In December 2022, the Office of the Saskatchewan Information and Privacy Commissioner (IPC) released an Investigation Report following its investigation into an incident in which the blind carbon copy (BCC) function was not used when emailing ratepayers, so that every recipient could see the other recipients' personal email addresses.
Last year, we discussed a near-identical circumstance and the associated Investigation Report in To BCC or Not to BCC? That Is the Question. This recent Investigation Report is a further reminder for public bodies to ensure that they are meeting their obligations under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).
Over 200 Email Addresses Leaked
In February 2022, the hamlet chairperson sent an email to over 200 email addresses. Because the BCC function was not used, all recipients could view every address. Shortly afterwards, the hamlet chairperson sent a short note apologizing for the error and asking recipients to delete the addresses. A complaint was then filed with the IPC. The complainant indicated that this was not the first time this had happened and that assurances had previously been given that it would not happen again.
The IPC has previously stated that following a breach a public body must take steps to contain the breach, notify affected individuals, investigate the breach and prevent future breaches.
In this case, the IPC found that although the hamlet conducted an adequate investigation and took appropriate steps to prevent future breaches, its containment and notification processes were inadequate.
In particular, the IPC made the following findings:
- Containment: By sending an initial email five minutes after the breach, the hamlet chairperson acted in a timely manner. However, the hamlet did not confirm whether it had followed the IPC's earlier recommendations to attempt to recall the email and to ask recipients to confirm that they had deleted it.
- Notification: The hamlet chairperson acted appropriately by notifying the recipients and the rural municipality's (RM's) Chief Administrative Officer on the day of the breach. However, because the notification did not contain sufficient information about the breach, and because the hamlet did not proactively report the breach to the IPC, adequate notification was not provided.
- Investigation: The internal response to the breach demonstrated that the root cause of the breach had been determined and consequently an adequate investigation was conducted.
- Steps to Prevent Future Breaches: In the previous Investigation Report, the IPC had concluded that the hamlet did not have appropriate safeguards in place. For this breach, however, the IPC found that the hamlet's plan to have two people present when future mass emails are sent, and its move to an alternate email platform on which BCC is the default, were appropriate steps to prevent future breaches. In doing so, the IPC re-emphasized its previous recommendations.
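The remedy the IPC accepted, making BCC the default rather than relying on the sender to remember it, is a technical control as much as a procedural one. The following Python is an added illustration, not part of the Investigation Report or of this article, of what that control looks like in code: a builder that places every ratepayer in Bcc and leaves only the sender's own address visible, a pre-send guard that refuses a mailing with more than one visible address, and the stripping of the Bcc header that the standard library's smtplib.SMTP.send_message performs before transmission. The addresses, the subject line and the one-visible-recipient threshold are constructed assumptions.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy value, not taken from the report: a mass mailing may
# expose at most this many addresses in To/Cc (the sender's own address).
MAX_VISIBLE_RECIPIENTS = 1


def _addresses(headers) -> list[str]:
    """Flatten one or more address headers into bare addresses."""
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will be able to see: everything in To and Cc."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """Addresses the mail server actually delivers to: To, Cc and Bcc."""
    return _addresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    )


def check_before_send(msg: EmailMessage) -> list[str]:
    """Pre-send guard. Returns a list of problems; an empty list means OK to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(visible)} addresses are visible in To/Cc; move them to Bcc"
        )
    if not envelope_recipients(msg):
        problems.append("message has no recipients")
    return problems


def build_bulk_message(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """Build a mass mailing with BCC as the default: the only visible
    recipient is the sender; every real recipient goes in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def wire_bytes(msg: EmailMessage) -> bytes:
    """The bytes that leave the sending system. smtplib.SMTP.send_message does
    the same: it collects envelope recipients from To/Cc/Bcc, then deletes the
    Bcc header from a copy before transmitting, so Bcc addresses never appear
    in any recipient's mailbox. The original message is left untouched."""
    msg_copy = copy.copy(msg)
    del msg_copy["Bcc"]
    return msg_copy.as_bytes()


# Constructed sample data, not from the incident.
SENDER = "hamlet-office@example.org"
RATEPAYERS = [f"ratepayer{i}@example.net" for i in range(1, 6)]


def leaky_message() -> EmailMessage:
    """The mistake the report describes: every address placed in To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(RATEPAYERS)
    msg["Subject"] = "Notice to ratepayers"
    msg.set_content("Please see the attached notice.")
    return msg


if __name__ == "__main__":
    bad = leaky_message()
    print("leaky message problems:", check_before_send(bad))
    good = build_bulk_message(SENDER, RATEPAYERS, "Notice to ratepayers",
                              "Please see the attached notice.")
    print("safe message problems:", check_before_send(good))
    print("envelope recipients:", envelope_recipients(good))
    print("Bcc header transmitted?", b"Bcc:" in wire_bytes(good))
```

Wiring check_before_send into whatever sends mail on the hamlet's behalf turns "remember to use BCC" into a rule the software enforces, which is the substance of the IPC's accepted remedy. The two-person rule covers the cases such a guard cannot, such as an attachment that itself contains the address list.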
Are You Meeting Your Privacy Law Obligations?
This Investigation Report emphasizes the need for public bodies to ensure that appropriate safeguards are in place to protect personal information. The steps that public bodies can take to ensure appropriate safeguards are in place include:
- implementing a policy for responding to privacy breaches, as well as policies governing the collection, use, disclosure and safeguarding of personal information
- having confidentiality agreements in place internally
- having staff, council, and board members complete access and privacy training at least once annually
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.