The NWT privacy commissioner says a child and youth care counsellor acted unlawfully when they opened an unsecured social work file and added notes.
In a recently released report reviewing the privacy breach, Andrew Fox said the NWT Health and Social Services Authority did not notify him of the incident until 18 months after it became aware of what happened.
He identified several gaps in the authority’s privacy measures.
According to the report, the counsellor – who is no longer employed in the role – was temporarily using an office normally occupied by the social services worker in Fort Liard on June 25, 2021, when they discovered one of the social worker’s files in an unlocked desk. The counsellor opened the file, reviewed its contents, then added notes and opinions, in some cases disagreeing with the social worker.
Fox said the individual referenced in the file was also one of the counsellor’s clients, but they had not consented to having their personal health information shared with the counsellor.
Advertisement.
Advertisement.
“This is behaviour that can seriously undermine the ability of counsellors to help people,” Fox wrote of the counsellor’s actions.
“Counselling requires trust: clients must feel safe to share their difficult personal information, trusting that the information will not be disclosed further. Trust requires substantial, reliable protection of personal privacy in the counselling relationship.”
Three days later, the counsellor gave the file to the administrative assistant for filing. That same day, the assistant contacted the social worker, who was not working at the time, to tell them what had happened.
‘Grossly ignorant of the laws’
The health authority said the counsellor had received privacy training less than a year before the incident, but Fox said their actions demonstrated a lack of understanding of privacy protection.
Advertisement.
Advertisement.
“Just reading the file was unlawful, but to review it in detail and write commentary about purported errors in the social worker’s notes suggests that the counsellor was either grossly ignorant of the laws governing health information custodians in the management of client records, or the counsellor had no respect at all for client privacy,” Fox wrote, adding that as the counsellor did not try to hide what they had done, they likely did not understand it was unlawful.
Fox added that the health authority had said the counsellor was “not initially qualified for the role.” He said employing unqualified people in such positions “poses an unreasonably heightened security risk regarding the protection of personal information.”
When the social worker returned to the office on July 13, 2021, they removed the altered notes from the file and replaced them with copies of the original documents.
‘A serious oversight’
Eight days later, the social worker submitted an incident report regarding the privacy breach, as advised by the regional manager of child and family services.
Fox said the breach could have been avoided if the social worker had properly secured the file or if a child and family services official had completed a search of the desk before allowing the counsellor to use it. When not in use, he said, client files were normally stored in a secure file area.
“The counsellor’s actions were possible only because the social worker left the file unsecured and available for others to view,” Fox wrote.
He added there was “no doubt” this was unintentional on the part of the social worker, but said it was still “a serious oversight.”
How the health authority responded
Shortly following the breach, the report states the child and family services regional manager ordered a lockable filing cabinet for the Fort Liard office, which Fox called “a clear improvement.”
Advertisement.
Advertisement.
The health authority said privacy principles were reviewed with both the social worker and the counsellor.
The counsellor additionally underwent a disciplinary process “due to multiple performance issues.” They subsequently resigned.
Fox said the incident highlighted the need for an organization-wide procedure on managing paper records rather than the existing “patchwork” within the health and social services authority, or NTHSSA.
“Paper records continue to be used widely throughout NTHSSA,” he wrote, “and having written guidelines or procedures to direct all employees how to manage and secure paper records could help prevent future privacy breaches like the one under review.”
Late notification
The health authority did not notify Fox of the breach until January 26, 2023, 18 months after it had learned what happened. Shortly after that, the authority notified the individual whose private information has been accessed.
The health authority attributed the reporting delay to staff turnover affecting its internal investigation of the breach.
Fox said, however, that the Health Information Act requires health information custodians to report privacy breaches once they become aware of them, not after a full internal investigation has been completed.
Fox highlighted issues with a health department policy that permits notification once a breach has occurred but only requires notification once a full investigation has been completed. He has previously recommended that the policy be changed.
Advertisement.
Advertisement.
“Investigations can take months, sometimes many months, even if the circumstances of the breach are simple and straightforward. If notice is not provided for months, there is little or nothing an affected individual can do to mitigate the effects of the breach,” he wrote.
Fox recommended that the health authority develop a directive requiring employees to report breaches as soon as possible after they have occurred. He said the authority should also speak with the health department about amending its notification policy.
Fox further recommended that the health authority review privacy training materials to ensure employees are made aware of relevant policies, procedures and guidelines. He said the authority should ensure employees that handle personal health information are provided appropriate work facilities with safeguards to protect that information.
