Nova Scotia’s privacy watchdog is again calling on the government to bolster the province’s privacy laws citing numerous shortcomings in the act that is supposed to protect sensitive information.
In her annual report, privacy commissioner Catherine Tully said previous recommendations have not been acted on. In particular, her report highlights the weak protections for Nova Scotians who may be victims of privacy breaches.
Government departments are not required to report information breaches to the individuals affected by the breach or to her office.
“This is a significant shortcoming of our laws,” the report reads.
Last year, two privacy breaches were voluntarily reported to her office by government departments but Tully says “common sense” suggests many more breaches occurred.
Based on statistics from other jurisdictions, Tully says it’s likely that public bodies in Nova Scotia had between 10 and 154 “significant privacy breaches” in 2015.
“I am increasingly concerned that Nova Scotians are not hearing about privacy breaches,” Tully said in a release.
“They happen in every organization and public body across the country. The causes are varied but they include human error, technical errors and criminal attacks.”
Rules safeguarding medical records ‘upside down’
In what she calls a “very odd quirk” of the province’s laws protecting health records, Tully says her office is notified when there are minor breaches in health records but not major breaches.
“I call it the upside down breach reporting,” Tully said. “I’m not hearing about breaches where there’s a real risk of significant harm.”
For major information leaks health officials are supposed to contact patients directly, Tully says, but she says she has no way of knowing whether that happens.
The government says it is reviewing the rules for reporting privacy breaches along with the entire Personal Health Information Act as part of a mandatory review.
‘One of the weaker access and privacy laws in the world’
Nova Scotia’s freedom of information and protection of privacy law hasn’t been significantly changed since before the advent of social media, smartphones, and the proliferation of electronic record keeping.
“We have one of the weaker access and privacy laws in the world right now,” Tully said.
For example, Tully says she is the only provincial privacy officer in Canada that isn’t an independent officer to the legislature, instead she is part of the justice department. She and previous privacy commissioners have been calling for full independence for more than a decade.
The government risks further eroding the public trust without major changes to the law, says McInnes Cooper privacy lawyer David Fraser.
He says the government should be legally obliged to protect information and publicize when mistakes happen.
“That is something that’s significantly lacking in our law now,” Fraser said.
No timeline for privacy act overhaul
This year’s recommendations to change the province’s privacy acts are the same as in Tully’s previous reports. However, the government says it needs more time to consider them and has no immediate plans to change the privacy act.
In the meantime, the government is drafting a policy for privacy breaches for all government departments, Deputy Premier Diana Whalen says. The policy will require the government to track breaches, but Whalen isn’t committing to giving that information to Tully.
“She may well get it but that would be done in consultation with her, and we’d want to know to what avail,” Whalen said. “What’s the purpose, how’s it going to be used, all of that.”
Statistics on privacy breaches will be publicly reported once the new policy is in place, Whalen says.