Upon request by the WHSCC, our Office
agreed to investigate and make
recommendations with respect to the
WHSCC's policies, procedures and
security practices, and in particular
measures that might be taken to further
enhance the protection of WHSCC data in
the hands of external contractors.

During the first phase of the
investigation it became evident that the
WHSCC had taken the appropriate measures
immediately following notification of
the breach to contain it, recover
possession of the records and
determine the extent of the exposure.
The WHSCC had also evaluated the risks
of harm to affected individuals
resulting from the breach, and had
notified all of them within two weeks
following the event.

During the second phase of our
investigation our Office conducted a
more in-depth review of WHSCC's
information privacy and data security
policies and procedures, and of the
initiatives taken to enhance security
following the breach. In particular our
Office reviewed the terms and conditions
governing information security, privacy
and confidentiality in the contracts
under which external health care service
providers work, with a view to
recommending steps to strengthen those
provisions and their enforcement.

The Commissioner concluded that the
WHSCC, prior to the breach, had made
reasonable security arrangements within
the meaning of section 36 of the Access to Information and Protection of
Privacy Act (the "ATIPPA") to
protect the personal information of its
clients against foreseeable risks. The
Commissioner also concluded that
following the breach, the WHSCC has
taken reasonable measures to review the
causes of the breach and to strengthen
its policies, procedures and practices
so as to minimize the risk of similar
incidents in future. The Commissioner
recommended that the WHSCC consider
whether it would be reasonable to
conduct a compliance audit of its
contractual service providers, and
whether it would be reasonable to set a
standard for privacy training for the
employees of contractors, and to assist
in the provision of that training.