Wednesday, April 18, 2007

Was your privacy breached today?

Consider these scenarios:

  • Your new husband’s ex-wife, who works for a medical office, looks up your medical records.

  • The mail delivery cart in a government office is left unattended in a public area while the mail clerk takes a coffee break.

  • You drop by your boss’s office to update her on your project and notice a disciplinary report on her desk, with the name of a fellow manager showing prominently on the front page.

  • You open your annual pension plan update and discover someone else’s report is in the envelope instead of your own.

  • A major retailer discovers that their network has been hacked, with potentially hundreds of thousands of customer credit card numbers accessed.

  • Your friend in the benefits department tells you at lunch that a co-worker and mutual friend has been submitting claims for visits to a psychiatrist for the past several months.

Which of these scenarios would you consider to be a privacy breach? If you answered all of them, you would be right. According to Canadian privacy legislation, data that is collected or disclosed without authorization is considered a privacy breach. It doesn’t matter whether the breach was overt, inadvertent or accidental; the consequences and implications are equally severe.

Security is a means to achieve privacy. Security is established through rigid policies and procedures, a code of ethics and regular training for staff. Security is also established on the information technology side by restricting data access to only those who need it. For example, the government health minister, responsible for overseeing policy direction for his jurisdiction, does not require access to citizen health records to do his job, while a clerk responsible for verifying medical claims does require access to those records. While one might expect the health minister to understand the importance of ensuring the privacy of medical records, it is the staff member who actually accesses the records who is in most need of training. And often, these front-line staff are the least-trained in the organization, yet they have the greatest potential to cause a security breach, the majority of which will be accidental or inadvertent.
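As an added example (not code from the original post), here is the access rule described above in Python: a role must carry the permission at all, and even then a clerk only reaches records tied to claims assigned to them, with every attempt written to an audit log so that lookups outside someone's caseload (the ex-wife scenario above) can be reviewed. The role names, claim ids and patient ids are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role model based on the post's example: the minister sets policy,
# the claims clerk is the only role that needs to read medical records.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "health_minister": {"read_policy_reports"},
    "claims_clerk": {"read_medical_record"},
}

@dataclass
class User:
    name: str
    role: str
    assigned_claims: Set[str] = field(default_factory=set)  # need-to-know scope

@dataclass
class AuditEntry:
    user: str
    patient_id: str
    claim_id: str
    allowed: bool
    reason: str

AUDIT_LOG: List[AuditEntry] = []  # every attempt is recorded, allowed or not

def can_read_record(user: User, patient_id: str, claim_id: str) -> bool:
    """Least privilege (role) plus need-to-know (assigned claim), always audited."""
    if "read_medical_record" not in ROLE_PERMISSIONS.get(user.role, set()):
        allowed, reason = False, "role lacks read_medical_record"
    elif claim_id not in user.assigned_claims:
        # Right role, wrong record: this is the inadvertent or curious lookup case.
        allowed, reason = False, "claim not assigned to user"
    else:
        allowed, reason = True, "assigned claim"
    AUDIT_LOG.append(AuditEntry(user.name, patient_id, claim_id, allowed, reason))
    return allowed

def denied_lookups(user_name: str) -> List[AuditEntry]:
    """Pull a user's denied attempts from the log for privacy-officer review."""
    return [e for e in AUDIT_LOG if e.user == user_name and not e.allowed]

if __name__ == "__main__":
    clerk = User("clerk01", "claims_clerk", {"CLM-1001"})
    can_read_record(clerk, "PAT-7", "CLM-1001")   # allowed: assigned claim
    can_read_record(clerk, "PAT-9", "CLM-2002")   # denied: not their caseload
    for entry in denied_lookups("clerk01"):
        print(f"review: {entry.user} tried {entry.patient_id} ({entry.reason})")
```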

Organizations need to ensure that the staff who assume the greatest risk through their exposure to confidential information receive annual training about their obligations with respect to privacy legislation and the potential consequences of a privacy breach. Organizations also need a clear set of policies and procedures for dealing with privacy breaches.

Organizations need to ensure that their I.T. departments have adequate budgets to ensure regular upgrades to hardware and software, as well as regular training for their staff.

Governments also need to strengthen privacy legislation to ensure that organizations are accountable to the public in the event of a privacy breach. In the case of the recent TJ Maxx hacking, for example, most U.S. states and Canadian provinces had no legal requirement for the retailer to inform customers that their credit card data had been compromised. Monday's session at the Prairie health information privacy conference highlights the ongoing challenge that privacy breaches, inadvertent or otherwise, present to the public and private sector.

So think back on where you were today – where you work, where you shop, where you ate lunch, where you live – do you know if your privacy was breached today?
