Privacy watchdog says B.C. must share privacy breach details

Elizabeth Denham said in a report released Wednesday that she’s concerned her office is largely left out of the loop when it comes to receiving government reports of privacy data breaches.

Denham said she remains confident British Columbians will learn about cyber attacks or other incidents involving breaches of sensitive government information, but recent reporting numbers indicate the need for openness improvements.

She said of approximately 2,700 documented incidents of privacy breaches from April 2010 to December 2013, notice of only one per cent of the breaches were received at the Office of the Information and Privacy Commissioner.

The statistics were part of Denham’s 60-page report, An Examination of B.C. Government’s Privacy Breach Management, that concluded the government reporting of violations or suspected breaches must get better.

“Our office needs to be informed of a greater number of these privacy breaches, because right now we’ve only heard about one per cent of them,” said Denham. “So, what I’ve said in my report is the government needs to raise the threshold of when to report to my office.”

Denham’s report said 83 per cent of actual breaches across government and agencies involve personal information of government clients, including double-stuffing envelopes and other administrative errors involving one person, but the privacy commissioner’s office would rather hear about every incident than only a few.

The report also said less than one per cent of the data breaches involved cyber attacks of data systems through “malicious code, hacking or phishing.”

Denham’s report did not elaborate on the hacking breaches.

“I hope that they would tell us if personal information was affected by cybercrime, by cyberhacking, by the installation of malicious code or software,” she said. “However, the underreporting we’ve shone the light on in this report gives me some concern.”

Denham said she wants the government to increase its reporting threshold of data breaches to her office. She said she is also considering recommending changes to the Freedom of Information and Protection of Privacy Act to notify individuals and her office when significant privacy breaches occur.

Technology, Innovation and Citizens’ Services Minister Amrik Virk could not be immediately reached for comment.