N.S. government acknowledges system failed to protect privacy of 10,000 people
Province blames old website which was not maintained and 'needed to be shut down'
A CBC News Freedom of Information and Protection of Privacy (FOIPOP) request has revealed previously unreleased information about a major privacy breach where the personal information of more than 10,000 Nova Scotians was published online in error earlier this year.
The breach occurred in May when decisions rendered by the Workers' Compensation Appeal Tribunal (WCAT) were posted online with the names of the workers and employers included.
The decisions included very personal employee information about family members, sexual abuse, and mental health issues, including one man's thoughts of killing his co-workers. The decisions were uploaded to a site called the Canadian Legal Information Institute (CanLII), which is used for legal research and where courts and quasi-judicial bodies routinely post decisions.
A government spokesperson said they are following protocol and have notified the affected people. However, the government has not disclosed how many were notified and what form the notification has taken. The spokesperson also said they have met with other departments to understand what went wrong and prevent it from happening in the future.
CBC first learned of the error on May 12 after being alerted to it by an audience member. We contacted the government to ask for details and the story was published on May 13.
At that time, WCAT, through the Department of Justice, would not disclose how many people were impacted or how the mistake was made.
However, documents provided as a result of our request say that of the 10,000 cases that were posted, only 550 were accessed by the public. One email said the decisions were stored on a Department of Labour database and blames "Labour IT" for the error.
How did it happen?
In a May 12 email to another government employee, Sandy MacIntosh, WCAT's chief appeal commissioner, wrote: "This went live yesterday and I found out last evening that names of workers and employers were included (we had discussed this with Labour IT ahead of time and were told that the database sent to CanLII did not include names)."
However, since those emails were written more than four months ago, the WCAT has completed a preliminary investigation and posted the findings on its website. Its explanation of what happened says: "The breach occurred when these pre-2010 decisions were transferred from a government-maintained public website to CanLII."
"The old government website used software which was not maintained, or used by WCAT or Nova Scotia Digital Service and needed to be shut down," it said.
It said the names were redacted when the decisions were published on the Nova Scotia government site, but not when they were sent to CanLII.
"While there were safeguards in place for the transfer to protect privacy, these failed. The Tribunal accepts that these safeguards were inadequate. We are taking measures to ensure this will not happen again," the update said.
Halifax privacy lawyer David Fraser said the update should provide more information.
"People want to understand how could this have happened, what happened, what information was disclosed, who had access to it and then really at the end of the day, what measures have been put in place in order to prevent it from happening again?" he said.
Questions remain
"Relatively broad statements like the ones we've seen really don't get to the heart of that and I would imagine anyone who was the subject of this breach would find it empty and unsatisfying," said Fraser.
Fraser said he's heard from one person who was notified about this breach by the province, but they had several decisions from the tribunal and the notification did not say which or how many of the decisions were published in error.
The decisions were from a long time ago and the person hadn't kept a copy, so they still don't know what personal information was disclosed. Fraser said that caused even more stress, which could have been alleviated if they were also provided with a copy of what had been published.
The 24-page response to the CBC request through the FOIPOP includes "urgent" discussions to get the unredacted decisions taken down.
While the Personal Health Information Act requires people to be notified when the privacy of their health information has been breached, Nova Scotia's Freedom of Information and Protection of Privacy Act does not require people who are affected by a government privacy breach to be notified.
Fraser said Nova Scotia is one of the few places in the world where there is no legal requirement to notify those people. He said many updated privacy laws elsewhere in North America require not only notification, but a list of what must be included in the notification.
Emails reveal concern about legal action
Still, the documents show the government was trying to determine how to notify people whose private information was posted.
MacIntosh, WCAT's chief appeal commissioner, said he was in contact with Morneau Shepell, which its website describes as "a leading provider of technology-enabled HR services." They discussed contacting only the 550 people whose cases were accessed by the public.
MacIntosh said there were two options: to have Morneau Shepell notify people by phone using an experienced counsellor with training on the breaches, or to have WCAT notify people of the breach and provide information on Morneau Shepell's counselling services.
The first would cost an estimated $100,000 and MacIntosh suggests the cost would be half that because of the age of some of the decisions. The latter would cost $20,000, although MacIntosh was concerned there wasn't enough staff to make the calls.
"We will not be able to get current telephone numbers for all 550 in any event given these are records from 1996-2009," MacIntosh said in another email.
A procurement authorization for notification expenses is included in the documents.
"To mitigate any psychological harm which may be caused by the breach, we would like to offer psychological services to those who identify as having an adverse reaction to the breach. This could also mitigate damages should there be legal ... in relation to the breach," the document said.
MacIntosh notes "WCAT expenditures do not appear on the Provinces' Consolidated Budget as its expenses are fully recovered from the WCB Accident Fund."
WCAT is following the province's privacy breach protocol, which includes notifying those affected and investigating the cause, according to Department of Justice spokesperson Heather Fairbairn.
She said WCAT has met with other government departments to better understand the issue and put measures in place to ensure this will not occur again. She did not specify what those measures are.