Annual report urges increased staff training, vigilance
There’s no silver bullet when it comes to preventing privacy breaches, but Saskatchewan’s information and privacy commissioner says more can be done to reduce the risk.
“You can work five or 10 or 20 years to build a good reputation,” said privacy commissioner Ronald Kruzeniski. “One privacy breach can affect that reputation significantly.”
Reducing the Risk is the title of the commissioner’s 2017-18 annual report, which was released Wednesday morning.
In the report, Kruzeniski reflects on the progress and accomplishments of his team during the past year and his hopes for the upcoming year, and provides recommendations to reduce the risk of future privacy breaches.
Recommendations for organizations to reduce risk were broken down into four sections, and include things like mandatory annual privacy training for all staff, and for staff to sign confidentiality agreements at least once a year.
The report urges people to use complex passwords, not let coworkers use their computers if it means they will have access to information they shouldn’t, and use email encryption.
“I know we all have tons of passwords and it gets frustrating, but when it comes to personal information, I think it deserves that extra effort and extra attention,” Kruzeniski said.
Keeping personal and business emails separate should be part of any organization’s privacy policy, and for those who still send faxes, making sure they are sent to the right place is key, says the report.
“We are still receiving reports of faxes going astray,” said Kruzeniski.
Kruzeniski said ex-partners snooping on their ex’s new spouse or partner, known as the “love triangle” in the report, is also an ongoing issue.
“Through policy, training, confidentiality statements, monitoring and discipline is how employees realize the cost of submitting to temptation,” says the report.
“I think the closest thing to a silver bullet is trying ... to create a culture of privacy,” said Kruzeniski. “That, you know, when it’s personal information and you know that you should be cautious.”
According to the report, the office has experienced an increase in the number of reviews, investigations and consultations, resulting in more files being opened.
The number of files has increased to 345 in 2017-18 from 182 in 2014-2015.
“I think Edward Snowden caused a flurry of media activity,” said Kruzeniski. “It spilled over into Canada and all that coverage starts to increase the public consciousness.”
He said incidents like the 2015 terrorist attack in San Bernardino, Calif., and the legal battle between the FBI and Apple that followed, as well as the more recent Cambridge Analytica Facebook scandal, have also increased public awareness about the risk of privacy breaches.
“Greater public consciousness causes people to make more requests of organizations, and when organizations say no, it causes them to come to our office,” said Kruzeniski.
The commissioner said requests regarding the Global Transportation Hub, which has been the subject of a CBC investigation, have also caused an increase in the number of files opened in the last couple years.
The report also highlights the efforts made by the privacy commissioner’s office to train police services on the amendments to The Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP), which came into effect in January 2018.
Kruzeniski said the office receives phone calls for advice on how to interpret the legislation, which now includes police services.
Based on the amendments, the Regina Police Service announced in May they would no longer release the names of homicide victims except under special circumstances.
The decision was quickly reversed and is awaiting a formal recommendation from the privacy commissioner, who has previously conveyed support for the RPS’s interpretation of the legislation.
“We will probably have a response to the Regina Police Service, I’m going to say within a week,” said Kruzeniski. “Since we’re in the middle of that consultation, I won’t go further today.”
Kruzeniski also repeated the office’s recommendations from last year’s report to make amendments to The Health Information Protection Act, which the Ministry of Health has yet to implement.
Considering how much the digital landscape has changed since the legislation was established 15 years ago, he said “it’s very concerning” that amendments to the act have not been made.
For a copy of the full report, visit oipc.sk.ca.