It seems professionals snooping into people’s information has been a recent problem in Saskatchewan, with a pharmacy student and some Saskatoon Police officers both recently caught and investigated for looking into personal information when they were not allowed to do so. Ron Kruzeniski, Saskatchewan Privacy Commissioner, joins Evan Bray to discuss the recent privacy concerns in the province.
These situations we’ve heard just in the last week, one with the Saskatoon Police Service, one involving a pharmacy student, were brought to you by the organizations that were involved. Correct?
KRUZENISKI: Yes, there are two situations. Sometimes someone finds out about a breach that affects them and they complain to us. But in many instances, the organization itself discovers a breach and reports it to us, and we call that a proactively reported breach. We then work with the organization and give suggestions and guidance, do this or do that, and I hope we get to talk about this, to reduce the risk of a similar breach occurring in the future, right?
Can you give us a sense of where that meter is to determine whether or not it breached someone’s right to privacy?
KRUZENISKI: Well, we have four things that we’re looking for. We first want the organization to contain the breach, and put a stop to it. You know, the snooper or whoever then is prevented from entering that database, or discipline is meted out. Secondly, we want those affected by the breach to be notified, because if your or my health information or information that police service is devolved, I may want to do something in terms of telling my spouse, my children, my friends, maybe I want to check with the credit reporting agency. So if I don’t know about it, I can’t take any defensive action. We then ask the organization to do an investigation and find out the root cause of what caused this particular breach. In the druggist one, it clearly was a rogue student who acted totally improperly. And then the most important one is what steps would be taken in the future to prevent a similar breach. Breaches are kind of like closing the barn door after the horse has run away. We can’t do too much about the breach that actually occurred, but we can do a fair number of things to reduce the risk of it happening again. I mean, there’s no guarantee, we are dealing with human beings, and they’re sometimes very curious and get tempted, but we can take steps to reduce the risk of it happening.
How common are these types of investigations?
KRUZENISKI: It’s not an epidemic. It’s not unimportant. Every breach that, you know, gets your information is serious and should be taken seriously. It’s hard to put a number on it, but looking at our work, we spent approximately 30 per cent of our time on privacy breaches. Now there are different kinds of it. In this case, what we have is snoopers. It’s someone internally ignoring the policies and the practices and snooping. The other type of breach is when people in Canada or other countries, particularly other countries, break into our systems and sort of hold our data hostage or take it and put it on the dark web, you know, or do something with it. It’s the outside breach.
Do you get into the discipline side of things for companies? Or do you leave that to the company as well?
KRUZENISKI: I think we mainly leave it to the company because the decision-making aspect of it is all with the employer, you know, as to what they do. I guess, depending on the seriousness of the breach, you know, we would sort of look at what consequences there have been. I think, in both the reports that you’re referring to, the Saskatoon police force had taken steps; the druggist in the other case, the next day, had the student removed from the premises. So sometimes it shows up that the organization’s already taken the steps, right? In very extreme cases, we’re supportive of termination, right, but you have to have other disciplinary things, like suspension for a number of days or move to a different branch or unit.
Are there consequences to an organization if they do nothing based on your recommendations?
KRUZENISKI: Well, if they do absolutely nothing, I guess they’re going to be criticized soundly by me. If somebody complains, we’re going to issue a report, and at the end of the report, or through the report, it’s going to be much more critical. There are other risks in that the people affected by it, the victims of the breach, could decide to go to court. We haven’t had a lot of cases in Saskatchewan, but if you look across Canada, people definitely do go to court. And then there’s just the attracted publicity of all that.
There’s a difference between an employee accessing a database and someone like a police officer on their off time reading a file that they could be implicated with during their day.
Do you see that there are areas of this that are too restrictive when it comes to privacy?
KRUZENISKI: Not really, and what you’re citing is something somewhat unique. And if you take the current report that’s out there, the officers kind of were looking at things that the file wasn’t on their desk, right? We ran into this a little bit in the Humboldt Broncos crash. You know, that terrible evening, many health professionals were involved, and sometimes they didn’t know whether they might receive a patient or might not, and there certainly was some looking, which we would categorize as snooping, although their motives might have been just fine. They didn’t need to know. I think the real test is, say, for a police officer who’s been away for a week and comes back: okay, do I need to know? Has my sergeant or superintendent said you’re on the case or you’re going to be on the case? And I think that’s a critical question that an officer or a health professional should ask as of today.
We find most breaches are more in the area of what’s my ex-girlfriend doing, my ex-boyfriend, my ex-spouse. Oh, what about my children? I should check on them.