B.C.’s local government IT departments are about to take delivery of a new database that will raise the bar in terms of the data security expectations imposed upon them. Bill 25 is a new amendment to the Safety Standards Act that gives B.C. local governments the legislated authority to demand residential customer consumption data from their local electric utility. This provision is part of an initiative designed to assist fire departments and bylaw enforcement officers in local governments to locate marijuana grow operations in residential premises within their jurisdiction. These clandestine operations have been identified as a major risk to public safety. Many of them have had their electrical equipment installed by amateur or unlicensed electricians, resulting in an inordinately high incidence of electrical fires.
Predictably, privacy advocates are not too happy about the prospect of this information becoming accessible to local government. The B.C. Privacy Commissioner has also expressed concerns about the proposal to release this data into the hands of local governments. At the same time, a number of spectacular data privacy blunders have resulted in the public growing increasingly skeptical about the ability of government IT officials to manage personal information. The most notable of these was the discovery of a massive volume of personal and medical information remaining on a series of used backup tapes that were sold to a member of the public in March 2006 by a provincial ministry. With these facts in mind, it is clear that local governments that take delivery of electrical consumption data are going to be in the spotlight in terms of how they handle the information. Any unintentional disclosures are going to become a matter of public interest that could have an effect that reaches beyond the boundaries of the offending local government.
This database not a first
In spite of all the attention this issue is attracting, local governments already have extensive databases that contain personal information about their residents. More importantly, most local governments have GIS and property records systems that allow them to consolidate this information to the point where they can get a pretty clear understanding of the lifestyle and habits of a property’s occupant. Electrical consumption data is really no more personal than the water utility and garbage service consumption data that is already on file. With all this personal data on file, it is reasonable to wonder why we would need to take any special precautions with electrical utility data. The answer to this question is that there are folks out there who will be watching us closely and looking for an opportunity to make an example of any local government that makes a mistake. In fact, it’s probably safe to assume that privacy advocates will use any unintentional disclosure as a reason to argue that local governments shouldn’t be trusted with the data.
If they haven’t already done so, all B.C. local governments should conduct a data security audit. The Freedom of Information and Protection of Privacy Act of B.C. requires public bodies to take reasonable security measures to protect against unauthorized access or use of personal information. The privacy commissioner has the authority to investigate, issue orders and impose fines on your organization if you fail to meet this requirement. Does your local government have a reasonably sophisticated firewall? Do you have good physical security to control access to your computers and backup media? Do you have and enforce a data security policy? Do you take precautions to prevent staff from taking data or backup media home? Do you restrict remote access to databases? Do you have strict and sophisticated practices in place to deal with the disposal of old disks, tapes and memory devices? If you can’t confidently answer yes to every one of these questions, then your organization is at risk of unintentionally disclosing personal information. Bill 25 has the effect of dumping all local governments in B.C. into the same boat in terms of their responsibility for data security. Local governments have an obligation to their elected officials, their constituents and, in this case, other local governments to take these obligations seriously. A consistently applied data security policy and a detailed security audit are the only defence against criticism if an unintended disclosure occurs.