N.S. must identify, mitigate risks of digital health records, warns commissioner
Privacy commissioner Catherine Tully says government has not consulted with her office on possible pitfalls
The Nova Scotia government is pushing ahead with plans to create a "one person, one record" system for every Nova Scotian who seeks medical help, but it has not sought the expertise of the information and privacy commissioner to help design the digital record-keeping system.
The commissioner, Catherine Tully, was asked about the system during an appearance Wednesday before the legislature's public accounts committee.
"We're aware of it, we've asked questions about it, but we haven't been consulted on it, no," said Tully in response to a question from NDP MLA Susan Leblanc.
Tully was testifying before the all-party committee about the province's largest privacy breach last spring when a 19-year-old man was able to download more than 7,000 pages of material from the government's online access to information portal.
She released a report last month that was highly critical of how the government handled the design and launch of the portal, saying there was a "serious failure of due diligence" that led to multiple breaches.
The commissioner also implored the committee to advocate on her behalf to modernize the province's Freedom of Information and Protection of Privacy Act, which she called outdated and not up to the task of protecting Nova Scotians.
'We have concerns'
Leblanc said during the committee meeting that the public has a "healthy amount of concern" about a digital health-record system "especially given that we're going down the road to that very private information being online."
Speaking later to reporters, Tully said her office met Tuesday with officials involved in the project to try to get a better understanding of it.
"We have asked questions about it and we will be following up," she said. "We have concerns about how this system is designed and we want to make sure that the proper steps are taken."
Tully said she would like to see the provincial government conduct a privacy impact assessment and reassess every step of the way to completion of the project.
"They need to identify risks. They need to mitigate those risks. They need to circle back and make sure that privacy is protected."
Health Department responds
The government is under no obligation to consult with Tully's office about the system — something she would like to see changed.
"For serious systems that involve sensitive personal information — particularly large systems or systems that are connecting databases together — those are the kinds of things that I would expect to be consulted about," she said.
A spokesperson for the Health Department said in an email the department takes the "protection of information seriously," adding that "experts in privacy, access and security have been involved" behind the scenes.
"The department has met twice with the Office of the Information and Privacy Commissioner," Tracy Barron wrote. "We have started monthly meetings with them to share information and be a forum for common interest items like digital health systems."
A director with the commissioner's office confirmed the meetings, but said the information provided was "very high level" and it has not yet been given any details about a privacy analysis.