Case Report – BC OIPC says 41 days too long for breach notification

On May 7th, the British Columbia OPIC issued an investigation report in which it held that the Ministry of Health breached the security measures provision of the British Columbia Freedom of Information and Protection of Privacy Act in circumstances involving the loss of an unencrypted magnetic tapes that contained that contained the personal information of British Columbia residents who received health care in New Brunswick.

The tapes were sent pursuant to the provinces’ reciprocal billing agreement and contained the following personal information: gender, personal health number, birth date, fee code for medical service received and the practitioner number of the health care provider. They were mailed on October 3, 2007 and identified as missing October 25th. Notification to individuals and an offer to pay for credit protection services costing up to $200 was sent on December 11th, about a week before the courier company finished its investigation into why the package was lost.

The OPIC held that the Ministry breached the Act in light of the following actions:

  • sending data on unencrypted magnetic tapes (even though the data on the tapes would not be highly accessible given the near-obsolesce of the medium)
  • not requiring the sender to give notification of when the package would be received and not requiring the sender to use a courier with a tracking service (which contributed to the delay in discovering the package had been lost)
  • not instructing the sender to refrain from sending another unencrypted tape while the incident was still under investigation
  • taking 41 days to notify individuals of the breach

The OIPC also held that the Ministry did not follow best practice by only notifying the OIPC shortly before it gave notice to the affected individuals. It expressed a desire to help public bodies develop effective strategies to mitigate the risk of harm flowing from data breaches.

Investigation Report F08-02, 2008 CanLII 21699 (BC I.P.C.).

One thought on “Case Report – BC OIPC says 41 days too long for breach notification

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.