Information and Privacy Commissioner in Support of Auditor General Recommendations

October 3, 2008

Information and Privacy Commissioner Frank Work fully supports recommendations made by the Auditor General with respect to security and protection of information assets of the Government of Alberta. The Auditor General, among other things, is recommending establishment of a central security office to oversee all aspects of information security across all Government of Alberta ministries and departments.

“Section 38 of the Freedom of Information and Protection of Privacy Act clearly places responsibility for security of personal information assets on the shoulders of the public bodies. The Auditor General’s recommendations will help public bodies discharge this responsibility.”

Frank Work says a central authority to advise and set direction on security issues is very important. “The growth of information technology systems could outpace the ability to secure them. This raises the question of whether a decentralized IT management model can keep pace. I also recognize that advancements in information technology create new challenges, requiring ongoing attention to security matters.”

The Commissioner says some of the Auditor General’s findings are startling. “Findings such as passwords taped to key pads, unsecured doors and windows in server rooms are unacceptable and in some cases downright scary. The government holds a lot of personal information about Albertans. If that information falls into the wrong hands, it could be used for criminal purposes, including identity theft. While the Auditor found footprints indicating that some systems have been compromised, there is no indication about what, if any, information has actually been accessed.”

Work adds, “Part of my mandate is ensuring that public bodies protect information assets. Albertans expect their information to be protected. We will work closely with Service Alberta and other government agencies to address the Auditor General’s recommendations. One possibility is Privacy Impact Assessments for information systems. Another is a surveillance and detection process so that possible breaches can be picked up immediately.”