Do you rely on Cabin Radio? Help us keep our journalism available to everyone.

Advertisement.

Five takeaways from the NWT privacy commissioner’s annual report

The Office of the Information and Privacy Commissioner
The Office of the Information and Privacy Commissioner. Sarah Pruys/Cabin Radio

In his latest annual report, the NWT’s information and privacy commissioner is raising concerns about the territory’s response to information requests and some privacy breaches.

The Legislative Assembly released commissioner Andrew Fox’s report for the 2025-26 fiscal year on Tuesday.

The report details work within Fox’s office between April 1, 2025 and March 31, 2026 and includes eight recommendations to the territorial government to enhance access to information and protection of privacy.

Fox also noted some improvements in how public bodies in the territory are identifying and responding to privacy issues.

Here are five key highlights from the report.

Advertisement.

Advertisement.

1. Some privacy breach notices are causing more harm than good

Under the territorial Health Information Act, the NWT Health and Social Services Authority is required to notify anyone affected by a privacy breach.

Fox said in the past year, his office had gotten numerous emails and phone calls from people who had received notice from the health authority that their private information was breached.

Many of those notices provided few details, he said, leaving those affected “uninformed and thus confused about the circumstances of the privacy breach” and how they should respond.

Faced with a vacuum of information, Fox said people often worried about ‘worst-case scenarios’ involving their medical history being deliberately accessed.

Advertisement.

Advertisement.

“The reaction may be somewhat alarmist, but it is nevertheless understandable,” he wrote.

Fox said privacy breach notices should include all available relevant information about how a breach occurred, what information was involved, and what is being done to mitigate any harm. He believes providing that information would “increase public confidence that breaches are taken seriously and addressed.”

2. Intentional privacy breaches are up but expected to drop

One bright spot in Fox’s report relates to the health and social services department and three authorities’ efforts to identify and discourage privacy breaches.

For the past three years, he said the department and authorities have been conducting monthly audits of the territory’s electronic medical record system to identify possible “unauthorized access events,” also known as snooping.

Fox said while intentional privacy breaches are rare, his office received an increase in reports of such breaches in the past year with seven reports in 2025-26 compared to five in 2024-25, four in 2023-24, and one in 2022-23.

He said those included a report of a lab assistant checking their child’s test results, a clinic assistant unlawfully accessing 23 patients’ records, and a temporary employee viewing 372 patients’ records.

Fox said he expects the number of intentional privacy breaches will decrease in future years as auditing efforts are “producing results.”

“Health authorities are taking disciplinary measures when unauthorized access is discovered,” he wrote. “As employees realize they will be discovered and disciplined for such behaviour, the number of these cases may be expected to drop.”

Advertisement.

Advertisement.

Still, Fox found there is currently a delay of six to nine months between when an electronic medical record is accessed and when a department employee reviews an audit to determine if there were any instances of snooping. He said that review is then sent to the head offices of the health authorities who send the information on to employees tasked with investigating possible privacy breaches, which could lead to delays.

For example Fox noted that had the clinic assistant’s unauthorized access been identified nine months earlier, it could have prevented subsequent breaches of patient records.

The commissioner recommended that the health department and authorities dedicate adequate resources to ensure audits are completed in a timely manner.

3. The health authority is struggling to complete breach investigations in a timely manner

Fox found the NWT Health and Social Services Authority is facing delays investigating, notifying affected individuals, and completing reports on privacy breaches.

He said notification delays can “frustrate the efforts of affected individuals to mitigate their own harms,” while investigative delays can result in evidence being lost, faded memories, and make it harder to locate witnesses.

Fox gave the example of a case in which a binder containing the information of 38 child and family services clients was left in a rental unit in a community. He said the mystery of who placed the records in the binder and why is still unsolved due to a “delayed and cursory investigation.” He said it also took the health authority more than a year to notify those affected.

“A timely investigation might have identified what happened, the underlying causes, and preventative measures,” Fox wrote.

He said part of the issue is that, while the health authority has a privacy unit staffed with trained privacy specialists, much of the authority’s privacy breach investigation work is delegated to unit managers. He said those managers may have little training in investigating privacy breaches or time to complete them as they have other responsibilities that take priority.

Advertisement.

Advertisement.

Fox recommended that the Legislative Assembly “encourage public bodies to develop a cohort of trained employees to investigate privacy breaches,” and ensure they have resources to properly conduct those investigations.

4. Nearly 70 percent of information request responses are late

Fox noted continued delays in public bodies’ responses to access to information requests. He said between September 2025 and May 2026, 68 percent of requests received a late response.

In his 2024-25 annual report, Fox said 60 percent of responses to access to information requests were late up from 50 percent in 2022.

“Access to information and protection of privacy are fundamental to a functional democracy. People need to be able to find out what their government is doing on their behalf; governments must protect individuals’ personal information,” he wrote.

Fox said the issue is largely due to persistent understaffing of the Access to Information and Privacy Office, a concern he has voiced for several years.

The commissioner noted the Legislative Assembly recently approved an additional $739,000 in funding for the office and said he was “cautiously optimistic” it would lead to improvements.

Minister Caroline Wawzonek told the legislature the funding would come with five additional positions to “support workload pressures and service delivery.” She said timelines for responding to access to information requests are legislated so “there is an expectation” that they will be met.

5. Some education bodies aren’t meeting access requirements

Fox said education councils in particular have struggled to meet their legislated obligations when they receive access to information requests due to issues including poor records management and a lack of training.

Advertisement.

Advertisement.

He said in one case a public body stored records “somewhat haphazardly,” with employees using their personal devices and email accounts for work. He said the public body ultimately hired a law firm to help respond to an information request. In another case he said a public body did not respond to an access to information request and had no intention of doing so.

“Training staff and appropriate records management systems are essential to meeting a public body’s obligations, including education bodies,” Fox wrote.

He recommended that the education department help education councils and authorities to develop the capacity needed to meet obligations under the Access to Information and Protection of Privacy Act.

Faxes, labour investigations and local housing authorities

Another finding in Fox’s latest report is that local housing authorities are uncertain whether they are subject to territorial or federal privacy legislation. He recommended that cabinet consider adding local housing authorities as public bodies under territorial regulations.

Fox said the health authority has increased its threshold for reporting privacy breaches to his office, from all breaches to only those that pose “a reasonable risk of harm,” as required under legislation. The authority is still required to report all privacy breaches to affected individuals regardless of the risk of harm.

The commissioner added while the use of faxes continues to lead to privacy breaches, health authority privacy staff are encouraging the use of secure file transfers and electronic medical records linking whenever possible. He said it appears that may be helping as his office has received fewer reports of fax breaches.

Fox further noted his office heard concerns from witnesses in workplace investigations who believed their evidence would never be disclosed to the subject of those investigations. He said witnesses should “not be surprised” by the way an employer collects or discloses information and that public bodies conducting workplace investigations should ensure witnesses are aware information they provide could be disclosed under access to information laws.