GlaxoSmithKline Inc., ViiV Healthcare ULC, ID Biomedical Corporation of Quebec, and GlaxoSmithKline Consumer Healthcare Inc.
In May and November 2016, an Excel spreadsheet was distributed via email for the purpose of ?conducting performance rating calibration meetings with people managers?. A hidden tab/sheet was inadvertently included in the spreadsheet. As a result, the recipients of the emails inadvertently received the personal information of employees for whom they were not the intended recipients. The incident was discovered when two recipients of the email discovered the hidden tab/sheet and logged incident reports on November 17, 2016 (see OIPC breach notification decision P2019-ND-042). As a result of the Organizations? investigation of this incident, it was discovered that spreadsheets containing the information at issue were sent in 2014 and 2015. The 2014 spreadsheet was distributed to approximately 20 recipients, and the 2015 spreadsheet was distributed to approximately 40 recipients. The Organizations have an email retention policy whereby emails not saved separately on a shared drive or on an employee’s desktop are automatically deleted after one year, so the exact date of the 2014 and 2015 incidents cannot be ascertained. The 2014 and 2015 incidents were discovered by the Organizations on November 18, 2016 as a result of the investigation of the 2016 incident.