The Privacy Commissioner of Canada tabled her annual report to Parliament on the Privacy Act, highlighting many challenges with the protection, use and disclosure of personal information in the federal public sector. Here's the media release with links to the report:
News Release: Privacy Commissioner highlights need for better protection of personal information by federal departments and agencies - October 4, 2012:
Privacy Commissioner highlights need for better protection of personal information by federal departments and agencies
Veterans Affairs Canada audit outlines effort to regain confidence
OTTAWA, October 4, 2012 – There is a continued rise in the level of privacy complaints about government by the public, along with greater delays in responding to requests by people seeking access to their personal information, according to Jennifer Stoddart, Privacy Commissioner of Canada, in her 2011-12Privacy Act annual report which was tabled today in the Parliament. The Commissioner’s report provides details on investigation findings and privacy trends across federal departments and agencies, and also includes the conclusion of an audit into the privacy practices of Veterans Affairs Canada (VAC).
Veterans Affairs Canada audit concludes
The audit of VAC conducted by the Office of the Privacy Commissioner of Canada (OPC) followed a 2010 investigation which uncovered some serious systemic privacy issues involving the handling of veterans’ personal information. Specifically, it was found that a veteran’s sensitive medical information was shared among officials who lacked a legitimate need to see it. Some health information even ended up in ministerial briefing notes detailing the veteran’s advocacy work.
The audit found that VAC has made significant improvements to its privacy practices. For example, following the OPC investigation, VAC reviewed access rights to veterans’ electronic records and subsequently removed privileges outright for some 500 employees while reducing them for 95 percent of others. Investments have also been made in monitoring access to files, educating employees, and developing new policies, procedures and guidelines to respect privacy.
“The Department has agreed to implement all of our 13 audit recommendations and we are pleased with progress made to date,” said Commissioner Jennifer Stoddart, noting that the Office will follow-up with VAC within two years. “I’m satisfied that our findings paint an encouraging picture of a department now working to better ensure that its practices comply with the Privacy Act. It is clear that senior management has implemented structures and control mechanisms to move the department from one that merely reacts to privacy issues to one capable of addressing them systematically and proactively. All organizations would best serve Canadians by striving to reach this destination without having to endure a similar journey.”
Record high in access time delays causes concern and action
The Commissioner’s annual report also documents privacy trends within the federal government. This year saw a concerning increase in delayed responses from organizations to individuals seeking personal information held about them, as is a right under the Privacy Act. While this has been a concern for years, the 2011-12 increase reached an all-time high.
As a result, upon receipt of future time delay complaints, the OPC now provides departments with a maximum four months to commit to a release. Failing that, a “deemed denial” finding will be issued, clearing the way for court action to resolve the matter.
“We note that as awareness and concerns over privacy increase, resources dedicated to facilitating access to personal information for individuals has remained stagnant or even decreased,” said the Commissioner. “Even during a time of greater fiscal restraint, the government shouldn’t cut back on its commitment to meeting the privacy rights of Canadians.”
Increased numbers of complaints, breach reports
The report also notes that the OPC accepted 986 complaints in 2011-12, marking a 39 percent increase over the previous fiscal year. The period also saw reported data breaches within federal organizations reach an all-time high of 80. It must be noted however that because data breach notification within the federal government is voluntary, it’s unclear whether this statistic represents an actual increase in privacy breaches or more diligent reporting by departments.
“Overall, as we take stock upon 30 years of the Privacy Act, the need for a stronger emphasis on respecting privacy within the federal government remains,” added the Commissioner. “We will continue to use the tools and leverage we have to encourage the government to take action.”
The report also details findings from numerous investigations into privacy complaints against other federal organizations, including Correctional Services Canada and the Canada Revenue Agency (CRA). Additionally, following numerous reports of privacy breaches involving employees inappropriately accessing taxpayer information in recent years, the report notes that the OPC has selected the CRA for an audit under Section 37 of the Privacy Act. Work on this has begun and will continue over the coming months.
The full annual report and audit of VAC are available at www.priv.gc.ca. The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.