The Office of the Information and Privacy Commissioner (OIPC) released an investigation report that looked into a privacy breach by the City of Calgary under the Freedom of Information and Protection of Privacy Act (FOIP Act).
In June 2016, the City of Calgary voluntarily reported to the OIPC that a breach occurred when an employee, who was “seeking technical assistance from a close contact” on two different job assignments, disclosed spreadsheets containing personal information without authorization. The spreadsheets were emailed to the recipient’s work and personal email addresses and contained information on occupational health and safety incidents the City of Calgary reported to the Workers’ Compensation Board between 2012 and 2016, concerning 3,123 City of Calgary employees.
Upon being notified about the breach by the City of Calgary, seven individuals affected by the breach submitted privacy complaints to the OIPC. The Commissioner opened an investigation to look at whether the City of Calgary contravened the FOIP Act when the employee disclosed personal information, whether reasonable safeguards to protect personal information were in place and, based on the concerns of complainants, reviewed whether the City of Calgary followed the key steps in responding to a privacy breach.
The investigation found, and the City of Calgary acknowledged, that sending the emails and attachments to the “close contact” constituted an unauthorized disclosure under the FOIP Act.
The investigation also found that reasonable safeguards to protect personal information were generally in place. However, a breach response protocol had not been formally established at the time of the incident.
Finally, the investigation determined that the City of Calgary followed the key steps in responding to the breach:
- The City of Calgary’s actions to contain the breach were timely and appropriate in the circumstances. The recipient and the recipient’s employer confirmed all documents were deleted and not disclosed further.
- The City of Calgary made a reasonable assessment of the risks to affected individuals.
- The City of Calgary made a decision to notify, and directly notified affected individuals through registered mail, as well as indirectly through other means (e.g. news release).
- Since the incident occurred, and during this investigation, the City of Calgary took preventative steps to reduce the risk of a reoccurrence. The City of Calgary also indicated that “…the plan is to develop a process for future breaches”.
The investigation’s one recommendation was for the City of Calgary to complete its work to develop and communicate a breach response protocol to all staff.