British Columbia’s Privacy Commissioner, Elizabeth Denham, has released a report on privacy breach management in government ministries.
The report, An Examination of BC Government’s Privacy Breach Management, examines the degree to which government is fulfilling its duty to respond to, and properly manage, its privacy breaches. From the executive summary of the report:
The examination revealed that government has a solid foundation in place for managing privacy breaches and that the majority of suspected breaches are reported to the OCIO within a day or two of discovering the incident, are contained, and are investigated within a reasonable timeframe. Ministries provided notifications to affected individuals when appropriate, and written notifications included all of the necessary information. The OCIO also provided advice on preventative measures in almost every investigation.
There are, however, opportunities for improvement as gaps were found in relation to audits of security safeguards, analysis and public reporting of breaches, follow-up on implementation of preventative measures, timeliness of notifying individuals who may be impacted by a breach, internal processes for documenting and tracking breaches, and training participation rates.
There is also a lack of clarity around when breaches should be reported to the Information and Privacy Commissioner.
For the period 2010-2013, there were 2,718 actual breaches involving personal information. Of those, 71.7% were due to “Administrative Error,” and 16.4% were due to “Disclosure.” All other categories of breach types accounted for less than 5% each. Mailing errors accounted for 50% of the administrative error breaches.
Over 50% of all breaches were reported by the Ministry of Social Development and Social Innovation (31.2%) and Ministry of Health (24.0%).
The report concludes with five recommendations.