On Tuesday, the Information and Privacy Commissioner/Ontario issued her report on the Elections Ontario data breach – a breach involving the loss of two USB keys containing the unencrypted personal information of between 1.4 and 2.4 million electors. There are a number of relevant technical findings in the report, but overall the Commissioner used the occasion to send a message about the need for a well-functioning internal responsibility system.
The internal responsibility system concept is well known to health and safety practitioners. An IRS is a system of accountability within an organization in which all individuals – from executives, to middle management, to supervisors, to workers – have an assigned responsibility for addressing occupational hazards. Ryerson University Professor Peter Strahlendorf illustrates how an IRS works by reference to the causal analysis that is conducted after a workplace accident:
If a worker makes a mistake and causes an accident, we can see how very often there was a prior failure of a supervisor to train, coach, observe, job plan, motivate, and so on. So, if the supervisor can be said to have caused the accident in part, then we can see that frequently the manager did not properly select and train the supervisor, or did not develop programs needed by the supervisor, or did not properly allocate resources or staff the workplace.
Where the direct causes of an accident involve unsafe conditions, tools, machines, processes and structures, we can often bypass the worker and supervisor in our causal analysis and see the failure of the mid-level to senior manager to properly apply design standards or allocate resources.
Managers cause accidents; they just cause them in different ways than workers and supervisors. However many layers there are in an organization we can see a causal connection back to the accident. Presidents cause accidents. They can fail to lead, to set policy, to ensure a proper delegation of authority, to inspire a proper safety culture, to design a workable organizational structure or to allocate resources.
The striking feature of most Canadian privacy statutes is that they do not assign duties throughout an organizational hierarchy. Unlike health and safety statutes, privacy statutes typically impose duties on organizations themselves or on the “heads” of organizations, but do not impose legal duties on the employees and others who actually handle personal information. The imposition of statutory legal duties on employees and agents is more common in Canadian health privacy legislation, but the duties imposed are very general.
The Commissioner measured Elections Ontario against Ontario’s provincial public sector privacy statute – the Freedom of Information and Protection of Privacy Act. FIPPA features a data security provision typical of Canadian privacy legislation: “Every head shall ensure that reasonable measures to prevent unauthorized access to records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.” It’s up to the head – most often a cabinet minister or board chair – to determine what duties to assign to whom, to assign the duties and to enforce the duties, all without the backing of statute. As Elections Ontario might illustrate, this is a difficult task that should not be taken lightly.
The Commissioner’s Elections Ontario report describes a total failure of internal responsibility. Workers failed to follow the identified protocol for data handling. The two supervisors on the privacy-sensitive project regularly worked at a different building than the workers handling the data. Middle management appointed two supervisors who were not competent to deal with data protection; one apparently thought encryption involved zipping and password protecting files. Senior management put in place a policy framework that the Commissioner said included significant flaws. She also suggested that senior management, after the matter was escalated, failed in providing the leadership necessary to muster an appropriate breach response and remedial plan. There were enough problems in the Commissioner’s eyes to justify a bottom-to-top flogging.
The problem with privacy legislation is that it seems to suggest that data protection is easy. If data protection were easy enough to be handled by a single accountable person, we would never have data breaches. In reality, data protection is complex. It involves risks that need to be managed through a coordinated bottom-to-top effort, and in particular through the competent supervision of the individuals who handle the data.
The consequences of failure are frightening. The Commissioner’s report must be terribly painful to Elections Ontario and its management, and will serve as a handy road map for prosecution in the now-commenced class proceeding.