Alberta Commissioner Provides Advice on Disaster Recovery Planning

Alberta Commissioner Provides Advice on Disaster Recovery Planning

PrivaTips, Regulator Decisions, Regulator Guidance
The Office of the Information and Privacy Commissioner of Alberta (the “Office”) recently concluded an investigation into the outage that resulted from a fire at the Shaw Court building in Calgary, damaging equipment and infrastructure, including servers that stored personal and health information for Service Alberta, Alberta Treasury Branch, Alberta Health, and Alberta Health Services.
Email
Print

The Office of the Information and Privacy Commissioner of Alberta (the “Office”) recently concluded an investigation into the outage that resulted from a fire at the Shaw Court building in Calgary, damaging equipment and infrastructure, including servers that stored personal and health information for Service Alberta, Alberta Treasury Branch, Alberta Health, and Alberta Health Services.

The investigation focused on how prepared these government bodies were to maintain privacy in a disaster situation, that is, the safeguards in place to protect against unauthorized access, loss or destruction of personal and health information as required under Alberta’s privacy laws.

The investigation found that that Alberta Health Services had components of a business continuity plan in place, but no comprehensive plan, and was therefore found to be in contravention of the Health Information Act.

In addition, two main instances of increased risk were noted in the report:

  • Alberta Health relaxed one layer of security within its Netcare authentication system to allow users continued access during the outage; and
  • Alberta Health Services reported that some of its staff used personal email and text messages to communicate with each other during the outage, having lost access to internal email and messaging services.

The Office made the following recommendations to all public bodies, organizations, and custodians in Alberta:

  1. Establish a planning process with identified teams, resources and executive support.
  2. Perform a business impact analysis to identify which systems and business processes are critical to continued operations. This analysis should include consideration of the sensitivity and amount of personal or health information involved.
  3. Review the business impact analysis regularly to assess whether priorities need to change to reflect changing requirements.
  4. Prepare plans to continue operations and recover from a disaster, based on criticality of systems. Assign priority to more critical systems, which means that critical systems will have faster recovery time objectives and more resources will be spent on recovery.
  5. Approve and distribute plans.
  6. Train those directly involved in the plan. Make all employees aware of what to do in case of a disaster and what their role may be in ensuring continuous operations. Test plans regularly.
  7. Revise and refine plans, based on test results and changing business requirements.
Email
Print