image21

Spoiler Alert: They sue me anyway

While this may be the latest threat I received from the GNWT, it is not the first

The first threat was in a letter to the Information and Privacy Commissioner dated July 19, 2018

image22

I promised to remove all personally identifying information

THIS LETTER MAKES it CLEAR THAT IN JULY OF 2018, THAT THE GNWT WAS "CONSIDERING ITS LEGAL OPTIONS"

While the treat is quite clear, please note the other highlights of this letter:

  • it took them almost 6 months to reply to a request for information
  • they admit not properly advising me of the delays involved

The "LEGAL OPTIONS" here are about my CONTACTING "GNWT EMPLOYEES IN CONNECTION WITH THIS MATTER"

THOSE EMPLOYEES ARE the EMPLOYEES TO WHOM I HAD UNRESTRICTED ACCESS TO THEIR DATA IN PEOPLESOFT

OK, slow down, if I understand the threat here . . . they are upset that:

  • I notified the persons involved of the GNWT breaching their obligation to keep their personal information confidential;
  • that I notified them at their GNWT email address; and
  • this is somehow highly inappropriate and worthy of legal threat?


ALL I DID WAS ADVISE THE PERSONS INVOLVED THAT I HAD ACCESS TO THEIR INFORMATION

So, why would the GNWT make threats if they have to inform the individuals of this breach anyway???

Well, threats are the only way to make sure the individuals involved don't know that there has been a data breach at all. The GNWT is not under any obligation to do anything:

  • They don't have to report the breach to the individuals involved
  • they don't have to report the breach to the Information and Privacy Commissioner
  • they don't have to report the breach to the Legislative Assembly
  • they don't have to report the breach to the Minister, Deputy Minister, or Deputy Head of their Department
  • in fact, they don't have to inform anyone . . . ever 

THE NORTHWEST TERRITORIES IS NOT A MANDATORY BREACH REPORTING jurisdiction

Many jurisdictions in Canada place an obligation on public bodies to report breaches to the individuals involved  if there is a "real risk of significant harm."


The Northwest Territories is not one of those jurisdictions.

So, when the GNWT discovers a breach of the access to information & protection of privacy act . . .

They aren't under any obligation to do anything. In fact, they don't have to inform anyone . . . ever  

image23

nope, never

So, who does have MANDATORY BREACH REPORTING?

image24

Nunavut . . . formerly known as 'Northwest Territories East'

Nunavut has mandatory breach reporting

  • They also have the same Information and Privacy Commissioner as the Northwest Territories.
  • When they separated from the Northwest Territories in 1999, they had the same Access to Information and Protection of Privacy Act
  • Since separation they actually added provisions to their Act  to make continual incremental improvements to privacy protection--improvements that I assert should be considered by the Northwest Territories

image25

That's just a list of the sections, not the real legislation

so, what does the people of the northwest territories want?

image26

White text on a red background . . . for dramatic effect

Mandatory Breach Reporting has been a long time coming! Now is the time!!! contact your MLA!!!

Your MLA can introduce the necessary changes to the Access to Information and Protection of Privacy Act that will require that breaches are reported and not covered up under threat of legal action.

Contact Your MLA