Office of the Information and Privacy Commissioner
July 3, 2008

Office of the Information and Privacy Commissioner
Report P-2008-001 Released

The Information and Privacy Commissioner, Ed Ring, has released his Report P-2008-001 under authority of the Access to Information and Protection of Privacy Act (the "ATIPPA"). The Commissioner is pleased to announce that this is the first privacy Report issued by this Office. The Commissioner would also like to note that the issue leading to this investigation and Report occurred before the privacy provisions of the ATIPPA were proclaimed into force in January of this year. Despite this fact, the Department of Health and Community Services requested that this Office conduct the investigation and make appropriate recommendations. The Commissioner commends the Department for this initiative and has issued this Report within the spirit and intent of the privacy provisions of the ATIPPA. A summary of the Report is included below.

To view the Report in its entirety, please go to //www.oipc.gov.nl.ca/reports-privacy.htm

Report: P-2008-001
Report Date: June 25, 2008
Public Body: Department of Health and Community Services

Summary: On 20 November 2007 a privacy breach occurred involving the accidental disclosure over the internet of personal information of patients and staff from a computer operated by a Consultant working for the Public Health Laboratory ("PHL"), which is the responsibility of the Department of Health and Community Services ("DHCS"). DHCS followed up by assessing the severity of the breach and contacting a number of affected individuals. DHCS also notified this Office of the breach, and on 28 November 2007 requested that we accept for investigation any complaints from affected individuals who received DHCS's notification, despite the fact that the privacy provisions of the ATIPPA were not yet in force. This Office agreed to do so. Three complaints were subsequently received.

The Commissioner commended DHCS for its response to the breach, including its notification process. The Commissioner further commended DHCS for requesting that this Office investigate any complaints, despite the privacy provisions of the ATIPPA not being in force at the time of the breach. The Commissioner found, however, that policies governing the management, retention and destruction of electronic records were significantly lacking at PHL, and that areas of responsibility for electronic records and privacy between PHL and Eastern Health (which provides information technology support to PHL) have not been formalized appropriately. The Commissioner also determined that appropriate training had not been provided to staff or management of PHL prior to the privacy breach, and that such training should be provided at the earliest opportunity. The Commissioner further recommended that privacy protection be built into the contractual language whenever a third party is retained to provide services to PHL; that Privacy Impact Assessments be conducted where appropriate at PHL; and that recommendations of the IT Security Framework Review be implemented.

- 30 -

Media contact:
Ed Ring
Information and Privacy Commissioner
709-729-6309

2008 07 03                                                     4:10 p.m.

 

