Key privacy practices for public servants working on the GCWCC campaign
October 11, 2019
Office of the Privacy Commissioner of Canada Privacy Alerts are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
Is your department participating in the Government of Canada Workplace Charitable Campaign (GCWCC)? Each fall, federal public service employees and retirees take the opportunity to raise funds and donate time for those in need.
The campaign is the largest workplace campaign in Canada and supports thousands of charities across the country, delivering critical care and services and making a difference in the lives of many Canadians. Last year, employees and retirees gave close to $30 million to charities across Canada.
It also involves a great deal of personal information. It’s important that personal information collected from donors is handled with the utmost care and security.
Campaign champions and volunteers need to remember to incorporate appropriate privacy practices in every step of the process.
Issue:
Since 2014, several privacy breaches involving the GCWCC charitable campaign have been brought to the attention of the Office of the Privacy Commissioner of Canada.
In one case, a completed pledge sheet containing a public servant’s personal information, including date of birth and personal financial information, was lost and could not be located.
In another, a donation report was sent to department officials that inadvertently included an additional sheet with the personal information, including Personal Record Identifiers (PRIs), of more than 100 donors.
These incidents could likely have been avoided if appropriate privacy protections had been put in place.
Best Practices:
- The campaign champion needs to establish a privacy protocol to review its privacy practices and mitigate privacy risks.
- Campaign team members need to understand how they are to generate reports in a privacy-sensitive manner. Those team members also need reminders about the acceptable use of IT systems for records containing personal information.
- Security safeguards must be put in place in order to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
- Departments must take steps to limit access to personal information. In other words, only share information with individuals who need to access it. Limits could involve administrative, technical or physical means. Measures may include locked filing cabinets, restricting access to offices, password protection, encryption, firewalls, and security patches.
- Departments are also required to ensure that access to, and use and disclosure of, personal information are monitored and documented. This will also allow them to take action in cases of inappropriate or unauthorized access or where personal information has been mishandled.
In the case of a breach:
- Federal institutions are required to notify the OPC and the Treasury Board of Canada Secretariat of all material privacy breaches and of the mitigation measures being implemented. A breach is deemed material if the breach involves sensitive personal information and could reasonably be expected to cause serious injury to the individual.
- To the extent possible, it is strongly recommended that institutions notify all affected individuals whose personal information has been or may have been compromised through theft, loss or unauthorized disclosure. Notification should occur as soon as possible following the breach to allow individuals to take actions to protect themselves against, or mitigate the damage from, identity theft or other possible harm.