Audit finds security, privacy weaknesses in Manitoba’s Vital Statistics Agency

By | September 9, 2020

The Manitoba agency charged with registering and providing documentation for events like births, deaths, marriages and name changes needs to do more to ensure privacy is protected, according to a report from the province’s auditor general.

An audit of Manitoba’s Vital Statistics Agency released Wednesday found security and privacy weaknesses in the way the records of these vital events are documented.

“The Vital Statistics Agency holds a significant amount of personal and sensitive information about Manitobans that must be properly protected and used effectively and efficiently,” Auditor General Tyson Shtykalo said in a news release.

“Failing to do so increases the risk that vital statistics information could be compromised, or is not complete and accurate.”

The primary function of the agency, which falls under the provincial department of finance, is to register vital events like births, deaths, adoptions, marriages, stillbirths, changes in sex designation and name changes, and to provide documentation of such events.

The audit, which included 19 findings and recommendations for the agency, covered a period between March 2015 and March 2017.

Security risks

The report’s key finding was weak management of security and privacy risks by the agency.

That’s in part because the agency doesn’t have a comprehensive risk-management process, which would identify possible dangers and implement controls to safeguard against them, the report says.

That weakness could lead to disclosure of sensitive information, identity theft, negative publicity and damage to reputation, it says, and could potentially result in lawsuits, fines and penalties.

Too many people have access to private information, the report found, and their access to that information isn’t monitored well enough.

In fact, two out of five users had inappropriate access to the information registry, the audit found. One user had access to the system for more than two years after leaving the agency, while another had access that did not fit with their job responsibilities.

The auditor general recommended the agency start a process to review users’ access rights on a regular basis.

In addition, the audit found security and privacy were compromised by inadequate physical separation between private and public areas — including door locks, gates to prevent people from going into private spaces and surveillance systems.

Delays, inaccuracies in reporting events

The audit also found weaknesses in ensuring the integrity of the information Vital Statistics handles.

A complete list of vital event registrars isn’t kept, the audit found. Registrars are tasked with recording births, deaths and marriages and forwarding that information to the agency.

Midwives, doctors who plan home deaths and medical examiners who determine causes of death weren’t on the list, the report found.

The Office of the Auditor General found the Vital Statistics Agency didn’t keep an up to date list of registrars in charge of documenting births, deaths and marriages. The audit also found it sometimes took more than two months to register births. (Meagan Fiddler/CBC)

There were also sometimes significant delays in registering events like births — more than two months, in some cases — which can have significant impacts on Manitobans, the report says.

Delays in recording a birth can mean parents aren’t able to get a social insurance number, health card or passport for their child or receive child welfare benefits.

Meanwhile, delays in linking deaths to birth records can mean long waits in setting inheritance claims for an estate.

“These issues create a greater risk that mistakes will be made registering vital events information, and increase the chance of delays and privacy breaches,” Shtykalo said.

A response from Manitoba’s Department of Finance, which oversees the Vital Statistics Agency, was included in the audit.

The statement says the department has been working on initiating steps to improve its privacy and security since before it received the report, but will continue to do so.

“We will review how these recommendations will be implemented, and develop and monitor plans of action where needed,” the department’s statement said.

The department says it will work to implement all 19 recommendations over the short and long-term.

View original article here Source