The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Wednesday, December 06, 2006
The Office of the Information and Privacy Commissioner of Alberta has found that the Calgary Health Region violated the Health Information Act in connection with a stolen laptop:
Calgary Health Region found in Contravention of Health Information Act over stolen laptop:
The Office of the Information and Privacy Commissioner has found that the Calgary Health Region contravened the Health Information Act (HIA), following an investigation into the theft of a laptop computer. The laptop contained a database of more than 1,000 children in a mental health care program, including patient history and treatment details.
Key findings included:
- The Health Region had policies in place that would have protected the stolen laptop and the information it contained, but those policies were not fully implemented by the Collaborative Mental Health Program.
- A copy of the entire database was stored on the stolen computer, increasing the number of people affected. Program workers should only have copied the files they needed, rather than the entire database.
- While the laptop was protected by passwords, this was not adequate given the nature of the information it contained.
- A knowledgeable and motivated individual could access the data with tools that are readily available on the internet.
- While the risk of identity theft from the information is low, it cannot be ruled out.
- Encryption technology would have protected the lost data, but it was not implemented.
The CHR informed the Commissioner's Office of the incident on its own initiative, took immediate action to notify affected individuals and has since implemented measures to secure mobile computers. The Health Region also agreed to follow our Investigator's recommendations.
Investigator Brian Hamilton says, "For the most part the Calgary Health Region does a good job protecting information, and has been taking steps to improve security. Unfortunately, they failed to recognize and address the risks of mobile computing in this program area."
Others can learn from this investigation. The Office of the Information and Privacy Commissioner urges all HIA custodians, public bodies and private sector organizations to follow these recommendations for mobile computing:
- Perform a Privacy Impact Assessment (or a security risk assessment) before implementing mobile computing.
- Do not store personal or health information on mobile computing devices unless you need to - consider technologies that allow secure, remote access to your network and data instead.
- If you must store personal or health information on a mobile device, use encryption to protect the data - password protection alone is not sufficient.
- Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
- Periodically check your policies against practice to ensure they reflect reality and remain effective.
- Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.
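The three technical recommendations above (copy only what you need, encrypt rather than rely on a password gate, and check practice against policy) can be shown in a single workflow. The following is an added example written for this post; it is not code from the Commissioner's Office or the Calgary Health Region. The patient records are constructed sample data, the passphrase is a placeholder, and the cipher is a standard-library-only illustration (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag); on a real device you would use full-disk encryption or a vetted cryptographic library rather than this construction.

```python
"""Data minimization plus encryption at rest for a mobile export (added example)."""
import hashlib
import hmac
import json
import os

# Constructed sample database standing in for the program's whole caseload.
DATABASE = [
    {"case_id": 101, "name": "A. Sample", "dob": "2001-02-03",
     "diagnosis": "constructed", "notes": "session notes 1"},
    {"case_id": 102, "name": "B. Sample", "dob": "2002-03-04",
     "diagnosis": "constructed", "notes": "session notes 2"},
    {"case_id": 103, "name": "C. Sample", "dob": "2003-04-05",
     "diagnosis": "constructed", "notes": "session notes 3"},
]


def minimize_export(database, needed_case_ids, needed_fields):
    """Copy only the cases and fields a worker actually needs, not the whole database."""
    wanted = set(needed_case_ids)
    return [{f: rec[f] for f in needed_fields}
            for rec in database if rec["case_id"] in wanted]


def _keys(passphrase, salt):
    # scrypt stretches the passphrase; the 64-byte output is split into an
    # encryption key and a separate MAC key.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode produces the keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(plaintext, passphrase):
    """Encrypt-then-MAC: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unprotect(blob, passphrase):
    """Verify the tag before decrypting; a wrong passphrase or edited file fails closed."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def exposes_plaintext(stored_bytes, markers):
    """Policy-vs-practice audit: which identifiers can be read from the file without any key?"""
    return [m for m in markers if m.encode() in stored_bytes]


def demo():
    # The worker needs one case and three fields, not the entire database.
    export = minimize_export(DATABASE, [102], ["case_id", "name", "notes"])
    raw = json.dumps(export).encode()
    # "Password protection alone": the application asks for a password, but the
    # bytes on disk are the export itself, so anyone with the disk can read them.
    password_gated_file = raw
    encrypted_file = protect(raw, "placeholder-passphrase")
    return {
        "records_copied": len(export),
        "names_visible_password_only": exposes_plaintext(password_gated_file, ["B. Sample"]),
        "names_visible_encrypted": exposes_plaintext(encrypted_file, ["B. Sample"]),
        "roundtrip_ok": json.loads(unprotect(encrypted_file, "placeholder-passphrase")) == export,
    }


if __name__ == "__main__":
    print(demo())
```

The `exposes_plaintext` check is the useful audit step: run it over the files actually present on a program's laptops and it tells you whether the encryption policy is being followed in practice, which is exactly the gap the investigation found.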
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.