More than 1,000 NWT residents had private information regarding their student loans mistakenly shared in an email from the Department of Education, Culture, and Employment earlier this year.
According to a notice sent on behalf of the deputy minister of the department to those affected, information on the amount of interest they had paid on student loans was “disclosed in error” in a document attached to an email sent to one person on February 23.
The department confirmed to Cabin Radio that 1,159 people had their information shared with one individual, who contacted the Office of the Information and Privacy Commissioner to report the breach. The department said it was first notified of the issue by the privacy office on April 12. The breach was first reported by CKLB.
“ECE takes this breach very seriously and has implemented procedural changes and staff training to ensure a breach of this sort does not occur again,” the department said in a statement, adding it is working with the privacy office on an “ongoing investigation.”
Asral Kamran was among those who had his name, address, and student loan information shared.
He said he learned about the breach on May 5 in a letter that did not indicate how many people were affected. The letter stated the education department had confirmed the email was deleted and had not been shared.
Kamran said when he contacted the department, however, he learned officials weren’t “actually sure yet” if the information was deleted and that an investigation into the breach was ongoing. Kamran said he was also informed that while his credit card and social insurance information were not disclosed in the email, he was advised to “keep an eye” on his financial situation.
“I was mostly irritated when I made the call and I learned it wasn’t dealt with,” he said. “There’s no evidence that they can prove that things have been deleted.”
Kamran said he would like the territorial government to take more accountability and explain what happened. He noted the onus was placed on him to contact the department to learn the extent of the breach and whether he should monitor his finances.
“The fact that it’s so many people and the letter misleads you into a sense of security that everything is OK … it’s just kind-of off-putting to hear that when the reality is, ‘Oh, we don’t know yet.’”
NWT privacy commissioner Andrew Fox said he could not comment on the incident as the investigation is ongoing.
Generally, he said, if personal health information has been breached, the public body responsible is required to notify both the privacy commissioner and those affected. For information breached under the Access to Information and Protection of Privacy Act, however, those obligations don’t yet exist, although Fox said amendments are coming.
Once someone learns their privacy has been breached, Fox said they can request a review from the privacy office, which will decide if an investigation is warranted, adding it’s “not a terribly high threshold.” He said once an investigation is concluded, the privacy office will make recommendations to avoid future breaches.
This is not the first privacy breach reported by the NWT government this year. In April, Protect NWT admitted a staff member had mistakenly made an email distribution list visible to all recipients, disclosing the email addresses and some names of people isolating in Yellowknife between March 31 and April 17.
‘Record-breaking’ number of information, privacy files
The 2019-20 annual report from the Office of the Information and Privacy Commissioner – the final report from commissioner Elaine Keenan Bengts after nearly 24 years in the role – states a “record-breaking” 63 files were opened under the Access to Information and Protection Privacy Act between April 1, 2019 and March 31, 2020. That included 27 privacy breach complaints and five breach notifications from public bodies.
Keenan Bengts said there was “no clear indication” as to why privacy-related files had outnumbered access to information matters for the first time, but suggested it might be due to “the public becoming increasingly aware and protective of their personal privacy.”
The report stated the privacy office “saw a literal explosion of files” opened under the Health Information Act with 86 new files compared to 29 the previous year.
Keenan Bengts highlighted the misdirection of documents by fax and email as a common cause for those privacy breaches along with a “surprising number of incidents” where records with personal health information were sent to the wrong printer.
‘The government does take privacy seriously’
Fox said the privacy office’s latest annual report will likely be published by the end of the month.
“Certainly this office has been quite busy,” he said, noting the office is in the process of hiring another investigator.
Fox said if people have concerns about their privacy they should share those with their MLA or his office.
“I think it’s fair to say that the government does take privacy seriously,” he said, pointing to recent amendments intended to improve NWT privacy legislation.
“But mistakes happen and, as long as the institutions pay attention to those mistakes and seek to avoid them in the future, then I think we can rely on the good faith of the institutions.
“I haven’t seen any evidence that there’s a cavalier attitude or anything toward privacy.”