Thank you, Mr. Speaker.
Update policies on mobile handheld devices
The IPC's annual report drew attention to the role of mobile handheld devices in several privacy breaches.
Review Report 20-242 investigated one such breach. An education official recorded a video, using a personal mobile device, of a teacher and students. The official uploaded the video to a government server that others could access, ostensibly for training purposes. The official did not seek or obtain consent from anyone in the video.
The IPC identified a key factor in this breach: "The absence of any policy direction for the use of such personal devices in the workplace."
Existing policy direction on mobile handheld devices is limited and outdated. The Mobile Handheld Device Policy contains only one provision that touches on personal privacy: To prohibit taking pictures of people without permission. The Employee Code of Conduct says even less. Its provisions on the "use of government equipment and property" are silent on protecting personal privacy. The Code was last updated in March 2008.
The IPC's annual report recommends "clear policy guidance" for employees on the proper use of mobile handheld devices. Committee agrees. This work is urgent given the ubiquity of these devices and the high risk for breaches of sensitive personal information. Therefore, the Standing Committee on Government Operations recommends:
Recommendation 2: That the Department of Finance, in consultation with the Information and Privacy Commissioner, and by April 1, 2023, update policies governing the use of mobile handheld devices by the public service, including:
- The Mobile Handheld Devices Policy, to expand the policy provisions for "proper use" to address all the ways a user can collect, use, or disclose personal information with a device;.
- The Employee Code of Conduct, to introduce provisions to protect personal privacy regarding the "use of government equipment and property"; and.
- New policy guidance, to address the use of personal devices and email to conduct government business.
The Department of Finance should supplement these policies with easily accessible guidance documents on how the device should and should not be used.
Eliminate faxing
In October 2020, committee recommended that the GNWT "develop and implement a plan for ending the use of fax machines in the Health and Social Services sector." The GNWT supported this recommendation and indicated that it was preparing a plan to reduce faxing. However, despite this commitment to reduce faxing, privacy breaches persist. As stated in the IPC's annual report: "Mistakes related to the use of fax machines continue to generate reports resulting in the unlawful disclosure of personal health information." He added that a concerning number of the 66 privacy breach notifications related to HIA in 2020-2021 implicated fax machines. The IPC felt the need to reiterate his office's long-standing advice: "Health information custodians should stop using fax machines to transmit personal health information."
The IPC and committee have already been unambiguous on the need to eliminate faxing. Committee therefore seeks to reinforce accountability surrounding the GNWT's plan to reduce faxing and recommends:
Recommendation 3
That the Government of the Northwest Territories provide an update on its plan to reduce the use of faxing across the Health and Social Services system, including:
- Metrics on reductions in the use of faxing achieved so far;
- The targets and associated timelines for future reductions; and, if faxing cannot or will not be eliminated,
- An explanation on why the use of fax cannot or will not be eliminated, and what measures the department is taking to mitigate the risk of data breaches arising from misaddressed documents.
Mr. Speaker, I ask that you now redirect it back to Member for Yellowknife North. Thank you.