action suits recently instituted against the company in the U.S. demanding millions of dollars in damages now painfully show that these were more than superficial privacy concerns.

What these examples demonstrate is how important it is to take the necessary steps in advance of deploying an information system or technology to avert the potential risk of harm to individuals. In a sense, to borrow another concept familiar to an audience like this, it’s like applying the precautionary principle to emerging information technologies. Just as in the health or environmental contexts, the precautionary principle would have us take the necessary measures up front to protect individuals from the risk of harm arising from the widespread use and adoption of technological advances, including information technologies, even in the absence of scientific evidence establishing a cause-and-effect relationship.

But building in privacy protections up front is not a one-shot deal. It involves an ongoing effort to train employees and to monitor compliance with policies and procedures, to ensure that privacy is respected throughout the information life cycle.

To come back to the Veterans Affairs investigation, the Commissioner found that the Department inappropriately shared personal health information about the complainant across numerous branches, including Program Policy, Communications and Media Relations. Highly sensitive medical information had even been included in briefing notes to the Minister in preparation for a press conference in which the complainant, a veterans’ advocate, was expected to participate.

The Department was also found to have disclosed large volumes of the complainant’s medical information to a hospital administered by Veterans Affairs, without the individual’s consent. The sheer volume and sensitivity of the personal information, and the extent to which it was widely shared, were found to have far exceeded what would have been necessary for the Department’s stated purpose. Most concerning in this case for the Commissioner was the seeming lack of controls within the Department to protect personal information and to guard against something like this happening. In speaking of this example, I am mindful of the sentiments of some Veterans Affairs employees feeling like they’re being “tarred by the same brush” – to quote from a newspaper article this morning. Nonetheless, I raise it not in an effort to point blame, but to draw from it concrete lessons we all could learn from.

Two recent audits conducted by our Office further demonstrate the importance of ensuring privacy protection throughout the life cycle of personal information.

A recent audit of the use of wireless technology (the “Wireless Audit”) in five large federal institutions (including Health Canada) revealed that none had fully assessed the threats and risks inherent in wireless communications. Gaps in privacy policies and/or limited guidance, in some or all of the entities audited, resulted in low levels of user responsibility and privacy awareness. Other shortcomings in some or all audited entities included weak password protection for smart phones, inadequate encryption of wireless networks and of data stored on mobile devices, the disposal of surplus handheld devices, and the use of PIN-to-PIN messaging.

Another recent audit on disposal practices (the “Disposal Audit”) among federal institutions revealed that, although policies and procedures for shredding federal government records and disposing of surplus computer equipment are in place, there remain significant deficiencies in practice. For example, shredding contractors used by Library and Archives had, at one time or another, violated some of their security obligations. And among a sample of over 1,000 computers studied, auditors found that 42% had not been completely wiped clean before being donated to a computer recycling program for schools. Some of the data found on these hard drives were confidential, highly sensitive and, in some cases, even classified.

The obvious preoccupation for every data custodian is how to manage “The Dreadful After” – when privacy breaches do occur. Indeed, multiple examples of health data breaches in several provinces demonstrate how real the risk is: unencrypted laptops and memory sticks stolen or gone missing; viral malware attacking the computer systems of entire health regions; paper records flying through downtown streets or falling off the back of recycling trucks; snooping health providers or hospital employees accessing the electronic health records of individuals out of perverse curiosity – without authorization and for purely personal purposes.

In order to assist organizations and institutions in dealing with the “aftermath” of privacy breaches, several Privacy Commissioners’ offices, including our own, have issued breach notification guidelines. Essentially, the key steps to follow are these:

The first step is to immediately contain the breach and mitigate potential harm. This may involve shutting down systems until an investigation can be carried out, or closing off access by individuals suspected of the breach.

The second step is to evaluate the risks associated with the breach, including the cause and extent of the breach, the type of personal information involved, the number of individuals affected and the foreseeable harms that can potentially result. Having proper audit trails and identification of files is critical for this step.

The third step is to determine whether to notify affected individuals. In many cases, this is the most difficult step to work through. Whether to notify will depend in large part on the degree of risk of harm identified and the possibility for individuals, if notified, to mitigate that harm. Equally important is to consider the potential harm in the notification process itself, which may require sensitive and customized approaches to avoid causing undue stress and anxiety to the individuals affected.

Finally, the last step to work through in the event of a breach is to undertake the necessary measures to prevent breaches from recurring in the future. Once the immediate problem appears to be technically fixed, the importance of this step tends to get underestimated. Yet this step allows institutions to close the loop; it takes you back to the beginning of the personal information life cycle, and affords you a renewed opportunity to take the precautionary steps needed to avert further privacy risks before re-deployment of the product or service in question.

Throughout this process, an important consideration is whether and when to report the breach to the Privacy Commissioner’s Office. Without wanting to be flooded with an overabundance of immaterial disclosures, our Office generally takes the view that, when in doubt, it is better to notify. Several advantages of this default approach are:

  1. OPC investigators can bring to bear their expertise in assisting departments and agencies to work through the various steps of the breach notification process;
  2. If asked, we could respond to media enquiries more reassuringly, confirming that we have been duly informed and are actively working with the institution in question to contain and minimize potential harms;
  3. If complaints are filed, we already have a good leg up on what has occurred and the steps being taken to rectify the situation; and
  4. Over time, we could have a better overview of the types and numbers of privacy breaches, helping to identify trends or reveal areas of increased risk, and helping to guide institutions accordingly.

Breach reporting to the Commissioner should not be viewed as a bad report card. On the contrary, it takes leadership and courage to take responsibility for a breach and to act on it promptly and effectively to contain possible damage and remedy the situation. The Privacy Commissioner certainly recognizes this challenge and stands ready to support you constructively in this endeavour.

In conclusion, let me attempt to address the question originally put to me.  What is the ideal privacy landscape for a federal institution?

First, and for all the reasons discussed this morning, an ideal privacy landscape requires an effective system of governance and proper risk management throughout the personal information life cycle. Second, it requires all employees serving in the public interest to take their responsibilities seriously, including the care and handling of personal information that may be exempted from the fundamental principle of consent as part of information-sharing arrangements within or between departments. Third, it takes ongoing sensitivity on the part of all concerned that behind these mammoth government programs to manage and administer are individuals with personal lives, like yours and mine, deserving of respect. And finally, the success of any federal government institution is critically dependent on ongoing efforts to earn and maintain public trust in the importance of its objectives, why they are needed and how they are carried out.

As Abraham Lincoln once said, “If once you forfeit the confidence of your fellow-citizens, you can never regain their respect and esteem.”
