South of the border, U.S. president Donald Trump is facing a barrage of mockery for the fact that his proposed border wall is “
On Tuesday, Catherine Tully, Nova Scotia’s information and privacy commissioner, released her report into the massive data breach of the province’s Freedom of Information web portal, which revealed that the leak was far more damaging than first reported, and included not just social insurance numbers, but also “extremely sensitive personal information” such as medical information and reports of child abuse.
The government’s blasé attitude to securing this sensitive data was pretty galling, even by Nova Scotian standards. The report tells a story of repeated warnings ignored or kicked down the road, including from the information and privacy commissioner herself, who specifically flagged the possibility that users of the website might be able to access unauthorized documents back in December 2017. The government treated legally mandated privacy and security assessments as little more than a box to check, copying and pasting information from the vendor’s own promotional documents rather than carrying out its own analysis. The report points to the government’s “comfortable vendor relationship” with Unisys as having led to complacency, and a failure to rigorously assess the risks associated with the project.
The report, and an accompanying letter which the information and privacy commissioner sent to the premier, include a number of common-sense recommendations for updating the Freedom of Information and Protection of Privacy Act, including stronger requirements for privacy impact assessments, and enhanced powers for the commissioner. But while the government claims to be taking these seriously, many of these same recommendations were made by Tully’s office back in June 2017. Indeed, the idea of giving the commissioner order-making power goes back to a Liberal Party campaign promise from 2013!
The report raises issues beyond those Tully focuses on. For example, the chummy relationship between Unisys and the government leads to questions about the procurement process by which government contracts are awarded and the need for better transparency and open contracting policies. Similarly, we’ve never received a satisfactory answer as to why the initial messaging was that the government had been hacked, when the truth was that the government had left these files sitting on the open web. Tully does not fault the police in their response, though it is worth noting that, six months later, the “perpetrator” still hasn’t been given back his computer. Still, while the information commissioner’s recommendations won’t solve every problem, they are at least a good start.
Nova Scotia’s Freedom of Information and Protection of Privacy Act was passed 25 years ago, when grunge was king and the commercial internet had just been introduced. Much has changed since then, but Nova Scotia’s approach to data protection remains stuck in the 20th century. While it’s tempting to call this a wake-up call, the information and privacy commissioner—and civil society voices—have been sounding the alarm on these problems for years. Premier McNeil’s government needs to stop pressing the snooze button.