The NWT’s information and privacy commissioner had harsh words for the Department of Justice in an annual report released on Monday.
Elaine Keenan Bengts' report to the Legislative Assembly stated the government was moving too slowly to update the Access to Information and Protection of Privacy Act.
The report also highlighted the frequency with which public bodies did not follow recommendations of the commissioner’s office, the many privacy issues the City of Yellowknife has “stumble[d] and trip[ped] awkwardly in,” and the reporting of privacy breaches as required by the Health Information Act.
The commissioner’s office completed 18 review reports over the 2017-18 fiscal year and opened 53 files under the Act (down from 61 in the previous year).
Fifteen of this year’s files fell under requests for review regarding access to information, while there were nine review requests relating to privacy issues.
ATIPP Act revisions
More than two years ago, the justice department conducted public consultations reviewing the Act, but Keenan Bengts says that – aside from an update last spring about “some of the likely directions that the department would be taking in its legislative proposal” – she had “heard virtually nothing since that time.”
“While I understand that the wheels of government grind slowly and that the Department of Justice has been pre-occupied with developing legislation to deal with the upcoming legalization of cannabis, it is disheartening that it is taking so long to address this important piece of legislation,” she wrote.
“The Northwest Territories is now the last Canadian jurisdiction, but for Nunavut, to modernize its first-generation access and privacy legislation."
Keenan Bengts goes on to say she has seen “a marked decrease in the willingness of public bodies to uphold [the spirit and intention of the Act].”
As her office only provides recommendations that public bodies are not legally required to follow, she says they can too easily avoid accountability.
She advocates for a system like that found in Newfoundland and Labrador, where the onus remains on the public body to ask the court for an allowance to disregard the request.
Currently, in the NWT, the person who filed the ATIPP request can request a review by the commissioner if they deem the response received unsatisfactory.
The commissioner will try to resolve the issue informally or through a review process and, if the applicant is still not satisfied with the commission’s report and the public body’s response to the report, they are responsible for the costs, time, and appeal to the territory’s supreme court.
Privacy issues plague City
Keenan Bengts also drew attention to the many privacy issues plaguing the City of Yellowknife over the past year, from a possible email theft shared with local media to allegations that a senior employee was misusing City cameras to watch women.
“This is not the first time I have offered to work with the City on privacy concerns. The non-response has, however, been consistent,” she charged.
In the 20 years Keenan Bengts has been in the position, she says she has repeated her suggestion almost yearly that municipalities be included as public bodies under the Act.
“The Northwest Territories is now the only remaining Canadian jurisdiction in which municipal governments will not be required to meet minimum access to information and protection of privacy standards,” she wrote.
Breaches in health information
Keenan Bengts took aim at the Health Information Act, pointing out that many breaches involved misdirected faxes or unencrypted emails.
“I simply cannot understand the apparent reluctance of the health sector to adopt the better technology,” she said.
Yet she pointed to an increase in the number of files opened in regards to the Health Act as a “positive development” – noting they handled 33 files this year in comparison to just eight files last year – as it means people handling the information “are beginning to pay more attention to their responsibilities surrounding the collection, use and disclosure of personal health information.”
Twenty-two of the breach notifications flagged by the Department of Health and Social Services relate to a section of the Act which states individuals must be notified if their health information is used incorrectly, lost or stolen, or disposed of without authorization.
“In the case of most of the breach notifications, the breaches were relatively minor and corrected almost immediately,” she said, and as such there were no review reports issued this year.
Keenan Bengts also noted there has been little progress made to ensure the public has a say in who can access their health information.
She explained that while system-wide standards, policies, and procedures were issued in May 2017, they do not appear to be publicly available yet. She called for better public consultation regarding policies that directly affect the public.
On October 29, the same day the annual report was presented to the legislature, Bill 29: An Act to Amend the Access to Information and Protection of Privacy Act was read for the first time.