In two investigation reports released by the Office of the Information and Privacy Commissioner (OIPC), the Alberta Energy and Utilities Board (EUB) and West Energy Ltd. were found to be in breach of the Freedom of Information and Protection of Privacy Act (FOIP) and the Personal Information Protection Act (PIPA) respectively.
The investigations were conducted because personal information, submitted in a well licensing application, was posted on the EUB's public website after the EUB electronically received it from West Energy. The information was about residents in the emergency planning zone of two proposed sour-gas wells and included, among other sensitive data, health information, information about the whereabouts of children and when homes would be vacant.
The Commissioner launched the FOIP investigation on his own motion following media reports in November 2006 about the EUB. The investigation found that the information dealing with emergency planning activities was disclosed by the EUB contrary to FOIP. The investigation also concluded that the EUB did not have reasonable security arrangements to guard against unauthorized disclosure when information is submitted electronically. This report made a number of recommendations for the EUB to consider, including making arrangements to prevent a recurrence.
Since one of the affected residents made a complaint to the OIPC against Calgary-based West Energy for the part it played in this incident, a second investigation under PIPA was conducted. That report concluded that West Energy failed to limit disclosure of residents’ personal information (to the EUB) to the extent necessary and reasonable, contrary to PIPA. West Energy combined the licensing application and emergency planning requirements into a single document and electronically submitted it to the EUB under its application process. Application information is immediately posted by the EUB onto its public website.
The investigator concluded that West Energy ought to have known that licensing applications are made public on the EUB website and should therefore not have included sensitive information intended for the confidential emergency response plan. It was recommended that West Energy review the application requirements with the EUB; develop a privacy policy; and have a specially trained privacy officer review all of its applications prior to submission to the EUB to ensure the personal information disclosed is limited to only that which is required.
Both the EUB and West Energy were found to be jointly accountable for this incident. It was suggested that the EUB improve the guidelines it provides to energy companies in terms of the various submission requirements, and that energy companies work to ensure that personal information is protected during that process. Both the EUB and West Energy agreed to implement the recommendations, took the matter seriously, and were cooperative throughout the process.