
 

 


   BACKGROUNDER  

2004HSER0073-000919

Nov. 4, 2004

Ministry of Health Services

     

 

IMPROVING PRIVACY AND CONFIDENTIALITY

 


The Role of the B.C. Information and Privacy Commissioner

·        Government frequently consulted with the Office of the Information and Privacy Commissioner in the earlier stages of this initiative.

·        The B.C. Information and Privacy Commissioner subsequently undertook a review of the implications for British Columbia of the USA PATRIOT Act.

·        Upon undertaking the review, the commissioner felt unable to advise the health benefit operation project as he needed to remain independent of any ‘alternative delivery service’ project.

·        Government made its submission to the Information and Privacy Commissioner, which highlighted a plan for tough new privacy legislation and contractual solutions.

·        The commissioner concluded that the USA PATRIOT Act poses some risk to privacy; however, the commissioner made it very clear that “a ban on outsourcing would not be a practical or effective response to this risk, but that other mitigating measures should be implemented at legislative, contractual and practical levels.”

·        Government compared the draft MAXIMUS agreement to the commissioner’s recommendations and found that the contract meets or exceeds the commissioner’s recommendations.

·        The contract with MAXIMUS was only signed after the ministry was assured the personal information of British Columbians is and will continue to be protected.

 

Privacy and Security Provisions

  • Enhanced privacy and security measures are included in the contract with MAXIMUS.
  • Technical protection measures:
    • Strong technology security measures will be implemented, including firewalls, encryption and physical security.
    • Special restrictions on data access and oversight/supervision requirements apply to any U.S. employees working on transition and transformation activities.
    • Data storage and access, including remote access, will be only in Canada, and can only be changed with the Province’s express consent.
    • Data access will be segregated so that only the B.C. service provider (and not the Canadian or U.S. companies) has access.
    • Outbound web and e-mail access for staff will be prohibited or restricted, except as required to deliver specific services.
    • Hardware that would enable data to be copied and taken offsite, such as removable floppy drives, CD burners and USB smart drives will be restricted to designated personnel.

  • Contractual protection measures:
    • Service provider policies and procedures outline all privacy and security objectives, methodologies, and disclosure requirements.
    • Within the B.C. service provider, access will be further segregated to align with specific job requirements.
    • Strict records management and retention policies will be implemented.
    • Privacy Impact Assessments will be required prior to any systems change.
    • The contract includes termination rights in the event of disclosure or privacy breach.
    • All employees who have access to MSP or PharmaCare data sign non-disclosure agreements directly with the Province.
    • Non-disclosure agreements and contract language include the requirement for the signer to notify the Province in the event that he/she becomes aware of any potential disclosure.
    • Whistleblower protection and hotline for employees to call.
  • Corporate protection measures:
    • The Province has contractual rights that allow the Province to take over the operations of the B.C. company in the event of a potential disclosure of personal information.
    • All Canadian resident directors on the board of the B.C. company.
    • Creation and reference to a detailed privacy plan in the contract.
    • Service provider must have dedicated privacy and security officer who monitors compliance.
    • Contract includes liquidated damages in the event of disclosure or privacy breach in response to a requirement of a foreign country or agency.
  • The agreement is fully compliant with the recent Freedom of Information and Protection of Privacy Act (FOIPPA) Amendment Act and the recommendations made by the Information and Privacy Commissioner.

-30-

 

 

 


     

Media contact:

Public Affairs Bureau

Ministry of Health Services

250 952-1887

 

Visit the Province's website at www.gov.bc.ca for online information and services.