SA国际影视传媒


Clock counting down on privacy breach website

A screenshot of infobreach.ca on February 13, 2019. Once the timer runs out, MacDougall says he will use the website to 'tell his story.'

Remember the story about the mysterious website? SA国际影视传媒 spoke with the man behind the about its purpose and what would happen when the clock on the countdown runs out Thursday.

Photo courtesy of Donn MacDougall's Facebook. MacDougall, a former GNWT employee, is pushing for change after an information breach.

Donn MacDougall worked at the Department of Justice as a manager of securities in corporate registries from 2006 to 2014.

But after MacDougall left his position in March 2014 he was still receiving automated emails to his personal email through PeopleSoft, the territorial government's human resources software. Because he was previously a manager with the department, he had access to sensitive information, such as employees' pay raises and time off.

"I've been dealing with this for four years," said MacDougall. "Going back and forth with the GNWT saying why was I given access to this information?"

In late 2017, he filed a complaint with the Information and Privacy Commissioner (IPC) of the Northwest Territories who in turn investigated and made recommendations in .

But last month MacDougall sent postcards to local news outlets directing them to his website, , for what he called a 'case study' for when employees leave and privacy for themselves and their former colleagues and staff. There he had posted screenshots of that sensitive information before the GNWT ordered him to take it down.

"If there's one thing I want to impress on you, it's that there will never be personal information posted on that site again," said MacDougall. He said he only needed to do that once, to prove the breach was real, so the GNWT couldn't claim plausible deniability. For the territorial government their employees' information was confidential, but once they gave him unauthorized access to it, that confidentiality was lost, MacDougall reasoned. And although he was obliged to keep that information confidential during his employment, there is no such requirement for information acquired after it ended, MacDougall explained.

"I've got a story to tell," he said. "And I think that I'm already being taken seriously because I've published what they consider to be sensitive information."

According to MacDougall, the GNWT threatened to sue him for notifying the people whose personal information he accessed. But Martin Goldney, deputy minister of the Department of Justice, clarified the department didn't threaten to sue for disclosing the issue with the software.

"It did seek and obtain an interim order from the Alberta Court of Queen's Bench directing the former employee to refrain from making public by posting online on his website or on any other website, or in any other manner disclosing confidential and personal records or information about individuals that he obtained during or following the termination of his employment with the GNWT," stated Goldney in an email.

The Information and Privacy Commissioner was notified quickly after the department became aware of MacDougall's website.

"The Department of Justice was already working with the Information and Privacy Commissioner in relation to this former employee's unauthorized access prior to the creation of this website, and will continue to work with her office to resolve this issue," Goldney said.

The issue of MacDougall's access to the government's PeopleSoft program was originally identified in 2014, and steps taken at that time were thought to have addressed the issue that later led to his unauthorized access, Goldney explained.

"It was later discovered that this was not the case," he stated.

"In November of 2017, when the Department of Justice became aware that personal information held in PeopleSoft had been accessed without authorization in 2014, our review of this matter indicated that a procedural issue in the off-boarding process had led to this error. A technical solution (a request for a manual override) was ultimately implemented."

The department said it agreed to all the recommendations from the IPC's report and they have been implemented, except the final one.

"The former employee was specifically asked to return the personal information he had accessed without authorization, or to confirm destruction of the information," stated Goldney. "To date, he has refused to do so." The department has applied for an Order from the Alberta Court of Queen's Bench directing him to do so.

 

Privacy breaches in the GNWT

In the GNWT, a breach involving personal information is often referred to as a 'privacy breach', whereas a breach that does not include personal information may be considered an 'information incident', Goldney explained.

"In either case, both refer to an incident that is an unwanted or unexpected event that threatens the privacy and/or security of our information," said Goldney.
Currently, GNWT Information Incident Reporting falls under a government directive and responses to incidents are handled through the Department of Finance, Office of the Chief Information Officer.

The justice department is continuing to work on a GNWT privacy framework and management program, Goldney added.

"The privacy framework for the GNWT consists of an overarching GNWT Protection of Privacy Policy, Guidelines for Privacy Management Programs, dedicated privacy training for staff, and a series of privacy related tools and resources which will include an updated privacy breach reporting protocol," said Goldney.

It is also departmental practice to inform the IPC and those affected when a breach occurs, he said.

"The Department has, on two occasions, initiated contact with individuals when it became aware that their privacy rights were or may have been compromised," stated Goldney. "The first was in 2017 relating to a 2014 unauthorized access. The second was in December 2018 relating to the Infobreach website."

Mandatory breach reporting

Now that MacDougall has used his website to make his case, he wants to work to make sure breaches like this don't happen again. On Thursday at midnight, the counter on his website will run out and a new website with a new purpose will appear.


"What I really want to strongly advocate for is the requirement for mandatory breach reporting in the Northwest Territories," he said.

Mandatory breach notification means when a breach happens, it must be reported to the privacy commissioner's office and in some circumstances, to the individuals involved.

Although the Department of Justice said it is their policy to do this, legally, they have no obligation to do so.

Mandatory breach reporting legislation was introduced in Nunavut in 2015 but not in the Northwest Territories, even though they share the same Information and Privacy Commissioner and had the same Access to Information and Privacy Protection (ATIPP) Act until separation in 1999. : An Act to Amend the ATIPP Act is currently before the legislative assembly and proposes some amendments to the Act in the Northwest Territories.

The amendments include updating the powers of the Information and Privacy Commissioner so she can initiate a review about a privacy breach without receiving a formal complaint and requiring that the head of a public body report back to her office on the implementation of recommendations outlined in a review report.

"It's been a long process and in 2015, when I provided the Department of Justice with my suggestions for specific changes, one of the things I recommended was that there be an inclusion for mandatory breach notification," said Elaine Keenan-Bengts, Information and Privacy Commissioner for the Northwest Territories and Nunavut.

The provision already exists in the NWT's Health Information Act, which saw 33 breach notifications under the act last year.

"Now that sounds like a lot," said Keenan-Bengts. "Most of them were minor, most of them were immediately detected and corrected." A lot of these breaches remained in the healthcare system, for example, between a clinic and the Stanton Territorial Hospital.

But the fact that all breaches are being reported now is a good thing, said Keenan-Bengts.

"Because number one, I know now that they're recognizing breaches when they happen," she said. "I'm not convinced that a lot of public bodies, other than health, even recognize breaches when they happen."

Mandatory breach notification helps these public bodies change processes, procedures and awareness of what constitutes an information breach to help prevent them in the future.

"Once a breach happens you can't undo it," said Keenan-Bengts.

"Once the cat's out of the bag, you can't put it back in. It's even harder to correct a breach once it's happened. But it's about changing the way we do things so it's less likely to happen again. And the more breach reporting is required, the more aware people become of it."

When Nunavut added a breach notification provision to its ATIPP act, it was the first jurisdiction in Canada to do so in general public sector privacy legislation.

But just because the provision exists in law, it doesn't automatically prevent breaches or even make people aware of how to deal with them.

"In Nunavut, I'm still not getting breach notifications," said Keenan-Bengts.

"I'm the one who's finding out about them and taking the public bodies to task for them. They don't know that when a breach happens they have to report it."

Work still needs to be done to educate people about what constitutes a breach and what process should be followed in the event of one.

"Changing legislation without education behind it is not the best way to go," said Keenan-Bengts. "I have been slowly but surely changing that in Nunavut."

Although privacy legislation can be "esoteric stuff sometimes," provisions like this are the way of the future and follow a worldwide trend, said Keenan-Bengts.

"Particularly because governments collect so much personal information, and they have to, that's their job," she said.

"To provide services to the people, they have to collect information. And information has such value these days, it's a commodity. There need to be stronger and more rules in place to control how that's used."

MacDougall echoed that sentiment, especially after 118 confidential medical records were unearthed at the dump in Fort Simpson in December.

"The point is, the GNWT didn't even know enough not to throw people's health information in the dump," said MacDougall.

"The people who are holding information have a duty to protect it. Protect what's private."




