The Yukon’s information and privacy commissioner has serious concerns about the government’s ongoing review of the territory’s access-to-information and protection of privacy legislation.
Diane McLeod-McKay is worried the government may be looking to create a centralized database for all the information that government departments gather about Yukon residents, which she believes could threaten people’s privacy.
“What I’m not in support of is the wholesale transfer of information to one database for all of government, because that would create a significant risk to privacy,” she said during a news conference on Jan. 12. “A bunch of different employees would have access to information that they don’t need to do their job.”
Based on the size of the Yukon government, McLeod-McKay estimates that a quarter of the territory’s population would have access to everybody’s information if that kind of database were created.
She also said that keeping all that information in one place could create a security risk. She referred to an incident in 2015 when the B.C. government lost a hard drive with millions of students’ education records.
“When you start compiling information into one location, there are a number of risks that could come from it, including loss of information.”
The Yukon government released a damning review of the ATIPP Act in December, which concluded that it’s difficult for people to access their own personal information using the current system, or to know which government departments have information about them.
The review does not make recommendations for changes to the act, and does not mention a centralized database. But a number of comments from the public included in the report suggest that the government should share more information between departments.
“As long as the information is secure and protected, it should be shared for the sake of efficiency,” one person wrote.
McLeod-McKay said it would be reasonable to create a central contact database that would include people’s names, addresses, home phone numbers and other basic personal information. That would allow people to update their contact information more easily, without having to go through each individual department.
The current ATIPP Act doesn’t allow for the creation of a contact database, she said.
“So I think the act can be improved to allow some changes to service delivery that would actually facilitate something like that. And most other jurisdictions have done that.”
But she said that contact database shouldn’t include other personal information, like health records.
She said the government is trying to move ahead with a new service delivery model, which could be why it wants to break down barriers to the sharing of information.
However, “the barriers that are often talked about are in fact people’s rights (to privacy).”
Overall, McLeod-McKay said, the ATIPP Act is “a good piece of legislation,” and changes to the act “should be relatively small.”
David Downing, the director of corporate information management with the ATIPP office, said there is “absolutely, completely no contemplation of putting all the data in one place.”
He said the government wants to help people control their personal information, and might consider a central contact database, but is not looking at compiling all personal records.
“It’s not true and it’s hard to actually see how that came out of the report that we wrote.”
McLeod-McKay released her own review of the ATIPP Act in October 2015. At the time, she called the legislation “antiquated” and “in desperate need of improvement.”
She recognized that the act was written “when the world was largely paper-based,” and called for the government to be given more authority “to collect and disclose personal information” now that many services are provided online.
But she also called for a number of new privacy-protection measures, since personal information can be shared much more easily between departments in the digital era. Now, she seems concerned that those recommendations will be ignored.
McLeod-McKay said the government didn’t contact her while it was completing its review, and she didn’t see the report until it was published last month.
“It would have been nice had they consulted me before they issued the report, but they didn’t,” she said.
Downing said the government did use McLeod-McKay’s recommendations when drafting its report.
“I think our office has worked with the privacy commissioner’s office,” he said. “Both parties perhaps need to do more.”
McLeod-McKay also addressed a number of other issues raised in the government’s report. The report found that the definition of personal information in the act is so broad that it’s difficult to know what it means. But she said Yukon’s definition is similar to other jurisdictions.
“It’s not clear to me how the definition could be narrowed in Yukon without negatively affecting the right of an individual to control their own personal information.”
The report also found that the act is poorly understood by government staff and the public. McLeod-McKay said the solution to that problem is to train staff and educate the public, not to simplify the legislation.
“I would say that the ATIPP Act is no more complex than any other piece of legislation,” she said.
McLeod-McKay didn’t take issue with the portions of the government review that deal with freedom of information. She has called for changes that would make it harder for the government to avoid releasing information in response to access-to-information requests. Some of those same changes were suggested in the government report.
McLeod-McKay has scheduled two public information sessions to help people understand the ATIPP Act. They will take place on Friday, Jan. 20 from 11 a.m. to 12:30 p.m. and on Monday, Jan. 23 from 7 to 8 p.m. at the Whitehorse Public Library.
Contact Maura Forrest at firstname.lastname@example.org