For­mer em­ploy­ees’ pri­vacy breached in an in­ci­dent

Pri­vacy com­mis­sioner scolds Depart­ment of Trans­porta­tion and Works in Grand Falls-Windsor

The Central Voice - - News - BY SARAH LADIK [email protected]­cen­tralvoice.ca

The prov­ince’s In­for­ma­tion and Pri­vacy Com­mis­sioner is call­ing out the Depart­ment of Trans­porta­tion and Works af­ter an in­ci­dent in Grand Fall­sWind­sor in which the per­sonal in­for­ma­tion of sev­eral peo­ple was found to not be prop­erly se­cured.

“Af­ter an em­ployee in­formed the com­mis­sioner of the breach, the depart­ment sub­se­quently de­clined to fol­low the com­mis­sioner’s rec­om­men­da­tion that it no­tify im­pacted in­di­vid­u­als of the pri­vacy breach,” read the sum­mary of the com­mis­sioner’s re­port, re­leased Nov. 9. “While the depart­ment agreed, af­ter com­mence­ment of this in­ves­ti­ga­tion, to no­tify im­pacted in­di­vid­u­als, its re­sponse gen­er­ally con­sti­tuted a dis­re­gard of its re­spon­si­bil­i­ties pur­suant to the Ac­cess to In­for­ma­tion and Pro­tec­tion of Pri­vacy Act, 2015.”

The is­sue be­gan when the depart­ment de­cided in April 2018 to re-open the Bishop’s Fall de­pot, which had been closed for sev­eral years. Fifty boxes con­tain­ing per­son­nel files, among other things, were found there and trans­ported to the Grand Falls-Windsor de­pot April 19. There, the un­marked boxes – some in “rough con­di­tion” – were put on pal­lets, and shrink-wrapped four days later.

The re­port states that even so, the con­di­tion of the boxes was such that their con­tents could be seen, in­clud­ing things like so­cial in­sur­ance num­bers, a res­ig­na­tion let­ter, and med­i­cal in­for­ma­tion in the form of doc­tors’ notes. Fur­ther­more, the main stock­room where the boxes were stored was open to staff and couri­ers drop­ping off and pick­ing up parts.

Ac­cord­ing to the re­port, a depart­ment em­ployee told a man­ager about the boxes April 23, and then took their con­cerns to the Of­fice of the In­for­ma­tion and Pri­vacy Com­mis­sioner May 4. The com­mis­sioner, Donovan Mol­loy, wrote to the depart­ment ex­ec­u­tive later the same day and, if what the em­ployee said was cor­rect, re­quested the depart­ment se­cure the in­for­ma­tion im­me­di­ately, de­ter­mine what had been vis­i­ble and whether or not to no­tify the peo­ple af­fected, and to file a breach no­tice with the of­fice.

That no­tice was filed May 11. Three days later, the com­mis­sioner rec­om­mended the depart­ment no­tify the peo­ple whose in­for­ma­tion had been af­fected.

“On June 13, 2018, the depart­ment was asked to re­port on its progress in iden­ti­fy­ing and no­ti­fy­ing im­pacted in­di­vid­u­als,” the re­port reads. “On June 26, 2018, the depart­ment replied stat­ing that it would not no­tify any in­di­vid­u­als as only a small num­ber of the boxes con­tained per­sonal in­for­ma­tion, and the per­sonal in­for­ma­tion in those boxes lay un­der blank forms and en­velopes, thus not eas­ily ac­ces­si­ble.”

This, how­ever, con­tra­dicted pho­tos of the boxes pro­vided to the com­mis­sioner, as well as the state­ments of the em­ployee who made the orig­i­nal com­plaint. On June 27, the com­mis­sioner no­ti­fied the depart­ment that he in­tended to un­der­take an in­ves­ti­ga­tion.

A state­ment from the Depart­ment of Trans­porta­tion and Works Nov. 13 ac­knowl­edged that it is “too long to de­ter­mine the right course of ac­tion on this mat­ter.”

“In its own in­ves­ti­ga­tion, the depart­ment found that much of the per­sonal in­for­ma­tion was con­tained in sealed en­velopes or lo­cated at the bot­tom of a few boxes and not eas­ily ac­ces­si­ble,” it read.

The depart­ment, in con­junc­tion with the of­fice of the pri­vacy com­mis­sioner, iden­ti­fied 15 records that con­tained per­sonal in­for­ma­tion of past em­ploy­ees. Due to the age of the records, how­ever, only one of the 15 could be con­tacted.

“Proper record man­age­ment prac­tices have been re­viewed with staff,” the state­ment read. “The depart­ment will pi­lot a pa­per­less sys­tem in 2019 which will pro­vide more se­cu­rity for per­sonal in­for­ma­tion. It is also re­view­ing its pa­per records to de­ter­mine what can be dis­posed of in ac­cor­dance with the Man­age­ment of In­for­ma­tion Act.”

De­spite ac­knowl­edg­ing some of the ef­forts made by the depart­ment ear­lier this year to mod­ern­ize their prac­tices—as well as not­ing the dif­fi­cul­ties faced by re­mote op­er­a­tions and the hes­i­tancy of em­ploy­ees to de­stroy what could be im­por­tant doc­u­ments—the com­mis­sioner did not ab­solve the depart­ment.

“Be­sides ig­nor­ing its le­gal obli­ga­tions, when, as here, an em­ployee rec­og­nizes the need for re­me­dial ac­tion be­cause of a pri­vacy breach, what is the depart­ment com­mu­ni­cat­ing to its em­ploy­ees by fail­ing to re­spond ap­pro­pri­ately?” the re­port asked in its con­clu­sion. “There is sig­nif­i­cant doubt that had the em­ployee not con­tacted this of­fice, the depart­ment would never have no­ti­fied us of this breach.

“Em­ploy­ees should be rec­og­nized and com­mended for rec­og­niz­ing the need to pro­tect per­sonal in­for­ma­tion. Re­ports of breaches by staff should be promptly ac­tioned and com­mended.”

The com­mis­sioner rec­om­mended the Depart­ment of Trans­porta­tion and Works com­ply with pri­vacy leg­is­la­tion, en­sure pro­to­col is fol­lowed in the event of a breach, and fol­low its own re­ten­tion sched­ule in de­stroy­ing doc­u­ments con­tain­ing per­sonal in­for­ma­tion.

Ac­cord­ing to the re­port and leg­is­la­tion, the head of the depart­ment must give writ­ten no­tice of their de­ci­sion on those rec­om­men­da­tions within 10 busi­ness days of get­ting the re­port.

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.