Former privacy boss calls for tougher rules
February 5, 2014
CALGARY – Alberta’s former privacy watchdog says it’s time to beef up the province’s personal information protection laws. Frank Work, who stepped down as Alberta’s Information and Privacy Commissioner in 2011, says the recent breach of 620,000 records of Medicentres Canada patients is disheartening.
“Any responsible organization that’s dealing with information has to assume that their devices are going to get lost, so they better be encrypted,” said Work.
“If you want to put your own stuff at risk, fine. But if you’re dealing with other people’s information, you really have an obligation – and the legislation says you have an obligation – to take reasonable care of the information.”
In the latest case, the data was contained on a laptop that went missing while in the possession of a consultant working for Medicentres Canada.
Alberta’s current privacy commissioner, Jill Clayton, has launched a probe into the circumstances around how the information was lost or stolen, as well as a review into how health information privacy violations are reported.
Work told the Calgary Herald he’d like to see the non-disclosure provision in the Health Information Act revisited. The legislation currently prohibits Clayton’s office from disclosing a breach of the health act voluntarily reported to her by a “health custodian” or requiring the organization to share the information with affected parties.
Work, who regularly deplored poor data encryption practices in Alberta when he was privacy czar, said he’d also like to see changes to the offence provision in the province’s privacy legislation. Under the Health Information Act, fines can range from $50,000 to $500,000, but the commissioner’s office generally has to prove the violator deliberately broke the law; under the private sector law, similar intent to break the law must be proven.
“If people aren’t getting the message, if the carrot isn’t working, I guess you have to look at using the stick, and I guess that means looking at the offence provisions under the act and seeing if there’s anything that can be done there to put a little more bite in it in terms of prosecuting people who do lose information,” said Work.
“If organizations handling personal information won’t take the minimal precautions, I guess you have to up the ante somewhat.”
Work said he’s hopeful more Alberta companies are paying heed to proper data protection measures. “The optimist would say lots of organizations and individuals are getting it and they are using encryption and they are taking precautions,” he said.
“A pessimist would say, clearly people aren’t getting it.”