The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Friday, June 22, 2007
I got a call yesterday from Lindsay Jones of the Halifax Daily News (Canada's top journalist) to discuss an interesting situation that has popped up here in Nova Scotia. It appears that an e-mail was sent out to hundreds of defaulted student loan recipients to advise that their case officer was changing. Whoever hit the send button didn't notice that everyone was on the "TO:" line, so each recipient also got a list of all the other defaulted debtors. Not good form.
Of course, the e-mail was forwarded to the Halifax Daily News and the rest is history... (I understand that a journalist from another publication was on the list.)
I've been saying for years that security and safeguards are probably the most important principles in any privacy plan. You won't be on the front page of the newspaper for having a confusing privacy policy or for using opt-out consent instead of opt-in. But if you have a security breach like this, the odds are that you're in for a rough ride.
(Also interesting: part of the response is a hotline for personal apologies.)
Here's Lindsay's article:
Halifax, The Daily News: News
Names of student-loan defaulters sent in mass e-mail
Last updated at 7:32 AM on 22/06/07
LINDSAY JONES
The Daily News
An embarrassing breach of personal privacy has led to policy changes at the provincial government department that deals with student loans.
Full names, and in many cases workplaces, were inadvertently disclosed in a mass e-mail sent by a Service Nova Scotia and Municipal Relations collection officer.
The subject line of the June 8 e-mail said "Defaulted Nova Scotia government guaranteed student loans - new contact name."
The e-mail was to inform the employee's clients that she had been reassigned.
Ian Daye, whose name appeared on the list, is annoyed at the lack of discretion.
"It's just: 'You have student loan problems. And here's a list so you can see who else has student loan problems.' This really isn't right, as far as I'm concerned," said the 33-year-old, who works for Research In Motion.
"It's something that should've been done in confidence," Daye added. "It's not really very professional of her to put everyone's addresses out there."
Some of the e-mail addresses on the list belonged to people who work in government offices, banks and local businesses.
Canada's top privacy lawyer said the e-mail is a "highly embarrassing" violation of the freedom of information and protection of privacy (FOIPOP) act.
"People's financial information is some of the most sensitive information out there," David Fraser of Halifax said.
"It really needs to be protected with measured safeguards that are appropriate to the sensitivity of the information."
Fraser said people have the right to complain to the provincial FOIPOP office, though there's no legislation for redress.
"The bigger thing is likely the embarrassment for those individuals whose information was released into the wild," he said.
While accidental privacy breaches do sometimes occur, Fraser said it's also embarrassing for the government that an employee allowed this to happen.
A spokeswoman for Service Nova Scotia and Municipal Relations said steps were taken the day after the email went out to ensure no mass communication of this nature would happen again.
"Every employee that deals with clients has received education about the ongoing importance of protecting personal information," Donna Chislett said.
The computer system for student loans is being revamped to prohibit staff from sending such mass e-mails, she added.
About one third of the e-mails were returned as undeliverable mail.
"It was certainly done inadvertently and it was an oversight. We do apologize for that," Chislett said.
Staff are providing personal apologies and explanations of the privacy breach to anyone with concerns; call 494-4961 for details.
ljones@hfxnews.ca
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.