Ten years after NWT health privacy legislation came into force, an overview shows how often issues are arising and where the next problem areas are.
The 10-year report on the NWT Health Information Act – tabled in the legislature this week – shows privacy breaches happen in the territory’s healthcare at the rate of six or seven a month.
The report expresses concern about “snooping” – the act of healthcare workers prying into medical records they shouldn’t be accessing – and finds the current legislation inadequate for some uses, like cancer screening or getting departments to work together more closely.
In a news release that noted the report’s publication but did not engage with its contents, the NWT government said it was a “key part of the GNWT’s broader work on privacy.”
Here are some of the report’s headlines.
Advertisement.
Advertisement.
1. The NWT had 773 health privacy breaches in a decade.
The NWT’s health authority recorded 574 health information privacy breaches between 2015 and 2025.
Hay River’s health authority had 70, the Covid-19 Secretariat (in its brief existence) had 51, the Department of Health and Social Services had 44 and the Tłı̨chǫ Community Services Agency had 34.
Across the territory, that’s an average of about three breaches every two weeks.
The number of breaches is not the same as the number of people affected. In 2018, a single breach involving a stolen laptop was estimated to have involved the data of more than 30,000 NWT residents.
Advertisement.
Advertisement.
There was a spike in breaches between 2020 and 2023 that the report attributes to factors like staff redeployment during the pandemic, the introduction of new systems and long working hours.
2. The NWT needs a snooping law.
The report recommends creating a specific criminal offence for healthcare workers who intentionally access patient records without authorization, which it terms “snooping.”
Right now, the NWT’s Health Information Act has only a general rule that anyone breaking its terms can be fined up to $50,000 (or $500,000 for a corporation).
Provinces like Ontario and Alberta already have distinct snooping offences with higher penalties, the report states, stretching up to $200,000 for individuals or $1 million for corporations, and where jail time is a possibility.
“An explicit offence for snooping recognizes snooping as a serious wrongdoing with significant consequences, which may further deter employees,” the report adds.
3. Cancer screening is in a legal grey area.
The report finds the current law doesn’t clearly allow the territorial cancer surveillance program to proactively contact average-risk people for screening – for example, by sending out colorectal screening kits in the mail.
Screening programs already exist. The report’s argument is that the legislation doesn’t contain any obvious exemption allowing staff to use your patient data to establish that you’re in the right bracket to be contacted.
“There is a lack of clarity for custodians about permissible actions, increasing legal and reputational risk,” the report states. It suggests amending the regulations to make clear that screening programs have the right to use data this way.
Advertisement.
Advertisement.
4. No patient portal (and our systems can’t support one).
Six provinces already have online patient portals where people can access their own health records. The NWT doesn’t.
“The benefit of this approach is patients can access their information without attending a health centre to make a request, they can see all their cumulative results, and they can access the portal from anywhere there is the internet, including when out of the NWT,” the report states.
But although the report notes “growing expectations” that the NWT should introduce this service, it adds that the territory’s existing electronic systems “are currently unable to provide access.”
The GNWT’s intent is to build that capability when systems are eventually updated or replaced, but the report gives no timeline for that.
5. The law can’t keep up with the territory’s service integration push.
The GNWT has spent years promoting integrated case management, an approach designed to simplify the experience of interacting with multiple government agencies.
The idea is that you go to one government employee who can navigate the system with you, rather than you having to do so alone.
However, that’s running into the fact that health information custodians can’t legally share patient data with other GNWT divisions, like staff working on education or income support, without consent.
The report flags this as a barrier and says a legislative amendment may be needed.
Other issues the report notes
Private doctors and pharmacists sometimes don’t realize the same privacy laws apply to them, too.
Indigenous data sovereignty isn’t addressed in the legislation. “There is great interest by Indigenous governments and organizations to have access to information of their members,” the report notes, but no Canadian jurisdiction has taken action on that yet.
Artificial intelligence is increasingly used in healthcare but is flagged as a privacy risk. For example, reidentification is an issue: efforts to anonymize data might be undermined if you give AI so much data, from so many sources, that models can piece back together who is who. Cloud computing also presents a problem if security isn’t good enough.
Sometimes, NWT doctors take photos of patients’ problems and text or WhatsApp them to colleagues for advice. “This practice, while potentially beneficial for timely and effective patient care, raises concerns regarding compliance,” the report states.
Related Articles