The NWT’s privacy commissioner says the Tłı̨chǫ Community Services Agency should consider referring an “egregious” policy breach to territorial authorities for prosecution.
According to a recent report by commissioner Andrew Fox, a former employee of the Tłı̨chǫ Community Services Agency, or TCSA, forwarded 654 emails from his work email to his personal email account over a 22-month period.
Several of those emails contained private personal or health information. Fox said the employee did not have the authority to share any of the emails outside the TCSA.
“This is one of the more egregious privacy breaches my office has reviewed,” he wrote.
“The duration and repetition of disclosing work-related email to his own personal email demonstrates a fundamental disregard for the privacy protections TCSA had in place.”
Advertisement.
Advertisement.
Fox said while he is not aware of any previous case of a public body referring a privacy breach for prosecution in the NWT, he recommended that the TCSA provide the territorial prosecutor with evidence it collected during its investigation of this breach.
The report does not state the name of the former employee nor the role he held with the TCSA, other than that he worked in a unit that provides healthcare services to people in their homes.
According to Fox’s report, the breach was discovered after two TCSA employees found that a text message containing a photo of a client had been sent from a shared work phone to a number they did not recognize in October 2025.
The employees reported the matter to their manager, who learned the phone number belonged to another employee. Wondering if that employee had sent other messages to his personal account, management requested an audit of the employee’s work email.
Advertisement.
Advertisement.
The audit found that between January 18, 2024 and November 26, 2025, the employee had forwarded 654 work emails to his personal account.
Fox said 24 of those emails contained the personal health information of at least 12 TCSA clients, including information about their healthcare history and the health services provided to them.
Further emails included the personal information of current and past TCSA staff, including names, personal opinions and information about clients. Some emails contained “other types of confidential information that TCSA employees were expected to safeguard.”
‘An ongoing risk’
Fox said the employee did not disclose his actions to his employer and later refused to cooperate with TCSA’s investigation into the privacy breach.
The report states the employee initially told the TCSA he had forwarded the emails to “defend” himself and that he intended to use some of the emails in a complaint against his supervisor. The employee later suggested some of the emails had been requested by his regulatory body, but did not provide evidence to back up that claim.
“None of the explanations excuse or justify the unauthorized use and disclosure of the personal information in the emails,” Fox concluded.
“The explanations offered to TCSA are illogical and appear to be attempts to subvert attention or confuse the issue. In my view, this lack of candour during the investigation suggests a possible intention to misuse these emails.”
At some point, the employee stopped responding to the TCSA’s questions about the breach.
Advertisement.
Advertisement.
He went on leave on December 4, 2025 and resigned on December 22.
“It remains unclear whether the former employee still has the emails, or whether he has disclosed them to his regulatory body or to other people,” Fox said. “This presents an ongoing risk.”
An intentional and repeated breach
Fox said the employee had repeatedly and intentionally breached both the Health Information Act and the Access to Information and Protection of Privacy Act.
He said the employee was aware of his obligations to protect clients’ privacy. Some of the emails he shared even contained references to the employee being directed not to forward emails to his personal account.
“Ironically, in some of the subject emails the employee expressed concern about possible privacy breaches,” Fox wrote.
“During the period when he was forwarding himself these emails, this employee repeatedly contacted my office claiming to be concerned about privacy breaches.”
Fox said the employee had committed a privacy breach before.
Fox concluded the TCSA had reasonable security measures in place, including policies on the appropriate use of email and electronic information, a privacy breach policy, required annual privacy training, a clear reporting structure, and promises to protect confidentiality in employment agreements.
Advertisement.
Advertisement.
“Unfortunately, those arrangements were thwarted by deliberate employee misconduct,” Fox said.
“An employee who breaches his employer’s trust and deliberately misuses personal information presents a significant security risk to TCSA.”
Aside from providing evidence to the territorial prosecutor, Fox recommended that the TCSA assess the risk of harm to each person whose information was shared and notify those it assesses to be “at a real risk of significant harm.”
Cabin Radio has requested comment from the Tłı̨chǫ Community Services Agency and NWT Department of Justice.
