Auditor General, Privacy Commissioner Blast Province Over Privacy Breach

Posted on Tuesday, January 15, 2019 16:24 PM

Nova Scotia's auditor general served up harsh criticism for the Nova Scotia government.

After a nine month investigation into the breach of the province's Freedom of Information website, Michael Pickup presented his findings.

He says signficant weaknesses in the risk management and proccesses used to test the FOI website led to the privacy breach in April 2018.

"Appropriate processes were not followed and as a rseult it was not, in fact, surprising that a breach occurred," says Pickup.

Despite many warning signs Pickup says the Department of Internal Services considered the entire project low risk.

The auditor general made five recommendations to government, including conducting risk assessments before going forward with IT projects.

The province has accepted his recommendations.

The province's information and privacy commissioner also blasted the provincial government for their role in the data breach in the Freedom of Information website last spring.

In a joint press conference with the auditor general, Catherine Tully told press the breach was due to a cultural problem within the Department of Internal Services.

She too conducted her own investigation.

Tully explains some of the attitudes she encountered during interviews with employees.

"One witness said he was mocked for raising privacy concerns, another individual said 'I would do it all the same again,'" says Tully. "This tells me there is a cultural problem.

Tully says at least two members of the public accessed highly sensitive materials and that the system was vulnerable for over a year.

Some of that information was downloaded to a personal computer and has still not been recovered.

The website was used by citizens, journalists, activists, and political groups to access government information normally withheld from the public.

Over 7,000 documents, including some containing information on people accessing the website, were breached last year.

Tully highlighted the experience of one person she spoke to who filed a Freedom of Information request involving child protective services.

Their child's birthday, address, and school's address were all vulnerable due to the breach.

Going forward, Tully says she's worried, as it's clear the Department of Internal Affairs launched their website without truly testing it.

She has sent a letter to the Premier, Justice Minister Mark Furey, and Minister of Municipal Affairs Chuck Porter, once again calling on government to modernize its privacy laws.

Meanwhile, the official opposition is calling for the Minister of Internal Services' resignation.

The Progressive Conservatives called for her resignation when the breach was revealed in April 2018.

Critic Chris d'Entremont says with the filing of the auditor general's and privacy commissioner's reports, it's apparent Patricia Arab must now resign.

"These reports are an embarrassing litany of failure," d'Entremont said. "The Liberal government has failed to do the bare minimum to make sure personal information contained on the Freedom of Information Access website was secure."

Lisa Roberts, the NDP critic for Internal Services, says the breach was entirely preventable and that it was government inaction that led to people's private information being put at risk.

The NDP say many of the issues were flagged in a set of recommendations from the privacy commissioner in June 2017.

"The Liberal government was advised to take action, they failed to do so, and people's private information was put at risk as a result," says Roberts.

Story by Brittany Wentzell
Twitter: @BrittWentzell
Email: [email protected]