Alberta: Privacy Issues and Mobile Computing
March 7, 2007
Catherine M. Samuel
In our last issue, we discussed some of the legal issues and obligations arising from the loss or theft of personal information and other mobile data. In a recent decision, the Alberta information and privacy commissioner found that the Calgary Health Region (CHR) contravened the provincial Health Information Act. The finding arose from an investigation into the theft of a mental health therapist’s laptop computer.
The laptop contained a database of more than 1,000 current and past patients – all children under six years old – in CHR’s collaborative mental health program. The computer was stolen from the therapist’s locked home.
CHR informed the commissioner’s office of the incident on its own initiative and took immediate steps to notify the affected individuals. CHR is currently installing encryption software in business areas where laptops containing health information and other sensitive information are in use.
It is also installing ‘phone-home’ technology on high-risk mobile computers so that, if a laptop is stolen, the computer will send a signal back to CHR the first time it is connected to the Internet. Until the encryption solution is fully implemented, program workers will use virtual private network (VPN) technology to access the database remotely over an encrypted Internet connection.
McCarthy Tétrault Notes:
Mobile computing technology is widely used in provincial health sectors. When dealing with health or personal information stored on mobile devices, it is prudent to consider the following general recommendations made by the commissioner’s office concerning mobile computing:
- Perform a privacy impact assessment (which should include an assessment of security risks) before implementing mobile computing;
- Do not store personal or health information on mobile computing devices unless you need to — consider technologies that allow secure, remote access to your network and data instead;
- If you must store personal or health information on a mobile device, use encryption to protect the data — password protection alone is not sufficient;
- Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs;
- Periodically check your policies against practice to ensure they reflect reality and remain effective; and
- Provide specific training on mobile computing to staff to ensure they understand the risks and know how to protect their equipment.
Given the ubiquity of laptop use for storing confidential information, even those companies not in the health sector will wish to consider the implications of this decision upon their own businesses.