(1) The Ministry shall —
(a) take appropriate security and organizational measures for the prevention of unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of the health information; and
(b) ensure that the measures provide a level of security appropriate to —
(i) the special risks that exist in the processing of the health information, and
(ii) the nature of the health information being processed.
(2) The Ministry shall take all reasonable steps to ensure that any person employed by the Ministry is aware of and complies with the security measures under subsection (1).