Ombudsman releases status update on Manitoba Families’ implementation of CDS privacy breach audit recommendations
Sep 1, 2023
Manitoba Ombudsman has released its status report on the progress made by Manitoba Families to implement the nine recommendations made in its April 2021 investigation of a privacy breach that affected 8,900 children receiving services from the Children’s disAbility Services (CDS) program of Manitoba Families.
The report identifies the actions the department took between
April 1, 2021 and May 25, 2023 to address the recommendations. We
also assessed whether the department has implemented the necessary
privacy policies and procedures to comply with the security
safeguard requirements of the Personal Health Information Act
(PHIA).
Manitoba Ombudsman made nine recommendations to the department
related to strengthening policies and procedures, and training
employees about privacy obligations. As the department is one of
the largest trustees of health information in Manitoba outside the
health sector, we also recommended that the department implement a
comprehensive privacy management program. Our office committed to
reporting the results of our follow-up review publicly.
Our review revealed that Manitoba Families has taken steps to
strengthen its protection of personal and personal health
information. Specific
actions taken by the department to improve compliance with PHIA
include:
• Revamping and reorganizing its PHIA policies
• Reviewing its policies to ensure consistency
• Updating its pledge of confidentiality to meet the requirements
of PHIA
• Establishing new policies such as a policy for the recording of
privacy breaches
• Ensuring that its policies/procedures are incorporated into its
employee training
• Providing PHIA training to 93% of its employees, and establishing
a centralized training tracking system
• Developing a process to review PHIA pledge signing quarterly to
ensure that all staff sign pledges
• Establishing a Privacy Management Committee
We have determined that the department implemented 7 out of the 9
recommendations arising from the 2021 Privacy Breach investigation.
The review of recommendations 1 through 7 reveals that Families has
implemented security safeguard procedures and has taken measures
to enhance its compliance with PHIA by strengthening policies and
staff training.
One of the outstanding recommendations is that the department
strengthen its oversight with agents and service providers as
required under their standard service purchase agreements and the
Act. We have assessed this recommendation as partially implemented.
Manitoba Families has existing oversight mechanisms in place to
monitor service purchase agreements but requires a more
standardized and consistent review of agents’ and service
providers’ privacy policies, procedures, and practices in order to
ensure that they are compliant with PHIA.
As the department collects personal and personal health information
from thousands of Manitobans receiving its services, we also
recommended that the department implement a comprehensive privacy
management program. Our review confirms that Manitoba Families made
an organizational commitment to privacy management by creating a
privacy management committee (PMC) and initiating an audit to
inventory the personal health information in its custody. This is a
foundational step to develop appropriate program controls to
protect privacy and strengthen the information handling practices
of the department and its service providers/agents.
We will continue to monitor and report on Manitoba Families'
progress to improve its security safeguards required under PHIA and
to implement an effective and accountable privacy management
program that is critical to building a privacy-focused culture in
the department.
The full review summary can be found on our website at:
https://www.ombudsman.mb.ca/uploads/document/files/case-mo-00783-en-en.pdf
The April 2021 privacy breach report can also be found on our
website at
https://www.ombudsman.mb.ca/uploads/document/files/case-2020-1304-en.pdf