Nova Scotia’s 25-year-old privacy law is not up to the task of protecting personal information held by the provincial government.
Catherine Tully, the province’s information and privacy commissioner, told the legislature’s public accounts committee Wednesday that Nova Scotians can expect more breaches of their personal information until and unless the provincial government gets with the program of modern privacy protection in the digital age.
Her warnings are not new. Tully wrote an extensive report two years ago which basically gave the province a step-by-step plan to bring Nova Scotia’s Freedom of Information and Protection of Privacy (FOIPOP) law into the 21st century.
And that may be part of the problem. While the province seems amenable to improving its digital security, the Liberal government has no interest in Tully’s other recommendations to improve access to public information, nor is it willing to grant the commissioner the powers she says her office needs to be more effective.
Chief among those is the power to order the government to comply with her rulings. Currently, she only has the power to recommend action, and the government has amassed an unenviable record of ignoring her recommendations.
Nova Scotia’s Freedom of Information and Protection of Privacy Act (FOIPOP) came into effect in 1993, and to underscore how technology has rendered that law obsolete, Tully reminded the committee that neither Google nor Facebook existed at the time.
“Indeed, Nova Scotia’s privacy laws lack virtually all of the essential modern privacy protections found in other Canadian jurisdictions,” Tully wrote in that two-year-old report.
Wednesday’s meeting was about last year’s breach of the Freedom of Information Access site, which resulted in unauthorized access to thousands of files, including highly personal information, in at least two separate incidents.
Both Auditor General Michael Pickup and Tully determined that the breach resulted, not from inappropriate action or “hacking” from the outside, but from lax security inside the government.
There was a rush on in the government to get the Freedom of Information Access portal up and running, and security concerns were either dismissed or government employees blindly trusted the software vendor’s word that security measures were adequate. The government did not test the security of the site, despite plans to store highly personal information there.
There was — and may still be — a culture in provincial government circles that de-emphasizes security and dismisses privacy concerns as a barrier to getting the job done.
That culture needs to be turned on its head, so that the protection of Nova Scotians’ personal information is built in at every step of an IT project. The broad principles and basic elements required to keep personal information secure need to be enshrined in law to elevate their importance and to provide consequences for those who fail in their duty to protect Nova Scotians’ privacy.
Despite the ongoing risks to Nova Scotians’ private information, the province has no plans currently to modernize either the privacy or the public access provisions of the FOIPOP law.
Yarmouth MLA and Education Minister Zach Churchill dropped into the committee just for this meeting, apparently with a zany plan to discredit the commissioner’s recommendation that the government should release the details of its deal with Bay Ferries to operate the Yarmouth ferry.
Churchill seemed to be suggesting that the commissioner doesn’t have the expertise to determine whether the release of those details could have negative economic consequences for the province or place the company at a competitive disadvantage.
Tully schooled Churchill on the FOIPOP Act, which clearly places the burden of proof on the government to show why it is withholding information, and in the case of the Yarmouth Ferry, the province provided no proof of negative economic consequences or competitive harm. The provincial government supported its decision to withhold the deal’s details with vague assertions.
Churchill’s opprobrium was misdirected. It’s not the commissioner’s job to make or unmake the case for economic considerations, it’s the government’s. And if the government is unable to effectively make the case, the information is subject to public release.
The province will get a second chance to make that case, this time before a Supreme Court judge, who will apply the same test Tully did, so the province is going to need to up its game if it hopes to keep those details hidden from public view.