Former employees’ privacy breached in an incident
Privacy commissioner scolds Department of Transportation and Works in Grand Falls-Windsor
The province’s Information and Privacy Commissioner is calling out the Department of Transportation and Works after an incident in Grand Falls-Windsor in which the personal information of several people was found to not be properly secured.
“After an employee informed the commissioner of the breach, the department subsequently declined to follow the commissioner’s recommendation that it notify impacted individuals of the privacy breach,” read the summary of the commissioner’s report, released Nov. 9. “While the department agreed, after commencement of this investigation, to notify impacted individuals, its response generally constituted a disregard of its responsibilities pursuant to the Access to Information and Protection of Privacy Act, 2015.”
The issue began when the department decided in April 2018 to re-open the Bishop’s Falls depot, which had been closed for several years. Fifty boxes containing personnel files, among other things, were found there and transported to the Grand Falls-Windsor depot April 19. There, the unmarked boxes – some in “rough condition” – were put on pallets, and shrink-wrapped four days later.
The report states that even so, the condition of the boxes was such that their contents could be seen, including things like social insurance numbers, a resignation letter, and medical information in the form of doctors’ notes. Furthermore, the main stockroom where the boxes were stored was open to staff and couriers dropping off and picking up parts.
According to the report, a department employee told a manager about the boxes April 23, and then took their concerns to the Office of the Information and Privacy Commissioner May 4. The commissioner, Donovan Molloy, wrote to the department executive later the same day and requested that, if what the employee said was correct, the department secure the information immediately, determine what had been visible and whether or not to notify the people affected, and file a breach notice with the office.
That notice was filed May 11. Three days later, the commissioner recommended the department notify the people whose information had been affected.
“On June 13, 2018, the department was asked to report on its progress in identifying and notifying impacted individuals,” the report reads. “On June 26, 2018, the department replied stating that it would not notify any individuals as only a small number of the boxes contained personal information, and the personal information in those boxes lay under blank forms and envelopes, thus not easily accessible.”
This, however, contradicted photos of the boxes provided to the commissioner, as well as the statements of the employee who made the original complaint. On June 27, the commissioner notified the department that he intended to undertake an investigation.
A statement from the Department of Transportation and Works Nov. 13 acknowledged that it took “too long to determine the right course of action on this matter.”
“In its own investigation, the department found that much of the personal information was contained in sealed envelopes or located at the bottom of a few boxes and not easily accessible,” it read.
The department, in conjunction with the office of the privacy commissioner, identified 15 records that contained personal information of past employees. Due to the age of the records, however, only one of the 15 could be contacted.
“Proper record management practices have been reviewed with staff,” the statement read. “The department will pilot a paperless system in 2019 which will provide more security for personal information. It is also reviewing its paper records to determine what can be disposed of in accordance with the Management of Information Act.”
Despite acknowledging some of the efforts made by the department earlier this year to modernize their practices—as well as noting the difficulties faced by remote operations and the hesitancy of employees to destroy what could be important documents—the commissioner did not absolve the department.
“Besides ignoring its legal obligations, when, as here, an employee recognizes the need for remedial action because of a privacy breach, what is the department communicating to its employees by failing to respond appropriately?” the report asked in its conclusion. “There is significant doubt that had the employee not contacted this office, the department would never have notified us of this breach.
“Employees should be recognized and commended for recognizing the need to protect personal information. Reports of breaches by staff should be promptly actioned and commended.”
The commissioner recommended the Department of Transportation and Works comply with privacy legislation, ensure protocol is followed in the event of a breach, and follow its own retention schedule in destroying documents containing personal information.
According to the report and legislation, the head of the department must give written notice of their decision on those recommendations within 10 business days of getting the report.