
Office of the Information and Privacy Commissioner
March 30, 2010

Office of the Information and Privacy Commissioner — Report P-2010-001 Released

The Information and Privacy Commissioner, Ed Ring, has released his Report P-2010-001 under authority of the Access to Information and Protection of Privacy Act. A summary of the Report is included below.

To view the Report in its entirety, please go to www.oipc.nl.ca/privacyreports.htm

Report: P-2010-001
Report Date: March 29, 2010
Public Body: Workplace Health, Safety and Compensation Commission
Summary:

In late January 2008, computer records containing the personal information of clients of the Workplace Health, Safety and Compensation Commission (the "WHSCC"), including health information, were exposed over the Internet when an employee of a health care services provider installed a popular music-sharing program, Limewire, on a laptop that also contained client files. The service provider was under contract to the WHSCC.

Upon request by the WHSCC, our Office agreed to investigate and make recommendations with respect to the WHSCC's policies, procedures and security practices, and in particular measures that might be taken to further enhance the protection of WHSCC data in the hands of external contractors.

During the first phase of the investigation, it became evident that the WHSCC had, immediately following notification of the breach, taken the appropriate measures to contain it, to recover possession of the records and to determine the extent of the exposure. The WHSCC had also evaluated the risks of harm to affected individuals resulting from the breach, and had notified all of them within two weeks following the event.

During the second phase of our investigation, our Office conducted a more in-depth review of WHSCC's information privacy and data security policies and procedures, and of the initiatives taken to enhance security following the breach. In particular, our Office reviewed the terms and conditions governing information security, privacy and confidentiality in the contracts under which external health care service providers work, with a view to recommending steps to strengthen those provisions and their enforcement.

The Commissioner concluded that the WHSCC, prior to the breach, had made reasonable security arrangements within the meaning of section 36 of the Access to Information and Protection of Privacy Act (the "ATIPPA") to protect the personal information of its clients against foreseeable risks. The Commissioner also concluded that following the breach, the WHSCC has taken reasonable measures to review the causes of the breach and to strengthen its policies, procedures and practices so as to minimize the risk of similar incidents in future. The Commissioner recommended that the WHSCC consider whether it would be reasonable to conduct a compliance audit of its contractual service providers, and whether it would be reasonable to set a standard for privacy training for the employees of contractors, and to assist in the provision of that training.

- 30 -

Media contact:

Ed Ring
Information and Privacy Commissioner
709-729-6309

2010 03 30 10:30 a.m.
 

