GN slow to file privacy breach reports, privacy commissioner says
Nunavut government gave its official response on the privacy breach to the commissioner on Wednesday
Although the Government of Nunavut wrote that it has better security for network sharing, Nunavut’s information and privacy commissioner Graham Steele is still waiting on reports from departments on a widespread privacy breach that was discovered last year. (File photo by Mélanie Ritchot)
Government of Nunavut departments are too slow in assessing whether they suffered a serious privacy breach by the use of an unprotected network drive, says the territory’s information and privacy commissioner.
Graham Steele issued a report in late January about an open network sharing drive used by all GN departments, called the V: drive, that had dozens, if not hundreds, of sensitive files on it. Some of those files included diagnoses, prescriptions and medical photographs.
The V: drive was accessible for “at a minimum, a number of years,” according to the report.
Once departments were notified of the breach last summer, they were asked to complete investigations on whether there had been any privacy breaches while the V: drive was in use. Departments that found breaches were asked to submit reports to Steele.
But only two departments, the Department of Justice and the Department of Economic Development and Transportation, did this work.
Since then, no other departments have sent in a report.
“Not a single one,” he said.
While a department is not legally obligated to file a report unless it finds a privacy breach, Steele said more investigations need to be completed to uncover them. He added that he saw more privacy breaches than what he has received in reports so far.
“I know what was there, and it never should have been on this drive,” Steele said.
The GN gave its official response to Steele’s report, signed by Premier P.J. Akeeagok and Community and Government Services Minister David Joanasie, on Mar. 2.
The response notes the GN has completely removed the V: drive after it was initially decommissioned. The government added a new file-sharing system with more stringent steps to be accessed, such as a two-step password process.
As well, the response mentions the GN is working to follow Steele’s recommendations.
Steele said he is satisfied with the increased security Akeeagok and Joanasie’s response touches on, but he still wants to see reports from departments coming in.
He refers to the Justice Department’s report as proof that promptly completing an investigation is critical.
In his own report, Steele said the Justice Department was taken aback by how many people who had no reason to view sensitive information on the V: drive had done so. That finding never would have been discovered without an investigation.
“There’s no way for a department to know [about the extent of privacy breach] unless they do the legwork,” Steele said.
“It shouldn’t take this long.”
Joanasie was not available to respond to this story by publication and Akeeagok was not immediately available.
Funding is nominal. ATIPP Coordination is three lines on a general policy advisors job description. Barely anyone is adequately trained. In 99% of cases no one will escalate to the Commissioner and the Court, so the Departments can get by with mediocre results. On the flip side, 98% of all ATIPP requests are from crazy people, not journalists or individuals actually looking for government information. It is usually people who have left the Department causing their coworkers a lot of work out of spite. The GN should commit to this or get out of it. As you can see, only 1-2 departments actually manage it whereas the rest, including the high-and-mighty Finance, do not care at all.
You can’t opt out of ATIPP it is a legislated responsibility. That being said I have an acquaintance who was a long-time ATIPP coordinator with the GN, who could corroborate much of what you said. Yes, ATIPP is treated as an afterthought by most GN departments and yes, ATIPP is usually managed off the corner of the desk of some junior policy analyst. And yes ATIPP is usually used punitively by disgruntled ex-employees and wing nut community members as a way to get back at whomever they feel has done them wrong.