The Office of the Information and Privacy Commissioner has concluded its investigation into the outage that resulted from a fire at the Shaw Court building in Calgary, providing findings and recommendations on business continuity and disaster recovery planning.
On July 11, 2012, one of the electrical breakers in the Shaw Court building failed, causing a fire in the main transformer room. Sprinklers were activated in response to the fire, damaging equipment and infrastructure, including servers that stored personal and health information for Service Alberta, Alberta Treasury Branches, Alberta Health, and Alberta Health Services (the respondents).
The investigation focused on the safeguards the respondents had in place to protect against unauthorized access, loss or destruction of personal and health information as required under Alberta’s three privacy laws. The report does not look into why systems went offline, or how the outage affected the business or personal needs of the public, but focuses on how prepared the respondents were to maintain privacy in a disaster situation.
The investigation found that three of the respondents had business continuity and disaster recovery plans in place. One of the respondents, Alberta Health Services, had components of a business continuity plan in place, but no comprehensive plan, and was therefore found to be in contravention of the Health Information Act.
In addition, two main instances of increased risk were noted in the report:
- Having weighed the clinical risk against the privacy and security risk, Alberta Health relaxed one layer of security within its Netcare authentication system to allow users continued access during the outage.
- Alberta Health Services reported that some of its staff used personal email and text messages to communicate with each other during the outage, having lost access to internal email and messaging services.
All of the respondents reported no data loss as a result of the outage. They have reviewed their actions following the outage and have taken steps to improve plans to prepare for similar scenarios in the future. As such, no further recommendations specific to the respondents were made.
“Business continuity and disaster recovery planning is an important component of an organization’s duty to protect personal and health information,” said Information and Privacy Commissioner Jill Clayton. “Failure to have these kinds of plans in place, or poorly implemented plans, can lead to increased risk.”
The Office of the Information and Privacy Commissioner made the following recommendations to all public bodies, organizations, and custodians in Alberta:
- Establish a planning process with identified teams, resources and executive support.
- Perform a business impact analysis to identify which systems and business processes are critical to continued operations. This analysis should include consideration of the sensitivity and amount of personal or health information involved.
- Review the business impact analysis regularly to assess whether priorities need to change to reflect changing requirements.
- Prepare plans to continue operations and recover from a disaster, based on criticality of systems. Assign priority to more critical systems, which means that critical systems will have faster recovery time objectives and more resources will be spent on recovery.
- Approve and distribute plans.
- Train those directly involved in the plan. Make all employees aware of what to do in case of a disaster and what their role may be in ensuring continuous operations. Test plans regularly.
- Revise and refine plans, based on test results and changing business requirements.
The Information and Privacy Commissioner works independent of government to protect the access and privacy rights of all Albertans.