NWT email errors led to ‘significant’ privacy breaches
The NWT’s longstanding practice of faxing sensitive records keeps resulting in privacy breaches, but email is proving to be not much better – particularly during the pandemic.
In his latest annual report, information and privacy commissioner Andrew Fox said his office received notice of several “significant breaches of privacy” involving the Covid-19 Secretariat’s use of email.
“It is apparent that privacy breaches are too frequently caused by staff who are under-resourced, or untrained in, or unaware of the policies and procedures governing privacy protection,” Fox wrote.
“Privacy protection is not an option or ‘add-on’ to a public body’s main purposes and responsibilities: it is fundamental.”
A spokesperson for the Covid-19 Secretariat told Cabin Radio there have been 39 privacy breaches attributed to the secretariat since it was established in September 2020.
In April 2021, a Protect NWT employee emailed everyone isolating in Yellowknife between March 31 and April 17 without blind-copying their names and addresses.
While the Covid-19 Secretariat said at the time steps had been taken to prevent another breach, a similar incident occurred in June. In that case, a Protect NWT worker sent an email that inadvertently disclosed the email addresses and some names of 259 people isolating across the NWT.
A spokesperson for the secretariat told Cabin Radio all staff are trained in protecting the privacy of health information and the importance of privacy is discussed in “daily huddles” and written updates to staff.
The secretariat said it has a new software system to automate email delivery – to prevent human error – and a new protocol to regularly delete the email cache and remove the auto-fill function.
Other territorial departments have reported privacy breaches involving staff error when sending sensitive information by email.
In February, the Department of Education, Culture, and Employment sent an email to one person that accidentally disclosed the private information of 1,159 people related to student loans. According to a notice from the department, a document attached to that email included people’s names, addresses, and the amount of loan interest they had paid.
Remote work challenges
There were more incidents as people began working from home during the pandemic’s opening months. Fox’s report, published late last year, spans the period between April 2020 and March 2021.
In May 2020, an employee at the territory’s health and social services authority accidentally attached a partially completed foster parent application, which contained personal information, in an email to two other potential foster parents.
The employee, working from home, said they had tried to access a government website where blank forms are stored – as is the authority’s policy – but was unable to do so. Instead, they used a version of the form shared to their computer desktop without first ensuring it was blank.
The health authority said the incident occurred early in the territory’s pandemic response, before all NWT government employees were properly equipped to work from home. The authority said it had little time to prepare when the work-from-home order was issued.
The authority said it acted quickly to ensure the email recipients deleted the partially completed form and did not share it further. Remote computer access to the shared document website was improved.
While Fox was satisfied with that response, he said the case highlighted the need for government bodies to address privacy and security concerns when employees are working remotely.
Fox pointed to a privacy breach in 2018 where a government employee working in Ottawa had downloaded a “significant amount” of personal health information to an unsecured laptop, which was then stolen. The case, which he called “one of the largest breaches in recent Northwest Territories history,” affected more than 30,000 NWT residents.
“Not only must the government provide the means to access government servers in a safe and secure way, it must also provide employees with the necessary policies, guidelines, and training to ensure they are handling personal information properly and in a way that will not lead to unauthorized collection, use, or disclosure,” he wrote.
Other email errors shared the private information of territorial employees internally.
In July 2020, a Department of Infrastructure employee had their privacy breached when documents regarding their sick leave were emailed to another staff member to print, left in plain view for several days, and delivered in an unsecure manner.
The staff member complained to the information and privacy commissioner after their supervisor dropped off unsealed documents containing their private information with a co-worker, and they saw their prognosis letter left out in an area of the office that was open to the public.
The department said the document was left on top of a filing cabinet for four days because the supervisor reprinted it by mistake and placed it there intending to shred it, but forgot to do so.
While the office was closed to the public at the time due to Covid-19, Fox said there was still a risk that the information could have been disclosed and the department did not meet its obligation to protect privacy.
The employee’s co-worker also admitted the supervisor had emailed them the letter to print because the supervisor was having difficulty doing so. The supervisor said they believed the complainant had told their co-worker about their medical condition.
The supervisor did not give a clear answer as to why the co-worker was with them when they dropped off the confidential documents, or why the documents were not put in an envelope.
As a result of the complaint, the department directed the supervisor to take basic privacy training. Fox recommended that all supervisors, managers, and senior staff be required to complete such training when hired and to repeat it at least once every two years.
Despite numerous privacy breaches, Fox stated in his report he is “optimistic” and his office has seen “real improvement” in public bodies’ awareness of privacy issues.
“Having effective privacy protection policies and procedures in place is essential, and it is evident that public bodies are making efforts to ensure these are in place when deficiencies or issues are identified by this office,” he wrote.