Tories seek probe into possible WE breach
Online platform may have stored data of applicants for student grant program outside Canada
OTTAWA — Conservatives are asking the privacy commissioner to investigate if the online platform used by WE Charity to process applications to the Canada Student Grant Program violated federal privacy laws by potentially storing their data abroad.
“When Canadians sign up for taxpayer-funded programs, there is a reasonable assumption that their data is kept within Canada and will be protected under Canadian privacy law,” Conservative MPs Michelle Rempel Garner and Michael Barrett wrote in a letter to commissioner Daniel Therrien’s office Wednesday.
At issue for the Conservatives is the website IWantToHelp.org, set up by WE Charity to receive applications to the Canada Student Service Grant (CSSG).
According to a Toronto Sun report last week, U.S.-based company JazzHR operated the application portal for the program, which promised to pay eligible students between $1,000 and $5,000 for volunteer work done until the end of October.
Before it pulled out of its controversial deal to run the CSSG with the Trudeau government in early July, WE says more than 35,000 Canadian students had signed up to the program.
To apply for the CSSG, students had to provide their full name, email address, phone number, address, date of birth, Canadian citizenship status, school status and language of preference.
According to the Toronto Sun report, the application website’s terms of reference warned that the data submitted through the portal could both be sent to a third-party organization and be stored in servers outside of Canada, such as in the U.S. or the U.K.
“When this occurs, your information becomes subject to the laws of those jurisdictions,” the website read, according to the report.
For the Conservatives, that is in direct contradiction with the government’s current IT strategic plan, which asks all federal departments and agencies to adopt the policy of storing sensitive or protected government data on servers in Canada.
“The WE organization has yet to clarify if the data collected under the guise of the CSSG was kept on servers located in Canada or in other jurisdictions,” Rempell Garner and Barrett’s letter reads. “It is also concerning that information collected for the taxpayer-funded CSSG may have been sent to third-party organizations.”
The party also suspects the IWantToHelp.org portal creates a potential privacy breach, which it wants commissioner Therrien to investigate. His office said it had received the request and was “carefully” assessing the situation and potential next steps.
In a statement, WE contested the Conservatives’ interpretation of privacy laws, arguing that “Canadian law does not prohibit data storage outside Canada.”
“WE maintains high standards of privacy protection and safeguarding of personal information. WE complied fully with the privacy requirements of the funding agreement,” reads the statement. “Further, WE was and remains in full compliance with the requirements of applicable privacy legislation regarding storage of personal information outside of Canada.”
Responding to questions about its commitment to reimburse every penny of the $30 million already paid by the Trudeau government for it to administer the CSSG, WE told the National Post that it had already sent back $22 million. Any taxpayer moneys left in their accounts are waiting for government approval to be sent over, the Toronto-based organization added.
“WE Charity is in the process of returning all of the funds . ... ,” it said in a separate statement on Wednesday.