Alberta, Canada is updating its books so that the breach of medical information is disclosed ASAP. The original legislation had a number of good points although it didn’t include a mandate for the use of medical encryption software for laptops used by health information custodians. On the other hand, the Information Privacy commissioner does require it for devices that store personal and sensitive information, so it’s a moot point.
A data breach last fall highlighted further problems, prompting the legislative change.
Breach Remains Under Wraps for Months
Alberta suffered its largest health information data breach to date on September 2013. Over 620,000 people were affected. The breached healthcare organization learned of the mishap right away and duly contacted the Information and Privacy commissioner. And there the story ended until January of this year, when the Health Minister’s office was contacted and it went public with the news.
The controversy over the three-month-long delay revealed that the Alberta Health Information Act proved an impediment to the Information Privacy commissioner because it treats “private-sector companies and health providers very differently” and prohibits the commissioner “from disclosing a breach to anyone, or forcing the offending organization to disclose it.”
The updated law strikes out this obstruction; however, it is not without its own downsides and has raised concerns.
Use of Encryption Mandated
It’s been a while since I’ve read any Canadian information security law, and what I’ve read wasn’t comprehensive by any means – there’s just too much out there, with each Canadian province and territory having its own set of laws. So how do I know that the use of laptop encryption is mandated by the Alberta Information Privacy commissioner?
Well, I ran into this site at the University of Alberta that deals with “encryption myths and realities.” According to the page,
The Alberta Office of the Information and Privacy Commissioner and information management legislation such as FOIP, do require information custodians to adequately protect personally identifying information. The privacy commissioner specifically mandates laptop encryption for custodians of personal and sensitive information. [ualbertablog.ca]
This law is quite unique. Legislation that I’ve come across (and I’ve read a lot of them despite my status of non-lawyer) does not mandate the use of encryption on specific devices. Some legislation require the use of encryption to protect data in general; others contort words so that encrypted data is protected from legal penalties and fines (but does not directly mandate the use of encryption).
This brings up a very interesting question: when people don’t follow the law in those regions where laptop encryption is specifically required, what chance do other regions have?
Related Articles and Sites: