Debates of May 30, 2022 (day 114)

Date: May 30, 2022
Session: 19th Assembly, 2nd Session
Day: 114
Members Present: Hon. Diane Archie, Hon. Frederick Blake Jr., Mr. Bonnetrouge, Hon. Paulie Chinna, Ms. Cleveland, Hon. C. Cochrane, Mr. Edjericon, Hon. Julie Green, Mr. Johnson, Ms. Martselos, Ms. Nokleby, Mr. O'Reilly, Ms. Semmler, Hon. R.J. Simpson, Mr. Rocky Simpson, Hon. Shane Thompson, Hon. Caroline Wawzonek, Ms. Weyallon-Armstrong.
Topics: Statements

Committee Report 30-19(2): Report on the Review of the 2020-2021 Annual Report of the Information and Privacy Commissioner

Mr. Speaker, your Standing Committee on Government Operations is pleased to provide its report on the review of the 2021 Annual Report of the Information and Privacy Commissioner, and commends it to the House.

The Standing Committee on Government Operations has reviewed the 2020-2021 Annual Report of the Information and Privacy Commissioner. The Access to Information and Protection of Privacy Act and the Health Information Act require the IPC to prepare an annual report. The report includes information on the number of files the IPC opens to review complaints. It can also include recommendations. The Speaker tables the report in the Legislative Assembly. Once tabled, the committee reviews the report.

As part of the review, the Information and Privacy Commissioner, Mr. Andrew Fox, appeared before committee on February 10, 2022. The committee appreciated his detailed testimony on the state of access to information and privacy protection in the territory. The committee hopes the IPC’s annual reports will include more statistics on the files he reviews and investigates.

Enhanced reporting will help establish trends on why complaints and breaches arise, which public bodies they come from, and whether they are dealt with in a timely manner.

This report presents four recommendations to address the surging number of reviews within the Government’s access and privacy regime. The committee is pleased to submit these recommendations to the Government of the Northwest Territories and looks forward to their implementation.

I will now pass it on to the MLA for Kam Lake.

Speaker: MR. SPEAKER

Thank you, Member for Yellowknife North. Member for Kam Lake.

Thank you, Mr. Speaker.

The IPC can open a file to review and investigate:

GNWT decisions on access to information requests;

Privacy complaints of improper collection, use, or disclosure of personal or health information;

Privacy breach complaints; and

Any matter relating to the application of ATIPPA or HIA, whether or not an individual requested a review.

The IPC can also open a file to comment on the access and privacy implications of proposed legislation, policies, or programs.

Over the past 10 years, the number of files opened by the IPC has grown substantially. The number of files opened increased sixfold from 2011-2012 (27 files) to 2020-2021 (162 files). Much of the growth comes from files opened under the Health Information Act, which came into force in 2015-2016.

The growing number of files is not inherently bad. Recent IPC annual reports identify potential reasons driving the trend. The Health Information Act’s coming into force increased the scope of privacy rights and responsibilities. The public’s exercise of the right to access government information may be increasing. Similarly, the public may be more aware and protective of their personal privacy. Public bodies may also have become more aware of privacy issues and better at reporting privacy breaches. However, the high number of files is fiscally costly.

In the past 10 years, the IPC has had to spend more to keep up with the surging workload. Spending has increased by an order of magnitude from $90,000 in 2011-2012 to $547,000 in 2020-2021. Public bodies also incur costs to comply with ATIPPA and HIA. It is unclear how much the GNWT spends to comply and how that has changed over time. The government’s activity reports on administering ATIPPA, which the GNWT has not published since 2016, do not report on costs.

In his appearance before committee, the IPC explained that "upstream" investments in the access and privacy regime can reduce "downstream" costs associated with access complaints and privacy breaches. As he put it more succinctly, public bodies must choose between a small expense now or a larger expense later.

"Upstream" measures address the reasons individuals request reviews of access decisions and public bodies breach personal information. Some examples include:

Making more government records available by default.

Training employees on the proper collection, use, and disclosure of personal information.

Procuring technology for better records management; and

Implementing administrative safeguards to protect personal information.

In fact, the IPC highlighted the early success of one such "upstream" measure. Since March 2021, the government has centralized some access to information functions at the new Access and Privacy Office. The IPC credited the APO’s trained staff and centralized approach with promising early results. He has observed a slight decrease in the number of review requests and, as of February 2022, zero "deemed refusals" on APO files.

More "upstream" measures are needed. Committee is making four recommendations to that effect. The recommendations address persistent gaps in the access and privacy regime, raised by the IPC, that lead to complaints and privacy breaches. They also reinforce accountability for past committee recommendations that the Government has not implemented adequately.

Mr. Speaker, I will now pass this over to the Member for Thebacha. Thank you.

Speaker: MR. SPEAKER

Thank you, Member for Kam Lake. Member for Thebacha.

Thank you, Mr. Speaker.

The IPC’s annual report identifies staff who are under-resourced, under-trained in or unaware of privacy policies as a frequent cause of privacy breaches. When he investigates breaches, the IPC frequently recommends comprehensive and regular training. He also recommends the broader publication of relevant policies.

However, there is no government-wide policy to ensure all employees receive proper training on the collection, use, and disclosure of personal information.

The issue is so important that it was the focus of the IPC’s one recommendation in his appearance before committee. He said: I would urge all public bodies and health information custodians to ensure that new employees are given the appropriate training early on, both in protection of privacy and access to information, and that all employees should be given regular refreshers of that.

Committee wholeheartedly endorses the IPC’s recommendation. While there are costs involved with training, the costs of not training are greater: Reviews of access decisions, privacy breaches, breach investigations, and ultimately reduced public faith in government.

Therefore, the Standing Committee on Government Operations recommends:

That the Government of the Northwest Territories, in consultation with the Information and Privacy Commissioner, and by April 1, 2023, establish a government-wide policy that ensures all employees receive appropriate training on the collection, use, and disclosure of personal information. The policy should ensure that new employees receive training early on and all employees receive regular refreshers.

The committee further recommends that the Government emphasize Indigenous recruitment and retention to fill access and privacy positions.

I will now pass this over to the Member for Inuvik Twin Lakes. Thank you, Mr. Speaker.

Speaker: MR. SPEAKER

Thank you, Member for Thebacha. Member for Inuvik Twin Lakes.

Thank you, Mr. Speaker.

The IPC’s annual report drew attention to the role of mobile handheld devices in several privacy breaches.

Review Report 20242 investigated one such breach. An education official recorded a video, using a personal mobile device, of a teacher and students. The official uploaded the video to a government server that others could access, ostensibly for training purposes. The official did not seek or obtain consent from anyone in the video.

The IPC identified a key factor in this breach: "The absence of any policy direction for the use of such personal devices in the workplace."

Existing policy direction on mobile handheld devices is limited and outdated. The Mobile Handheld Device Policy contains only one provision that touches on personal privacy: To prohibit taking pictures of people without permission. The Employee Code of Conduct says even less. Its provisions on the "use of government equipment and property" are silent on protecting personal privacy. The Code was last updated in March 2008.

The IPC’s annual report recommends "clear policy guidance" for employees on the proper use of mobile handheld devices. Committee agrees. This work is urgent given the ubiquity of these devices and the high risk for breaches of sensitive personal information. Therefore, the Standing Committee on Government Operations recommends:

That the Department of Finance, in consultation with the Information and Privacy Commissioner, and by April 1, 2023, update policies governing the use of mobile handheld devices by the public service, including:

The Mobile Handheld Devices Policy, to expand the policy provisions for "proper use" to address all the ways a user can collect, use, or disclose personal information with a device;

The Employee Code of Conduct, to introduce provisions to protect personal privacy regarding the "use of government equipment and property"; and

New policy guidance, to address the use of personal devices and email to conduct government business.

The Department of Finance should supplement these policies with easily accessible guidance documents on how the device should and should not be used.

In October 2020, committee recommended that the GNWT "develop and implement a plan for ending the use of fax machines in the Health and Social Services sector." The GNWT supported this recommendation and indicated that it was preparing a plan to reduce faxing. However, despite this commitment to reduce faxing, privacy breaches persist. As stated in the IPC’s annual report: "Mistakes related to the use of fax machines continue to generate reports resulting in the unlawful disclosure of personal health information." He added that a concerning number of the 66 privacy breach notifications related to HIA in 2020-2021 implicated fax machines. The IPC felt the need to reiterate his office’s longstanding advice: "Health information custodians should stop using fax machines to transmit personal health information."

The IPC and committee have already been unambiguous on the need to eliminate faxing. Committee therefore seeks to reinforce accountability surrounding the GNWT’s plan to reduce faxing and recommends:

That the Government of the Northwest Territories provide an update on its plan to reduce the use of faxing across the Health and Social Services system, including:

Metrics on reductions in the use of faxing achieved so far;

The targets and associated timelines for future reductions; and, if faxing cannot or will not be eliminated,

An explanation on why the use of fax cannot or will not be eliminated, and what measures the department is taking to mitigate the risk of data breaches arising from misaddressed documents.

Mr. Speaker, I ask that you now redirect it back to Member for Yellowknife North. Thank you.

Speaker: MR. SPEAKER

Thank you, Member for Inuvik Twin Lakes. Member for Yellowknife North.

In October 2020, the committee recommended a GNWT update on work to standardize Access by Design principles when designing government records and communications. Access by Design advances that government-held records should be available to the public by default, with limited and specific exceptions.

There are many benefits to the proactive disclosure and active dissemination of government-held records. Residents would not need to make any special requests for information. Public bodies could have fewer access to information requests to answer. This would save time and costs. Ultimately, residents would be more empowered to hold the government accountable, and the government would be more accessible and transparent.

In February 2021, the GNWT indicated that it supports the Access by Design principle. The GNWT also reported that it was planning to ask all public bodies to conduct a "comprehensive review of their records." The review would establish categories of records that can be routinely disclosed and proactively made available to the public.

This review appears to be an effort to comply with section 72(1) of the recently amended ATIPP Act. The changes to the ATIPP Act came into effect in July 2021. The status of this review is unclear.

The Standing Committee on Government Operations believes expanded proactive disclosure of the government-held records is long overdue, and therefore recommends:

That the Government of the Northwest Territories provide an update on complying with section 72(1) of the Access to Information and Protection of Privacy Act, which requires the head of a public body to establish and publish categories of records to be made available to the public without a request for access. The update should include a summary of the progress achieved so far and the timelines for full compliance at each public body.

This concludes the Standing Committee on Government Operations Report on the Review of the 2020-2021 Annual Report of the Information and Privacy Commissioner. The committee looks forward to the government’s response to these recommendations.

The Standing Committee on Government Operations recommends that the Government of the Northwest Territories provide a response to this report within 120 days.

Speaker: MR. SPEAKER

Thank you, Member for Yellowknife North. Reports of standing and special committees. Member for Yellowknife North.

Mr. Speaker, I move, seconded by the Member for Thebacha, that Committee Report 30-19(2): Standing Committee on Government Operations report on the review of the 2020-2021 Annual Report of the Information and Privacy Commissioner be received by the Assembly and referred to the committee as a whole. Thank you, Mr. Speaker.

Speaker: MR. SPEAKER

Thank you, Member for Yellowknife North. Motion is in order. To the motion?

Speaker: SOME HON. MEMBERS

Question.

Speaker: MR. SPEAKER

Question has been called. All those in favour? All those opposed? Any abstentions? The motion is carried.

Carried

The report of the review of the 2020-2021 Annual Report of the Information and Privacy Commissioner will be moved into Committee of the Whole.