Data Privacy Day - Information and Privacy Commissioner’s Statement

Tue, Jan 27, 2015

January 28th is Data Privacy Day, a day recognized globally to promote privacy awareness. Data Privacy Day is recognized in countries throughout the world as a day to raise awareness about the importance of protecting privacy rights and the risks to these rights. The goal of this Data Privacy Day is to raise awareness about the impact of technology on our privacy rights and how the use of technology presents significant risks to these rights.

Using technology to carry out the business of public bodies is becoming the norm. More and more public bodies, including governments, are looking to technology to become more efficient and provide services to the public. It is without a doubt that technology has many positive benefits. It is also without a doubt that use of technology to store and transmit personal information presents significant risks to privacy.

The ease at which large amounts of data can be accessed, viewed and downloaded creates significant risks to privacy. Almost daily in 2014 was a news story about a privacy breach involving technology. A year in review story published by Canada.com this past December had this to say about privacy breaches in 2014 and the state of privacy management by the public sector.

It has been such an astonishing year for privacy violations, digital security breaches and flat-out ignorance of ongoing threats that it should be a wake-up call to everyone in
power: it’s time to step up your game.
The unnerving trend of the year is that public infrastructure was attacked repeatedly, but the response was almost universally to hide the nature of the attack, fail to alert Canadians to its impacts or fail to respond in any way at all.¹

The following privacy breaches were reported in the article in support of this view.

• The health information of 620,000 people stored on a laptop was stolen and the breach not disclosed to those affected.
• A hard drive containing personal information of more than 600,000 students was lost.
• A database with 900 social insurance numbers was hacked.
• The National Research Council’s servers were hacked and personal information stolen.

The article also highlighted that in spite of these risks the public sector continues to over collect personal information.

A privacy breach, also commonly called a security breach, is the accidental loss or alteration of personal information or any unauthorized access, collection, use, disclosure or disposal. While access to and disclosure of personal information are commonly associated with a privacy breach that may cause harm, an over collection and improper use of personal information can also lead to harm. For example, if a public body collects your driver’s licence when not required and this information is lost or accessed or disclosed without authority, the implications are that the individual whose driver’s licence was improperly collected is now at risk of identify theft and fraud.

The key ingredient to preventing a privacy breach is effective privacy management. A public body with an effective privacy management program will mitigate risks to privacy. An important tool used as part a privacy management program is a privacy impact assessment (PIA). Completing a PIA for projects involving personal information will assist a public body to ensure it has authority to collect, use and disclose personal information and that it has in place effective security measures to prevent a privacy breach. An important part of completing a PIA is to identify any risks of non-compliance with privacy law and develop a strategy to mitigate the risks before collection, use or disclosure occurs.

To help Yukon public bodies better manage their privacy obligations under the ATIPP Act, today we are offering two workshops designed to assist public bodies develop an effective privacy management program. Tomorrow we are offering two workshops on how to develop a privacy impact assessment. We are pleased to offer these workshops as part of our commitment to proactively support public bodies’ compliance with the ATIPP Act. The workshops are open to Yukon public body employees. Information about these workshops can be found on our website. (GIVE LINK)

Yukoners can play an important role in protecting privacy. When providing personal information to a public body, particularly when the personal information provided is highly sensitive, such as identification documents or health information, ask the person collecting the information why it is needed, what it will be used for or who it will be disclosed to. Ask them what their authority is for the collection, use and disclosure and ask how they secure it to prevent a privacy breach. A public body with an effective privacy management program in place will have employees that are properly trained on their privacy responsibilities and should be able to answer these questions.

To view a copy of the proclamation click here.

For more information contact:

The Office of the Information and Privacy Commissioner
867-667-8468 or info@ombudsman.yk.ca

__________

¹ (2014: The year in privacy failures, From lost hard drives to hacked networks and ignored security breaches, 2014 was the year that should wake us up, Wolfe-Wylie, December 10, 2014, Canada.com)