Saanich’s mayor is satisfied with the district’s response to privacy concerns that arose last year after it was learned that spyware had been installed on the mayor’s and other municipal computers.
“There’s now a privacy officer in place, that’s one of the main concerns I had, as recently as December,” said Mayor Richard Atwell. “I would have liked the privacy officer put in place within 60 days [of the March 2015 recommendations]… but better late that never.”
Senior Saanich staff members met with B.C. Information and Privacy Commissioner Elizabeth Denham last week to go over the progress made by the district on the recommendations she had set out last year.
Denham made five recommendations to improve Saanich’s management of personal information in March 2015 in the wake of the controversy that surfaced after Atwell brought attention to the spyware that had been installed on district computers.
“There were two lingering items, one was to have a privacy officer in place and to start a proper audit of the organization and an upgrading of Saanich’s privacy understanding,” said Atwell. “The second is to modernize the computer systems so there’s proper control of information and privacy, and that’s an ongoing thing that will take some time.”
The district has been working on implementing the recommendations over the past year with former privacy commissioner David Loukidelis, who has issued his final report outlining Saanich’s progress.
“The goal of my work has been to review the district’s present-state compliance and to help it move forward with a programmatic approach to managing its privacy obligations,” Loukidelis concluded in his report.
“Continued implementation of my recommendations and of the privacy management plan described in this report will help ensure that the district continues to demonstrate that commitment. It will also demonstrate that the district is transparent about, and accountable for, how it collects, uses, discloses and protects the personal information of citizens as it carries out its work.”
The district has already met a number of the recommendations laid out by Denham, including discontinuing the use of the Spector 360 software program that records personal information and destroying any personal information that may have been collected.
The district has also hired a privacy officer and completed a review of its privacy management practices. An updated acceptable use policy for information technology is in the process of being rolled out to staff.
The lone recommendation that has not been met was for the district to generate logs of administrator-level access to IT systems that collect, store, use or disclose personal information.
“The district’s IT systems do not have this capability at this time,” Loukidelis said in his report, adding Saanich has retained the firm Deloitte to provide advice on the implementation of this recommendation and created an interim policy to monitor administrator access to personal information.