Monday, June 28, 2010

Mandatory Disclosures of Privacy Breaches in Saskatchewan

This headline popped up in my Star Phoenix news feed the other day:

"Province Ponders Revealing Privacy Breaches"

I quote, from the article:
"The issue here is this is people's private information," said NDP house leader Kevin Yates. "When your private information has been given to a third party, people have a right to know that, not only the individual but the public also has a right to know that if their information guarded by SGI . . . or held by any agency is allowed to be made public. That is of concern to everybody."
Kudos, Kevin Yates and everyone who agrees with this idea! Citizens should absolutely have a right to know about when their private data has been accidentally distributed to third parties.

To those of you who are on the fence: other organizations know a lot about you. Saskatchewan Health Region knows your health, the U of S knows your academic record, the Government knows your name, address, and SIN number. The fact that organizations are not legally obliged to disclose privacy breaches is crazy!

Here's an even better idea. What if the law required organizations to notify citizens of ANY time their personal information is disclosed (en masse) by any organization. This would mean that any time your information is lost, leaked, sold, accessed or otherwise distributed, you know about it. Let's assume there's a fair use exception, like if a contractor needs to let a subcontractor know your address for work you've hired the contractor to do.

There would be two immediate benefits to this system: For one, citizens have the benefit of knowing who is holding their private information. Secondly, if violators faced significant fines, organizations would have to tighten their control of private data - especially in Regina, where medical records have been found blowing around on the street.

On the scale of confidential, need-to-know, and right-to-know, I'd argue that when your personal information is involved, notification of privacy breaches should be a right.