Sep 1, 2023

Manitoba Ombudsman has released its status report on the progress made by Manitoba Families to implement the nine recommendations made in its April 2021 investigation of a privacy breach that affected 8,900 children receiving services from the Children’s disAbility Services (CDS) program of Manitoba Families.

The report identifies the actions the department has taken between April 1, 2021 to May 25, 2023 to address the recommendations. We also assessed whether the department has implemented the necessary privacy policies and procedures to comply with the security safeguard requirements of the Personal Health Information Act (PHIA).

Manitoba Ombudsman made nine recommendations to the department related to strengthening policies and procedures, and training employees about privacy obligations. As the department is one of the largest trustees of health information in Manitoba outside the health sector, we also recommended that the department implement a comprehensive privacy management program. Our office committed to reporting the results of our follow-up review publicly. Our review revealed that Manitoba Families has taken steps to strengthen its protection of personal and personal health information. Specific actions taken by the department to improve compliance with PHIA include:

• Revamping and reorganizing its PHIA policies
• Reviewing its policies to ensure consistency
• Updating its pledge of confidentiality to meet the requirements of PHIA
• Establishing new policies such as a policy for the recording of privacy breaches
• Ensuring that its policies/procedures are incorporated into its employee training
• Providing PHIA training to 93% of its employees, and establishing a centralized training tracking system
• Developing a process to review PHIA pledge signing quarterly to ensure that all staff sign pledges
• Establishing a Privacy Management Committee

We have determined that the department implemented 7 out of the 9 recommendations arising from the 2021 Privacy Breach investigation. The review of recommendations 1 through 7 reveals that Families has implemented security safeguards procedures and has taken measures to enhance its compliance with PHIA by strengthening policies and staff training.

One of the outstanding recommendations is that the department strengthen its oversight with agents and service providers as required under their standard service purchase agreements and the Act. We have assessed this recommendation as partially implemented. Manitoba Families has existing oversight mechanisms in place to monitor service purchase agreements but requires a more standardized and consistent review of agents’ and service providers’ privacy policies, procedures, and practices in order to ensure that they are compliant with PHIA.

As the department collects personal and personal health information from thousands of Manitobans receiving its services, we also recommended that the department implement a comprehensive privacy management program. Our review confirms that Manitoba Families made an organizational commitment to privacy management by creating a privacy management committee (PMC) and initiating an audit to inventory the personal health information in its custody. This is a foundational step to develop appropriate program controls to protect privacy and strengthen the information handling practices of the department and its service providers/agents.

We will continue to monitor and report on Manitoba Families progress to improve its security safeguards required under PHIA and to implement an effective and accountable privacy management program that is critical to building a privacy-focused culture in the department.

The full review summary can be found on our website at:

https://www.ombudsman.mb.ca/uploads/document/files/case-mo-00783-en-en.pdf

The April 2021 privacy breach report can also be found on our website at https://www.ombudsman.mb.ca/uploads/document/files/case-2020-1304-en.pdf