The Commissioner received a complaint about the activities of the Alberta Regional Council of Carpenters (“RCC”) in May of 2005. The RCC is a chartered council of the United Brotherhood of Carpenters and Joiners of America (an international union representing carpenters and allied trades). The RCC is the central governing and policy-making body for all locals in Alberta and the Northwest Territories.
The Complainant was concerned that:
- The RCC failed to assist him when he sought information about an international membership data base
- The RCC did not have adequate safeguards in place to protect electronic membership information, and
- The RCC retained membership information beyond what was necessary for its business purposes.
The Complainant requested information about the security of union members’ personal information stored in the Union’s membership database (located in the U.S. and operated by the international union). His verbal request was denied and he was referred to the international union for answers to his inquiries.
During this investigation, an incident occurred involving a breach of privacy and security by a union dispatcher. After reviewing the organization’s policies and procedures, both international and local, the investigator found that (notwithstanding this breach of personal information) the RCC had reasonable administrative and technical safeguards in place to protect personal information. The extent and method of the breach of privacy and security was not foreseeable.
The investigator recommended improvements to the RCC’s process for responding to privacy and access requests, and required the RCC to limit retention of membership information in the database. She recommended that the RCC retain only a core amount of data to support its legal and business requirements.
The RCC accepted all the investigator’s recommendations and the complainant was satisfied with the report and the resolution of his complaint.
Throughout the investigation, the organization cooperated fully with the investigator and took steps to review and enhance their policies and procedures and refresh the communication of the policies with all employees.