Health Minister Terry Lake has released the following statement on the report released today by privacy commissioner Elizabeth Denham:

"I thank privacy commissioner Elizabeth Denham and her staff for the report released today regarding the Ministry of Health's data security, as well as the three specific instances of unauthorized data access that warranted public notification earlier this year."

"As Minister of Health, I take the responsibility to safeguard British Columbians' personal health information very seriously. The ministry will be accepting and implementing all of the commissioner's 11 recommendations.

"While there are a number of issues the commissioner has raised in this report, I am pleased to see that she did recognize the Ministry of Health has made a number of significant improvements over the past year.

"Late last year, we engaged the firm Deloitte to do a review of ministry data security practices. Much of what the commissioner suggests matches the 10 recommendations from Deloitte's review. We also have accepted Deloitte's recommendations in full, and have already acted on a number of them. A copy of Deloitte's report is now available on our website at: www.health.gov.bc.ca/cpa/mediasite/pdf/deloitte-report.pdf

"We have been keeping the commissioner's office fully informed about our data-privacy investigation from the beginning and have followed her advice in respect to public notification. We will continue to work closely with her office on this matter."

A backgrounder follows.

Contact:

Ryan Jabs
Media Relations Manager
Ministry of Health
250 952-1887 (media line)

BACKGROUNDER

Ministry accepts all recommendations from Deloitte report

In September 2012, the Ministry of Health announced an internal investigation related to allegations of inappropriate conduct, contracting and data-management practices involving ministry employees and drug researchers.

In January, the ministry gave an update into that investigation, and information about three instances where personal health data was accessed for research purposes without ministry authorization.

To improve how data in the ministry is handled and accessed, the ministry hired the private consulting firm Deloitte to review our internal data security systems to ensure effective privacy and security measures. Deloitte has now delivered its final report and the ministry is accepting all of its 10 recommendations.

Work that is already underway or completed includes:

• More than 280 managers and executives at the ministry have completed mandatory privacy and data security training;

• All of the ministry's divisions have reviewed and inventoried sensitive data and how it is secured and protected.

• The ministry has improved its data warehousing system; the system now allows logging and enhanced tracking which employees are accessing which data.

In the next few months, the ministry will be working on or completing the following work, as recommended by Deloitte:

• More ministry employees will soon undergo the enhanced privacy and data security training, on top of training already required for all public servants.

• Access to older, outmoded software used to work with data has been severely restricted. This software is in the process of being replaced with more modern, more secure programs.

• The ministry is developing easy-to-understand reference guides and other materials for staff on data security and privacy.

• The ministry has developed a list of opportunities to increase our data security, and is tackling the projects on the list over the next several months.

• Some of the larger projects may take up to two years to fully complete.

The Deloitte report can be found at: www.health.gov.bc.ca/cpa/mediasite/pdf/deloitte-report.pdf

Ryan Jabs
Media Relations Manager
Ministry of Health
250 952-1887 (media line)