In response to recent news of a breach involving a veteran’s medical information, the Privacy Commissioner of Canada has already completed an investigation and announced findings. From the press release:
An investigation has highlighted the serious mishandling of a veteran’s personal information, entrusted to the care of Veterans Affairs Canada, says Privacy Commissioner Jennifer Stoddart. Today she announced her investigation findings and provided more detail about an upcoming audit of the Department.
“What we found in this case was alarming,” says Commissioner Stoddart, who launched the investigation after the veteran complained to her Office.
“The veteran’s sensitive medical and personal information was shared – seemingly with no controls – among departmental officials who had no legitimate need to see it. This personal information subsequently made its way into a ministerial briefing note about the veteran’s advocacy activities. This was entirely inappropriate.”
The investigation confirmed that the Department contravened the Privacy Act in the way it handled this veteran’s personal information. The law requires that personal information be used only for the purposes for which it was collected or for other consistent purposes and that it be shared only on a need-to-know basis.
The investigation confirmed that two ministerial briefing notes about the complainant contained personal information that went far beyond what was necessary for the stated purpose of the briefings. This included sensitive medical information as well as details about how the complainant interacted with the Department as a client and an advocate for veterans.
One of the notes, prepared in March 2006, was to brief the Minister on the complainant’s participation in a Parliament Hill press conference where he was critical of the Department’s handling of veterans’ issues. In addition to describing the complainant’s advocacy activities, the briefing note contained considerable sensitive medical information, including diagnosis, symptoms, prognosis, chronology of interactions with the Department as a client, amounts of financial benefits received, frequency of appointments and recommended treatment plans.
The Privacy Commissioner was also deeply concerned that officials from numerous branches of Veterans Affairs, including Program Policy, Communications and Media Relations, were involved in discussing and contributing to the content of the briefing notes and also had full access to them.
This sensitive personal information was inappropriately shared with departmental officials who would normally require only very limited or no access to medical information in fulfilling their duties. It was clear that many of those officials had no need to know the complainant’s medical information in order to add their contribution to the briefing notes. There was a clear lack of controls to protect sensitive medical information from being widely disseminated within the Department.
The investigation also raised concerns about the fact that the Department sent several large volumes of the complainant’s personal and medical information to a hospital that it administers without obtaining his consent.
In light of her findings, the Privacy Commissioner has recommended that Veterans Affairs Canada:
- Take immediate steps to support an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the Department.
- Revise existing information-management practices and policies to ensure that personal information is shared within the Department on a need-to-know basis only and is appropriately limited to what is necessary to fulfil the operational requirements of its programs. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
- Provide training to employees about appropriate personal information-handling practices.
- Review and comply with its existing policies and procedures concerning hospital referrals to ensure that the consent for the transfer of personal information has been obtained and that the information shared is limited to that which is necessary.
As a result of what was learned during the investigation, as well as information that has come to light through media reports and telephone calls to her Office, the Privacy Commissioner has decided to launch an audit of the Department’s handling of veterans’ personal information.
The scope of the audit and a timeline are still under consideration. Broadly speaking, it will examine the Department’s policies and practices against its federal privacy obligations.
The audit may provide guidance as the Department implements the recommendations stemming from our investigation.
“I would like to thank the veteran who filed this complaint for bringing these important issues to light,” says Commissioner Stoddart. “We also thank the Minister and the Department for their cooperation. We are pleased to hear the Minister say that he is committed to resolving these problems.”
A case summary of the complaint investigation is available on the Office of the Privacy Commissioner’s website, www.priv.gc.ca.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.