VICTORIA - In response to the Information and Privacy Commissioner’s report into the sharing of personal information as part of the draft multicultural strategic outreach plan, Minister of Technology, Innovation and Citizens’ Services Andrew Wilkinson issued the following statement:

“The government of British Columbia thanks the Information and Privacy Commissioner for the work she and her staff have put into this investigation.

“While the report did not find any evidence that government staff carried out activities that resulted in the unauthorized disclosure of personal information, government is accepting the recommendations directed to it, and we have identified ways to address them.

“Public servants in British Columbia have a duty to ensure security and protection of personal information. It is important they know their responsibility to keep personal information obtained in their duties as government employees separate from the personal information obtained through their personal lives, whether political or otherwise.

“We are always looking for ways to strengthen our policies and guidance, and your recommendations will help us to do so. We will look to strengthen the policies necessary and extend and enhance our training provisions to help ensure our responsibilities are met.

“These recommendations complement the recommendations made in the government’s review of this matter, and they will help guide us as we further strengthen our information management and protection of privacy.

“We have taken a number of steps in the past months to strengthen our policy and guidelines and enhance our training to ensure these responsibilities and duties are clearly understood and are part of the culture in government.”

A backgrounder follows.

Contact:

Jason Macnaughton
Communications Director
Ministry Technology, Innovation and Citizens’ Services
Phone: 250 387-3134

BACKGROUNDER

Recommendations and responses

OIPC Recommendation 1
Government should provide training for its employees regarding the use of personal email accounts for government business in order to ensure that reasonable security measures are in place to protect personal information, and that personal information is not stored or disclosed outside of Canada.

Government Response: Agree
Government provides policy, guidelines and training for staff on the appropriate use of government email and technology resources for government business, as well as on the importance of protecting personal information and maintaining appropriate records in compliance with legislation.

Government’s core policy manual states that improper use of technology may jeopardize the confidentiality, integrity and availability of government's information and technology assets, and may put personal information protection, security or service levels at risk.

The Office of the Chief Information Officer is in the process of updating Chapter 12 (IM/IT Management) of the Core Policy and Procedures Manual to more clearly articulate the policy regarding use of personal email for government business. The OCIO has also added use of personal email to the mandatory privacy and information sharing training it provides.

Mandatory training on records management and on Freedom of Information and Protection of Privacy has been provided to government management staff and will continue to be provided to ensure high levels of awareness and compliance.

In the past month, further mandatory training has also been provided to staff in ministers’ offices to ensure they understand and are able to execute their responsibilities.

OIPC Recommendation 2
Government should ensure that copies of all records created by its employees that relate to government business are located in government controlled information management systems.

Government Response: Agree
Government core policy states that government must appropriately provide access to, manage, preserve and dispose of its records in compliance with the Document Disposal Act, the Freedom of Information and Protection of Privacy Act, and other relevant legislation, policies and standards, in order to:

• Ensure government accountability.

• Provide evidence of its activities and organizational structure.

• Document its responsibilities, rights and entitlements.

• Preserve records of enduring value.

Government is always looking for opportunities to improve, enhance and clarify policy and guidelines, and will work to strengthen and reinforce the importance of this requirement through internal communications.

OIPC Recommendation 3
Government should provide its employees with sufficient technological resources to ensure that they do not have a reason to use personal email accounts in the performance of their government duties.

Government Response: Agree
Government provides employees with the tools they need to do their jobs. More and more employees are mobile and need the ability to access their work files remotely.

Proper use of these technologies assists in the daily management of information, saves time and money, reduces administrative overhead and improves service delivery. The technologies include, but are not limited to, information systems, services (e.g., web services; messaging services); computers (e.g., hardware, software); and telecommunications networks and associated assets.

Improper use may jeopardize the confidentiality, integrity and availability of government's information and technology assets, and may put personal information protection, security or service levels at risk. Users must not transmit or otherwise expose sensitive or personal information to the internet. Government provides secure channels for them to conduct government business.

Policy is currently being updated to clarify appropriate use of government assets and secure channels. Ongoing communication and training will ensure that staff are aware of and know how to access this policy.

Government will continue to assess what improvements can be made to support staff in their mobile role.

OIPC Recommendation 4
Government should ensure that employees with roles that are closely tied to the governing party participate in mandatory privacy training sessions regarding the need to keep personal information obtained in their government role separate from personal information obtained in any role they might have with the political party.

Government Response: Agree
Standards of conduct and government technology agreements are received and signed by every employee at the outset of their employment. Privacy, information management and FOIPPA training are provided to government staff.

In the past month, mandatory training has been provided to staff in ministers’ offices as part of their orientation to ensure they understand and appreciate their responsibilities under the Freedom of Information and Protection of Privacy Act, as well on the imperative of protecting and preserving the confidentiality of government information.

This training will continue as often as necessary to ensure staff are up to date and high levels of awareness are sustained.

OIPC Recommendation 5
The Liberal Party should ensure that employees and volunteers who also have roles within government participate in mandatory privacy training sessions regarding the need to keep personal information obtained in their Liberal Party role separate from personal information obtained in their government role.

Government Response: Agree
The government recognizes that this recommendation is directed at the BC Liberal party, and government does not direct or manage the employees or volunteers of private entities.

The OCIO does provide privacy training upon request to organizations that are covered by the Personal Information Protection Act (PIPA), and could provide training that aligns with the training it provides government employees with a particular emphasis on the separation of roles.

Contact:

Jason Macnaughton
Communications Director
Ministry Technology, Innovation and Citizens’ Services
Phone: 250 387-3134