Organizations should take note of a recent decision in which the Alberta Office of the Information and Privacy Commissioner (OIPC) recognized that human error does not in and of itself render an organization's security arrangements deficient under the Personal Information Protection Act (PIPA).
In Order P2012-02 Alberta Teachers' Association, it was held that the Alberta Teachers' Association (ATA) had not contravened PIPA's duty to protect personal information despite accidentally mailing personal information to the wrong recipient. The Adjudicator held that the privacy breach resulted from an excusable human error and not from any deficiency in the ATA's security arrangements for protecting personal information.
The Teacher Qualification Service (TQS) assesses teachers' educational experience on behalf of the ATA to help determine a teacher's wage. On April 17, 2008, the Complainant requested a reassessment of her educational experience. TQS completed the assessment and mistakenly sent the results (which were not favourable) to another teacher. When it discovered that the assessment letter had been sent to the wrong teacher, TQS requested that the letter be returned. The letter had been opened; it was returned to TQS, which forwarded it to the correct recipient. The Complainant became aware of TQS' error and, in late January 2009, submitted a complaint to the OIPC, which led to an inquiry into the incident and the ATA's privacy practices.
The misdirected mail consisted of a cover letter, a Statement of Qualifications and a TQS Evaluation Summary and included the Complainant's full name, profession, educational institutions attended, the years that she attended them, the degrees and certificates conferred and their dates, and some details of the programs pursued. The cover letter revealed that the Complainant requested a reassessment of her educational experience and indicated the outcome of the reassessment, as compared to the previous assessment. Together, the three items indicate how TQS viewed the Complainant's educational qualifications for the purpose of teaching.
Reasonable Security Arrangements
The Adjudicator focused on sections 34 and 2 of PIPA. Section 34 creates a duty for an organization to protect personal information in its custody or under its control. An organization must make reasonable security arrangements to prevent risks to personal information including risks of unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. Section 2 of PIPA defines the reasonableness standard to be applied as "what a reasonable person would consider appropriate in the circumstances". The Adjudicator stated that, to be in compliance with s. 34, an organization is required to guard against reasonably foreseeable risks and implement deliberate, prudent and functional measures that demonstrate that it considered and mitigated such risks.
The ATA admitted to improperly disclosing personal information, but argued that this was due to an isolated clerical error. It argued that the organization took the privacy of teacher information very seriously and had reasonable security arrangements in place to prevent breaches by having staff verify that envelope addresses matched the letters inserted in the envelopes, which were then double-checked by a supervisor before the letters were sent out. The Adjudicator agreed that this procedure constituted a "reasonable security arrangement".
Two other factors the Adjudicator considered were the sensitivity of the information and the frequency of privacy breaches by TQS. It was held that a reassessment of a teacher's educational experience, which identifies the teacher's educational and employment history, is low-sensitivity information that would not be sufficient to enable identity theft. It was also held that the information was not of a nature that would cause serious harm or humiliation to the Complainant's reputation. Noting that TQS handles thousands of mailings to teachers and that this was one of very few mistakes the organization had made in recent years, the Adjudicator held that, given the low sensitivity of the information and the low frequency of breaches, TQS and the ATA had not failed to make reasonable security arrangements under PIPA.
In assessing the harm caused by the ATA's privacy breach, the Adjudicator also considered who the unintended recipient was: another teacher with no personal connection to the Complainant. Because that person was subject to the profession's code of conduct and did not know the Complainant, she had little motivation or opportunity to harm the Complainant's reputation.
This decision indicates that Adjudicators will assess breaches of privacy using a number of factors particular to the breach, not the least being the actual harm caused to the person whose personal private information was disclosed. Moreover, the level of protection of personal information required for each organization will be different and will be based on the sensitivity of information each organization possesses, along with its previous record for privacy breaches.
Organizations should ensure that their security arrangements for privacy protection are matched to the sensitivity of the information they possess. The OIPC will assess such arrangements on an objective basis, asking what a reasonable person would consider sufficient security for the protection of that information. When breaches of privacy do occur, the OIPC will determine liability based upon the arrangements in place, the sensitivity of the information, and the amount of actual or potential harm that arises.
The OIPC has previously recognized that the requirement of reasonableness does not mean that security arrangements must be perfect or flawless. This decision takes a similar approach: the Adjudicator did not evaluate the ATA's actions against a standard of perfection with the benefit of 20/20 hindsight, recognizing that human error will occur even when strong security arrangements are in place.