People across BC provide ICBC with their personal information and a new report finds ICBC could be doing more to protect that information.
The report was led by acting information and privacy commissioner Drew McArthur.
In a press release, McArthur says, “We have to provide our personal information to government in order to access the programs we need. That information is collected, shared, used and shared again — sometimes without our knowledge or consent. ICBC holds one of B.C.’s most complete personal information data sets and shares that data with many other organizations, from bailiff services and municipalities, to parking lot operators and tow companies.”
McArthur made 12 recommendations, including the following:
- Amending ISAs regularly to incorporate collection authority, rationale for disclosure, custody and control, breach management, training and notification to ICBC in the event of staff termination.
- Tracking and reviewing third-party access to personal information held by ICBC, including removing duplicate and outdated user IDs, and ensuring that an ISA is in place before granting access to third parties.
- Conducting additional compliance monitoring with third parties, as well as internal audits and reviews of ICBC systems, policies and information sharing governance.
Deputy Commissioner Jay Fedorak on the report
Deputy Commissioner Jay Fedorak worked on the report for 6 months and says one of the biggest liabilities was letting third parties have extra user IDs.
“These extra user IDs are in a sense a privacy liability. Now we didn’t see any evidence that anyone had in fact used them, but as I said they become a risk and liability. We want to do everything to eliminate those risks and liabilities.”
He says ICBC needs to do a better job of keeping up to date with the number of user IDs.
“What we’re saying is that when they’ve issued a user ID, that they do a better job of preventing the reissue of an additional user ID to the same person and that they do a better job of keeping up to date when individuals no longer require access.”
Fedorak adds that “The danger would be that an unauthorized individual might be able to obtain access to an active account and then use it for unauthorized purposes.”
ICBC response to the report
ICBC hasn’t formally released a statement on McArthur’s findings yet; however, they did respond to Roundhouse Radio reporter Sean Bideshi’s tweet.
.@SeanKR101 We take the protection of personal information seriously and we’ve already taken steps to implement the recommendations. ^kp
— ICBC (@icbc) September 13, 2017
McArthur also confirmed that ICBC contacted him, saying, “ICBC has contacted me and indicated that they will immediately undertake efforts to address all of my recommendations.”
The full report can be found at https://www.oipc.bc.ca/reports/audit-compliance/.