“There is a direct relationship between good records and information management and the ability of a public body to meet its responsibilities under either the Access to Information and Protection of Privacy Act or the Health Information Act.”
NWT Information and Privacy Commissioner’s Report , 2016-2017, p. 44
Recently, on Oct. 3, 2017, to be precise, Elaine Keenan Bengts, the Northwest Territories’ Information and Privacy Commissioner, tabled her latest annual report in the Northwest Territories legislative assembly [link1]. Her report – and the subsequent news coverage about it [link2] – highlight the important role that good records management plays in the efficient and effective engagement of Freedom of Information and Protection of Privacy. However, the report also makes clear that records management still faces an uphill battle as it tries to strike a balance between making sure people can access and control data about themselves, and keeping that information out of the hands of people who don’t need or shouldn’t have access to it. One of the biggest obstacles in the Northwest Territories (and probably in many, if not most, other jurisdictions) is in the technologies used to manage and transmit the records and in people’s willingness to use them.
As evidenced in the privacy commissioner’s report, recent changes have brought to light issues specifically relating to health information. The new Health Information Act, introduced in 2015, stipulates the right of patients to access and control who has access to their personal health information. It also recognizes the need for health care providers to collect, use and disclose that information for the purpose of providing health care. The difficulties in achieving and maintaining this balance are compounded in the Northwest Territories by the fact that a patient is not assigned to one physician, but, rather, is provided with primary health services by various teams. This means that the health records need to be accessible to a wide and diverse group of people – but not to everyone in the system! In the past year, these problems have been even further complicated by a major structural reorganization of the Health and Social Services Authority that took place in 2016.
Issues with Privacy
“Under the Act, health information custodians must have the ability to allow for a patient to put conditions on their consent.”
NWT Information and Privacy Commissioner’s Report, 2016-2017, p. 38
Keenan Bengts notes in her report that in the past year the privacy commissioner’s office has already received complaints about issues under the new legislation. One case, in particular, dealt with a patient who was having difficulties getting his health service provider to limit access to his health records to specific individuals – a legitimate condition for a patient to request under the new legislation. On examination, Keenan Bengts found that the health information system being used by that particular health authority “did not have the functional capacity to allow masking” (p. 38).
Similarly, another health authority reported that a clerk had been repeatedly accessing private health information inappropriately. Again, the software was a major obstacle. The system in place didn’t allow for blocking to prevent this kind of inappropriate access.
Issues with Data Storage and Transfer
“Every employee is now expected to manage their own records … but little is done to ensure that employees are knowledgeable about and applying good information management practices. Every employee with a computer has control over his or her record keeping system, which leads to uneven records management.”
NWT Information and Privacy Commissioner’s Report, 2016-2017, p.44
The report also highlights issues related to record keeping and technology that do not arise out of specific complaints but which the commissioner felt worthy of noting. One such area is data transfer. As Keenan Bengts points out (p. 45) the reality is that “information has to flow to provide effective services.” However, this flow needs to be carefully controlled when dealing with the data covered by privacy laws.
One persistent issue in this regard is the use of personal web-based e-mail accounts and instant messaging services for taking notes and storing sensitive communications. Despite the prohibitions against doing this, workers still favour the convenience and familiarity of this and often don’t think about the security issues involved.
Another problem raised in the report is the continued use of fax machines to transmit patient data and other sensitive information. Fax technology is now considered old technology; nevertheless, Keenan Bengts states that she still receives a significant number of reports of faxes being sent to the wrong telephone number causing a breach of patient privacy.
So What Can We Do?
“Good access and privacy … require strong leadership, good policies, and good information management”
NWT Information and Privacy Commissioner’s Report, 2016-2017, p. 44
The report is not, of course, just a litany of problems and mistakes. Keenan Bengts, in responding to the complaints and on observing ongoing problems, offers suggestions for fixing the problems; suggestions that are relevant not only in the Northwest Territories, but to records professionals everywhere. Interestingly, most of the solutions involve educating those we work with.
There’s often not much we can do about the software we have to work with, but we need to make sure we understand its limitations and draw any problems to the attention of those who can fix them. Explaining not only what the problems are, but being clear in explaining what needs to be done to fix them is key. Offering clear suggestions makes it not only easier to get a solution, but is often cheaper as there is a specific goal to work towards.
It’s very difficult to stop people from using their personal devices but Keenan Bengts points out that emails can be made very secure by the simple addition of encryption. While this is not currently a widespread practice, it is, again, something that can be brought to the attention of those who need to transfer records and, with education, is something that can be implemented fairly easily.
As records professionals, it’s sometimes easy to forget that records are intimately related to the people who use them; without these people there would be no records. We, however, are more directly involved with the records in ways that the users frequently are not. One of the key roles we can play is to ensure that the users have both the tools and the knowledge to interact with the records appropriately.
Links
Link1
http://www.assembly.gov.nt.ca/sites/default/files/td_465-182_0.pdf
Link2
http://www.cbc.ca/news/canada/north/privacy-commissioner-nwt-report-1.4343978