Investigation Tips Following the NWT Health Authority Incident
When employees make mistakes that result in a privacy breach, the custodian is held responsible to ensure that appropriate investigations are performed. This includes appropriate documentation of the privacy breach incident and sanctions when indicated.
The NWT Information and Privacy Commissioner (IPC) opened an investigation into the Northwest Territories Health and Social Services Authority (NTHSSA) after a reported privacy breach in 2024. This review aimed to assess whether the health authority had adequate safeguards in place to investigate and prevent similar future incidents.
Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.
What Happened
In April 2024, a patient filed a complaint with the nurse-in-charge at a health centre in the Northwest Territories. The complaint alleged that a clerk had inappropriately shared the patient’s personal health information with a family member during a casual conversation.
The nurse-in-charge apologized to the patient and escalated the issue to the regional manager. The clerk denied disclosing the health information, but the health authority concluded the incident had indeed occurred.
The Commissioner emphasized that there was no ill intent, stating:
“The interaction between the clerk and the sister was spontaneous and indicates a simple lapse in judgment.”
Managing the Breach
The NTHSSA’s management of the privacy breach can be examined using the 4 Step Response Plan.
Step 1 – Spot and Stop
The privacy breach was identified by the patient and reported to the nurse in charge and escalated to the regional manager.
Step 2 – Investigate
An investigation was initiated. While the clerk denied the allegation, the health authority determined a breach had occurred.
However, the Commissioner noted a serious concern: the investigation was poorly documented. If notes were taken, they could not be located or produced during the review.
Step 3 – Notify
The patient and NTHSSA (the custodian) was aware of the breach. No further notification was required.
Step 4 – Prevent the Breach from Happening Again
The health authority directed the clerk to:
- Complete updated privacy training
- Review the oath of office
- Review patient confidentiality policies
No further disciplinary action was taken.
Commissioner’s Investigation
The IPC made several key recommendations:
- Equip investigators: Ensure staff who investigate privacy breaches are properly trained and supported to conduct effective, timely, and well-documented investigations.
- Enforce sanctions: Ensure managers understand the range of disciplinary options available and are aware of their obligation to apply reasonable disciplinary measures when warranted.
- Annual privacy training: Reinforce the Mandatory Training Policy by ensuring all employees complete refresher privacy training every year.
- Use real examples: Incorporate this privacy breach as a case study in future privacy training to help employees understand their obligations—at work and outside of work.
Take-Aways
Annual privacy training is not enough.
Training must include real-world, job-relevant examples and emphasize how privacy rules apply in everyday situations.
When employees make mistakes, it’s the custodian’s responsibility to lead an appropriate and well-documented investigation—not just revisit outdated training.
A strong privacy culture includes tools, training, and clarity. Equip your investigators, privacy officers, and managers with the skills they need to respond appropriately.
For more on how to manage privacy-related employee errors, listen to the podcast:
Managing Employees When They Make Mistakes – Episode #105
Need Help Training Your Privacy Team?
Ask me about Practical Privacy Officer Strategies training to strengthen your internal investigation process and build a more resilient workplace.
Reference
NWT IPC File Number: 24-950-6 on April 4, 2025Northwest Territories Health and Social Services Authority (Re), 2025 NTIPC 97 (CanLII), <https://canlii.ca/t/kc0s6>, retrieved on 2025-06-09
You May Also Be Interested In
Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information