Sunday, November 29, 2009

Press Pass on the government's big privacy breach

The Times Colonist runs a Sunday column called Press Pass, compiled mainly by the newspaper's press gallery reporters - currently Lindsay Kines and Rob Shaw - and legislative columnist Les Leyne. The reporters have broken all the stories on the government's bungled response to a major privacy breach.
On Sunday, Press Pass added this background.

"SUGGESTED READING: With all the hoopla around those missing government files, perhaps it's worth brushing up on the fundamentals. What's supposed to happen when government learns of a major privacy breach?

According to the Key Steps in Responding to Privacy Breaches guide, written by the Office of the Information and Privacy Commissioner in June 2008, there are four key steps. Let's contrast them with what happened in this case:

1. Contain the breach and notify privacy/security officials.

If, by that, you mean don't tell the senior bosses or ministers until the Public Affairs Bureau hears about it seven months later, then done and done.

2. Evaluate the risk of the breach.

Let's see. Employee under criminal investigation for fraud has swiped sensitive personal information that could be used for fraud ... we'll go with "high" risk.

3. Notify people "as soon as possible" to warn them their privacy has been compromised.

In this case, wait more than half a year before writing letters to the wrong people.

4. Prevent a future reoccurrence by investigating the cause of the breach.

Or, repeatedly claim ignorance about when you found out or what you knew and bolt from the legislature to enjoy a four-month winter break.

When should you follow these four steps? According to the guide: Immediately.

Maybe someone in government should read this thing."

4 comments:

RossK said...

Fisking in the public prints, even if satirical, is most welcomed.

However.

Here's hoping the three Press Passkateers are still chasing down the rest of the 5 W's on this thing.

For example, with respect to #1....

Who, exactly, passed this very private information along to the Public Affairs Bureau so that they could pass it along to the Minister concerned?

.

sempoi said...

Hi..

good information..

my blog

Anonymous said...

Each Ministry has an assigned FOI officer/person or persons whose job it is to handle requests and complaints. Cynically, part of their job is how to stall requests for info and complaints. They also raise the flags about certain people, such as journalists, activists who are requesting sensitive info. It isn't clear to me whether these people report to the PAB, which is run out of the Premier's office.

People would be surprised how big a disconnect there is between levels and branches. But this was an RCMP investigation; if someone actually didn't communicate that to Ministers and other heads of organizations, such as Public Service Agency, then they should be fired. It is extremely unlikely high-level players weren't informed, but nothing would surprise me about this bunch.

It's important to remember that these organizations are assessing risk to the organization and its employees, Ministers etc. It isn't coming from the place of protecting and informing the public. That's just not how it works with this government. Also remember, if you don't investigate there is no paper trail to follow and they count on a large number of complainants to drop off because they don't have the time, energy, capacity or inclination to keep up their complaints over time, because it will be dragged out.

RossK said...

Thanks very much Anon-Above for the insight.

.