Toronto Port Authority worker misuses personal data for political fundraiser

A Member of Parliament complained that an employee of the Toronto Port Authority improperly used the organization’s e-mail database to invite people to a fundraising event for another MP. 

Our investigation determined that a port authority employee sent an e-mail to approximately 60 people, soliciting a financial donation and inviting their participation at a fundraising function. Recipient addresses were all confined to the “bcc” (blind carbon copy) field of the e-mail, where they could not be viewed by other recipients. In the signature block, however, the employee was identified as working for the Toronto Port Authority, which left the impression that the organization sanctioned the correspondence.

Our investigation found that the employee obtained the e-mail addresses from business cards, which we established are records collected by, and under the control of, the port authority. The employee selected both business and personal addresses for the mass e-mailing. We take the view that “personal” (typically home) addresses constitute personal information. 

We determined that the employee had used this personal information without the knowledge or authorization of the port authority, and for reasons unrelated to the organization’s business activities. 

We therefore concluded that the complaint was well founded.