‘Infobreach’ website alleges GNWT privacy negligence

An anonymously authored website alleges the territorial government acted negligently in allowing an employee access to confidential staff information long after they left the GNWT.

The site, infobreach.ca, appears to be authored by the same employee – who does not give their name but claims to have been formerly employed as a lawyer with the territorial government.

The site’s author claims they were able to access records generated by human resources management software PeopleSoft – and were sent auto-generated emails from PeopleSoft containing confidential information – for many months after leaving the GNWT in March 2014.

The same website had earlier published examples of that confidential staff data. Those examples were removed after the territorial government took legal action, claiming the data was being shared without the affected employees’ consent.

A new version of the website, no longer containing confidential information but accusing the territorial government of negligence, was made public last week.

The former employee – earlier identified by the CBC as Donn McDougall – writes: “The GNWT would like you to believe that their breach of their obligations [regarding the privacy and security of employee data] is actually my breach.”

Defending their initial decision to publish confidential information online, the author adds: “Posting redacted material wouldn’t have gotten anyone’s attention, and I also wanted to ensure that the GNWT couldn’t claim plausible deniability or make some claim that the documents and breach were a hoax.

“Honestly, and please believe me here, the information was four years old and virtually worthless, but verifiable.

“For the GNWT, that was information that was meant to be confidential in their hands, but once they gave someone else access to the information … well, that confidentiality is lost.”

Claiming they had contacted the territorial government in a timely fashion once they began receiving confidential information in error, the author writes: “I told the GNWT to fix a problem. Instead they diverted emails instead of actually fixing the problem.

“It’s my opinion that that’s when the GNWT crossed over from inadvertence into negligence.”

The website, which claims the territorial government has no obligation to report such privacy breaches, calls for mandatory reporting of breaches to be added to the NWT’s legislation.

‘An odd situation’

Responding to the website’s contents, Martin Goldney – deputy minister of the Department of Justice – told Cabin Radio by email: “The department recognizes that this is an odd situation, where an individual who received and accessed the personal information of former coworkers in 2014, is complaining of the very breach he has perpetuated with the creation a website in December 2018.

“The department has taken all necessary steps to stop the unauthorized disclosure of personal information, including legal action after the individual refused a request from the Department of Justice, following the recommendation of the NWT Information and Privacy Commissioner to seek the destruction or return of the information.”

Goldney disputed the website’s suggestion that affected staff were not properly informed by the territorial government that their data had been sent to the former employee.

Goldney said his department will be applying for a permanent injunction to prevent the website sharing confidential information, and claimed the process of taking such legal action meant he could not answer questions related to the website’s accusation of territorial government negligence and the alleged facts set out by the website’s author.

However, Goldney did address the website’s call for mandatory breach reporting to become law in the NWT.

“The website appears to suggest that the question of mandatory breach reporting is new and has not been identified to the public, which is not the case,” Goldney wrote.

He said a public review of privacy legislation in 2016 identified that “privacy breach reporting was required,” but suggested such reporting could either be handled through legislation or as a matter of government policy.

Goldney said defining the GNWT’s approach to privacy breaches in policy, not legislation, could offer “flexibility … to address different situations.”

Breaches are currently handled by the Office of the Chief Information Officer, Goldney said, adding the Department of Justice is working to strengthen its own privacy program – which includes a privacy protection policy, guidelines, training, and “a series of privacy-related tools and resources which will include an updated privacy breach reporting protocol.”

PeopleSoft defence

This is not the first time this specific privacy breach has been examined in public.

Last year, Elaine Keenan Bengts – the territory’s privacy commissioner – published a report looking into this exact matter, noting the original breach appears to hinge on GNWT workers’ inability to effectively use the PeopleSoft software.

The employee suggested to the privacy commissioner they would never have remained able to access confidential data after leaving the GNWT, nor received the auto-generated emails, had their status within PeopleSoft been correctly updated.

In its defence, the Department of Justice told the privacy commissioner part of the reason for the breach was a limitation of PeopleSoft which required “a manual override.”

McDougall subsequently wrote an analysis of the privacy commissioner’s report for the website CanLII Connects – which is billed as a place to “access high-quality legal commentary on Canadian court decisions.”

In his analysis, McDougall writes as though he is unaware of the complainant’s identity, despite the CBC later naming McDougall himself as the complainant.

Writing on CanLII Connects, McDougall summed up the territorial government’s response to the privacy commissioner as “the ‘PeopleSoft is hard’ defence.”

He wrote, in part: “Incredibly, this is not the first time that the Government of the Northwest Territories has used the ‘PeopleSoft is hard’ defence.”

McDougall cited a case involving the GNWT from 2016 in which an arbitrator had stated: “Arguments based on administrative difficulties or the design of PeopleSoft are …. not persuasive.”