For years, some GNWT staff could access colleagues’ sensitive records
Incorrect settings allowed some NWT government employees years of access to private information about their colleagues, the territory’s privacy watchdog says.
Information and privacy commissioner Andrew Fox said unsecured digital folders at the Department of Infrastructure went unnoticed from 2017 to 2020 before anyone took action.
In that time, 7,000 records “were accessed inappropriately” by GNWT workers. Of those, 1,200 records contained at least some personal information relating to a total of more than 300 people.
That information included basics like names and addresses but also the “educational history, employment status and history, medical history and personal opinions” of some staff, Fox wrote.
The commissioner’s findings are contained in a report, dated November 2022, that was published online earlier this week.
The Department of Finance experienced a similar breach at roughly the same time, exposing more than 3,000 files that should have been in a folder open only to people with clearance.
The file system used by the GNWT – the Digital Integrated Information Management System, or DIIMS – does have features that allow staff to easily secure folders containing sensitive information.
“Merely having an information management system with those features does not satisfy the obligation to make reasonable security arrangements,” Fox concluded, referring to privacy and data protection legislation. “The obligation requires the public body to implement, maintain and update the security features as required.”
He said the Department of Infrastructure’s investigation into the size of its breach, which took more than a year (partly because of other factors, such as the Covid-19 pandemic), had required a five-person team and hundreds of staff hours.
“Institutionally, this privacy breach event has been a very significant and expensive event,” Fox wrote.
In a statement, the Department of Infrastructure said it “takes the protection and proper use of personal information very seriously” and had taken additional steps to improve file protection since the breach was reported.
The Department of Finance, in a separate statement, said it would respond to Fox outlining “areas where the department is working to make improvements.”
Employee ‘forwarded hundreds of emails’
DIIMS is not new technology, though it still hasn’t been rolled out across the entire territorial government.
The Department of Infrastructure has used DIIMS since 2012. While the Department of Finance began using DIIMS in 2015, the department said on Thursday that implementation across all of its divisions was “still in progress.” The rollout is also not yet complete at Health and Social Services or Education, Culture and Employment.
The breach at Infrastructure first came to light in August 2019, when an employee reported a folder where personal records were “accessible to a broad range of the department’s employees,” in Fox’s words.
While the department could find no evidence of unauthorized access to that folder, a second unsecured folder turned up in February 2020. That time, using DIIMS’ internal audit tools, staff discovered many thousands of records had been accessed by people who shouldn’t have been able to see them.
Even the subject lines of some records contained personal information, meaning users didn’t have to open a file for a privacy breach to have occurred.
From November 2017 to February 2020, anyone in the department could have viewed any of the personal files. In the spring of 2021, 330 people were told their information had been compromised.
To make matters worse, Fox said one employee – remarkably, the same employee who first reported an unsecured folder in 2019 – had forwarded more than 200 emails from an unsecured folder to their personal account, and also apparently forwarded some of the documents to their lawyer.
That individual, who was not named in Fox’s report, “has not confirmed if these records were destroyed,” the commissioner wrote.
“This issue is apparently part of ongoing litigation and will, presumably, be resolved in that process,” he added.
How departments responded
At the Department of Finance, an employee discovered a folder in February 2020 containing “emails between different levels of management regarding potentially sensitive employment issues of certain employees.”
Fox said the department blamed “a former director who left the organization in the fall of 2019.” Individuals affected by that breach were notified in August 2020.
The commissioner’s report appeared critical of the Department of Finance in places.
For example, Fox wrote that the department had “made no commitments regarding training for employees either in regard to proper use of DIIMS, in regard to privacy protection generally, or in regard to responding properly to privacy breaches.”
He also said his office had received no reply from the department between August 2020 and May 2021, and then again between May 2021 and November 2021.
In a statement to Cabin Radio, the Department of Finance said it agreed with recommendations made by Fox in his report.
The department said staff receive three to six hours of training on DIIMS, including how to set file permissions, and a “records management overview module” is required for all new GNWT employees.
Additional training is offered twice monthly if staff “would like a refresher,” the statement continued. The department noted that employees sign a code of conduct and oath of confidentiality on joining the GNWT that should also govern how they behave regarding others’ personal data, though Fox said the breaking of privacy rules by some staff was “reasonably predictable.”
The Department of Infrastructure set out many of the same training steps but added that it has “taken additional steps to raise awareness internally regarding the proper use of DIIMS, including the distribution of educational materials to all Infrastructure employees regarding the appropriate use of DIIMS, adequate permissions, and proper protection of personal and confidential information.”
The department said Infrastructure senior managers had also directed all employees to take training related to access to information, protection of privacy, and information security awareness, “with follow-up required to senior management.”
Fox concluded that taking more steps to ensure employees manage data carefully will ultimately save time and money, even if governments find doing so difficult.
Using the example of the Department of Infrastructure’s lengthy and expensive investigation, Fox wrote: “The effort and expense required for the response to the breach could have been avoided by taking the proper steps at the outset.”