Nova Scotia is missing core privacy protections

Not sure about the lupins.

Public information is supposed to be public, and private information about the public shouldn’t be shared indiscriminately. Those are both axioms better in theory than practice. Nova Scotia has traditionally fared poorly where Freedom of Information is concerned, but some daylight is shining through.


Today the FOIPOP review office released its first annual report since Catherine Tully took over as review officer last fall. There’s both good news and bad.

Processing times and fees for FOIPOP requests are increasing while the proportion of information fully disclosed to the public drops. There has been a lack of oversight in several key areas, and Nova Scotia is missing “essential modern protections” in privacy legislation.


But let’s talk about the good news. Tully and her office have been successful in reducing Nova Scotia’s five-year backlog of case files. Since she started in September, the review office closed twice as many files as the same period in 2013. And that’s with a “substantial increase” of new files coming in.

The full report can be read online, but let’s check out some of the highlights.

”I am concerned that significant work is required to ensure that Nova Scotia’s access to information regime remains meaningful and effective. I believe that public bodies and municipalities in particular must implement more meaningful privacy management strategies and that several core changes need to be made to our access and privacy laws to ensure that they remain effective in the digital age.” —Catherine Tully

Progress is slowly being made
Last year, the FOIPOP review office resolved 163 case files (out of a backlog of 223). That’s more than double the work done in 2013. They’ve been able to clean out nearly all the backlogged cases from 2009 through to 2011, and that’s with the case load rising 28 percent last year.

But there’s still a ton of new files being created
There were 626 new cases just last year. That’s a dramatic increase compared to the 192 new files received in 2013. The first three months of 2015 have seen an “extraordinary” 69 reviews already submitted (more than double previous years). It’s likely one reason processing times have—despite the office’s best efforts—been increasing. Tully writes that the bulk of the new review cases comes from two new Personal Health Information Act requirements to report minor privacy breaches and disclosures without consent to researchers.

click to enlarge

Privacy breaches are happening unchecked
Tully was “very surprised” to discover that—as a general rule—public bodies, municipalities and health custodians do not regularly report serious privacy breaches to the review office. Nova Scotia law only requires reporting minor breaches in health privacy, where “there is no potential for harm or embarrassment to the individual.”


In 2014, there were 338 of those minor breaches. Almost half of them involved information being sent in error to the wrong doctor. Other causes include mis-filing, failure to adequately secure data and sending information to the wrong patient. Generally, the individual who incorrectly received the information immediately reported the error.

From January 1, 2014 to March 31, 2015 there were only nine major breaches reported, and none from any government department.

But all those numbers could be wrong
In terms of privacy breaches, we don’t really know anything. One former provincial health authority reported a total of 167 minor privacy breaches. Another reported zero. Only five breaches were reported by private practices, despite mandatory reporting requirements for Nova Scotia’s 26,000 health practitioners. Basically, it’s all over the map. Tully and her team are going to be analyzing the data for accuracy, and educating private medical offices about their obligation to report breaches.

There was previously no case management system
The province’s review office was heretofore using nine different databases for case management. Most calculations in the annual reports were, consequently, done manually. The mistakes that caused is one reason That's in addition to irregularities in government accounting of FOIPOPs, which has meant the most current statistics available for who’s filing FOIPOP requests is from all the way back in 2012. As of April, the review office at least has installed a new case management system to more accurately track times and outcomes. The office—and The Coast—are still waiting on those government statistics.

More information online equals fewer FOIPOPs needed
One way to reduce review cases would be to reduce overall FOIPOP submissions. The review office wants to accomplish this goal by having the government put more information online—easily accessible without special request. 



“A healthy, well-functioning access to information process would mean that very few access to information requests are made because essential information is readily available,” Tully writes.

The formal process would still remain as a “safety net.” Everything posted publicly would, of course, need to be well-indexed and easily searchable. Otherwise, the reader gets lost in their search and public bodies could just hide information in plain site.

Nova Scotia is missing some core privacy protections
Quite a few important protections found in other Canadian jurisdictions are missing in this province, such as requiring individuals to be informed when a privacy breach puts them at risk of harm. Tully also wants to see legislation in Nova Scotia requiring individuals to be provided with notice for any direct collection of personal information by the government, and the requirement for an independent review of any major data sharing projects for their potential privacy impact. Also, she notes police and municipalities currently are subject to privacy rules but not subject to independent oversight by the review office. “This is a significant shortcoming and one that should be remedied.”

Anything else to be worried about?
Plenty! Tully highlights several areas of concern for Nova Scotians in 2015. Chief among them are police surveillance databases that gather information about all citizens, “law abiding or not.” Tully also cautions about Nova Scotia’s “very active” development and use of big data analytics, as compiled by universities as well as private institutes.


“Organizations generally are collecting vast amounts of data about us,” Tully writes. “Algorithms will predict everything from our trustworthiness to our preference for peanut butter cookies. But what are the implications for privacy? We must develop and adopt new privacy rules to take into account the new challenges posed by this new technology.”


click to enlarge