An investigation report issued today by the Office of the Information and Privacy Commissioner (OIPC) found that Executive Council used and disclosed personal information in contravention of the Freedom of Information and Protection of Privacy Act (FOIP Act).
The investigation of Service Alberta and Executive Council was launched on the Commissioner’s own motion following a leak to the media in August 2014 of documents showing cellphone and data charges for four former Executive Council officials, including former Deputy Premier Thomas Lukaszuk.
The objectives of the investigation were to determine whether the public bodies:
- Used or disclosed personal information in contravention of the FOIP Act
- Implemented reasonable safeguards to protect the personal information at issue
Determining who might have leaked the information was outside the scope of the investigation. None of the affected individuals asked the Commissioner to review the matter. Had they done so, it would have afforded them additional rights under the FOIP Act, such as the ability to request an inquiry, which is a formal adjudicative process to determine all issues of fact of law.
The investigation found that, on a balance of probabilities, the documents were disclosed by Executive Council. Because the personal information was disclosed in an uncontrolled manner, without due consideration of all the circumstances (including the four affected individuals’ privacy interests), the disclosure was a contravention of the FOIP Act (paras. 26-30).
Executive Council was also found to have used personal information in contravention of the FOIP Act. In late 2012 and early 2013, the billing information was circulated within Executive Council as officials attempted to reduce the charges. The investigation determined this use of the information supported an understandable business purpose (paras. 32-37). However, the information was circulated again in March 2014 – two years after the cellphone charges were incurred. No one in Executive Council explained the purpose for this use of personal information and there was no evidence to support an authorized business purpose, which resulted in this second use being a contravention of the FOIP Act.
The investigation found that there were reasonable administrative, technical and physical safeguards to protect the information, given its relatively low sensitivity (public officials’ names, business phone numbers, data usage and related cellphone carrier charges). While the investigation recognized it would be unreasonable to expect public bodies to have extraordinary measures in place to protect this kind of information, the report noted that the government may store other more sensitive information in the same systems and recommended that Service Alberta and Executive Council review their security arrangements to prevent future leaks.
“The FOIP Act provides an outlet for the controlled release of information about the operations of public bodies. While it is arguable that the release of information about cellphone charges may have been in the public interest, it was leaked in an uncontrolled manner – nobody’s privacy interests were considered,” said Commissioner Jill Clayton. “Government needs to carefully consider its security arrangements for paper records and electronic systems to reduce the risk of another leak of what could possibly be more sensitive information.”