The Office of the Information and Privacy Commissioner, after receiving written confirmation on acceptance of its recommendations from the Personnel Administration Office (PAO) and Solicitor General, today released its report into the disclosure of civil servants’ credit information.
On November 10, 2004, the Commissioner was notified that the Edmonton Police Service had recovered documents containing credit information of a number of civil servants. The documents related to the credit screening conducted by TransUnion of Canada Inc. under the Alberta Government Security Screening Directive. Subsequently, the Commissioner received two written complaints from affected civil servants. The Commissioner authorized an investigation pursuant to the Freedom of Information and Protection of Privacy Act (“the FOIP Act”).
The investigation concludes:
- The documents recovered by the Edmonton Police Service likely originated from the TransUnion office. There is no evidence that the breach came from a provincial government office
- Alberta PAO and Solicitor General did not fulfill their obligations to protect personal information as required by the FOIP Act in the contract with TransUnion. The contract did not include protection of privacy provisions, as is the policy of the Government of Alberta
- PAO and Solicitor General did not review the security arrangements at TransUnion to ensure that personal information was protected against such risks as unauthorized access, collection, use, disclosure or destruction
The investigation also found that:
- Personal information was collected in contravention of the FOIP Act when some ministries used the TransUnion Form and the CSIS form instead of the Alberta Government forms for the security screening process.
- The collection of TransUnion credit reports from employees and the identification information for the criminal record check are not authorized under section 33(c) of the FOIP Act.