WINNIPEG – Manitoba’s Vital Statistics Agency needs to do more to manage the security, privacy and integrity of the vital events information it holds, says Auditor General Tyson Shtykalo. The findings are contained in the report, Vital Statistics Agency, released today.
“The Vital Statistics Agency holds a significant amount of personal and sensitive information about Manitobans that must be properly protected and used effectively and efficiently,” Shtykalo said. “Failing to do so increases the risk that vital statistics information could be compromised, or is not complete and accurate.”
The Vital Statistics Agency (the Agency) holds nearly four million records of vital events going back as far as 1882. Vital events include registrations of births, deaths, adoptions, name changes, and changes of sex designation.
Security and privacy risks
The audit found information security controls need to be improved. The Auditor General noted, for example, that the Agency did not regularly review staff access rights to its registry software. “If this isn’t done, there’s a greater risk that invalid or fictitious information is entered into the registry, resulting in incorrect or false certificates being issued,” Shtykalo said.
The report noted the Agency did not always use secure mail for delivering certificates and registration forms. “As a result, vital events certificates and registration information may be lost or delivered to the wrong person, which could lead to privacy breaches, identity theft or fraud,” Shtykalo said.
The audit also found weak physical security controls within the Agency’s office — including inadequate separation between work and public areas.
Integrity of vital events information
The Auditor General found several issues with event registrars. Registrars include staff designated by hospitals and funeral homes to certify births and deaths, and forward vital events information to the Agency for processing.
The audit notes:
- The Agency did not maintain a complete list of event registrars, or validate their identity.
- The Agency did not train event registrars on how to prepare, forward or maintain the privacy and security of vital events information.
“These issues create a greater risk that mistakes will be made registering vital events information, and increase the chance of delays and privacy breaches,” Shtykalo said.
The report contains 19 recommendations. Sensitive security findings were presented to management separately. To view the public report, please visit http://www.oag.mb.ca/reports.
ABOUT THE AUDITOR GENERAL OF MANITOBA
The Auditor General is an officer of the Legislative Assembly mandated to provide independent assurance and advice to Members of the Legislative Assembly. Through its audits, the Office of the Auditor General seeks to identify opportunities to strengthen government operations and enhance performance management and reporting. For more information visit http://www.oag.mb.ca/.
For more information contact:
Frank Landry, Communications Manager