Investigation into the treatment by a government institution of the personal information of two employees with the same name

Complaint under the Privacy Act (the “Act”)

March 28, 2024

Description

Our Office received a complaint from an employee of the government institution, alleging that her personal information was disclosed numerous times to another employee with the same name as her also working for the government institution. In addition, she alleges that numerous administrative errors in their respective files occurred over the years. These privacy breaches accumulated without the knowledge of the Access to Information and Privacy office.

Takeaways

All employees have a responsibility to take immediate measures to contain any incident affecting privacy.
All privacy breaches, whether material or non-material, must be reported to the ATIP office.
The ATIP office role is essential, as it has an obligation to implement measures to contain privacy breaches, complete thorough assessments of incidents in relation to the circumstances and risks to the individuals concerned and implement strategies to mitigate the risk of reoccurrence. In addition, the ATIP office has the responsibility to educate, train and disseminate information to the various areas of the government institution.

Report of findings

Overview and context

The complainant has been an employee of the government institution since 2009. She alleges that since the arrival of an employee with the same name as her (“the second employee”), numerous incidents have occurred involving their respective privacy.^{Footnote 1}
To begin, she contends that her personal information was repeatedly disclosed by the government institution to the second employee without her consent. The first issue investigated in this report is therefore whether these disclosures were permitted under section 8 of the Act. That section states that personal information may only be disclosed with an individual’s consent or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.
In addition, the complainant alleges that, since the arrival of the second employee, the government institution’s staff has been unable to distinguish them, resulting in a number of errors in their respective employee files. As a result, the Office of the Privacy Commissioner of Canada (“OPC”) also investigated whether the government institution contravened subsection 6(2) of the Act. That section requires that a government institution take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.
Following a review of the facts and the documentary evidence submitted by the complainant, we determined that the government institution contravened the provisions of the Act in this case. First, we consider that it repeatedly disclosed the complainant’s personal information in error, thereby contravening section 8 of the Act. Finally, we consider that the government institution contravened subsection 6(2) of the Act by failing to implement measures to properly identify employees before making changes to their respective files. We find both allegations to be well-founded.
In light of these conclusions, we recommended that the government institution undertake, within two weeks of the issuance of the preliminary report to:
1. provide a copy of the results of the preliminary assessments of the incidents and inform the OPC of any updates on the steps taken by the government institution in this matter;
2. indicate to the OPC what concrete measures will be implemented to (a) prevent unauthorized disclosure of the personal information of the employees concerned and (b) ensure that the personal information used to make changes in their respective files is as accurate as possible.
We also recommended that the government institution confirm, within two months of the issuance of this report, that a reminder was sent to all areas of the government institution to the effect that any privacy breach, whether material or non-material, must be reported to the Access to Information and Privacy (“ATIP”) office.
In response to the preliminary report of findings, the government institution accepted all the above recommendations and undertook to take concrete steps to remedy the issues raised in this report. We therefore find the complaint to be conditionally resolved.

Analysis

Issue 1: The government institution contravened section 8 of the Act by mistakenly disclosing the complainant’s personal information

Section 8 of the Act provides that personal information may only be disclosed with the consent of the individual or in accordance with one of the exceptions set out in subsection 8(2) of the Act.
The complainant alleges that since 2017, her personal information has been disclosed to the second employee, without her consent, by various areas within the government institution. In fact, the complainant demonstrated that numerous incidents led to the disclosure of, among other things, her Personal Record Identifier (“PRI”), personal e-mail address, mailing address, and financial and health information.
According to the complainant, these incidents occur because of the similarity between their work e mail addresses. In fact, the two e-mail addresses are identical, with the exception of the number “2” added to distinguish between the two employees. The complainant maintains that this is insufficient and that when other employees are not careful, they select the wrong e-mail address even though the two employees hold different positions.
In this context, the complainant acknowledged that these repeated errors are made by various areas of the government institution. In reviewing the documentary evidence submitted by the complainant, the OPC was able to confirm that the disclosures of personal information were the result of human error, as the senders confused the two employees.
The complainant also provided the OPC with several e-mail exchanges demonstrating that she had signaled the breaches to the people concerned in the various areas. In fact, she repeatedly explained to the various employees of the government institution that two employees of the institution had the same name and that they should be more vigilant when communicating with either of them. The complainant explained that she receives apologies when an incident occurs, but that the institution makes no effort to try to prevent the recurrence of such communications.
During the investigation, the government institution made no submissions to demonstrate that these communications were permitted under section 8 of the Act. It explained that it had no knowledge of these incidents, as the breaches had never been reported to its ATIP office. When questioned about this, the complainant indicated that she was not familiar with the procedure to follow in the event of privacy breaches, or to whom they should be reported, apart from her manager and the areas concerned. She also indicated that, in her opinion, other employees of the government institution were also unfamiliar with the subject.
The Directive on Privacy Practices provides that employees have an obligation to follow the procedures set out in Appendix B when they become aware of a privacy breach. These procedures, in effect since October 26, 2022,^{Footnote 2} include taking immediate measures to contain any potential or confirmed privacy breach and immediately notifying the head of the institution or their delegate. The breach must be subsequently documented, and a full assessment must be carried out. In addition, institutions are required to notify the OPC and the Treasury Board Secretariat of any material privacy breach, if the breach involves sensitive personal information that could reasonably be expected to cause significant harm to the affected individual.
In our opinion, the fact that none of these breaches were reported by the areas concerned confirms a general lack of knowledge among employees of the government institution as to the procedure for reporting a privacy breach, their obligations and the role and responsibilities of the ATIP office.
In addition, we note that the institution indicated to the OPC that it considers the sensitivity of the information disclosed to be [translation] “low to medium.”
We do not agree with that position in this case. In our opinion, the combination of extensive personal information disclosed should be considered more serious by the government institution. In fact, much of the information disclosed could, in other contexts, have increased the possibility of identity theft. Moreover, we believe that the disclosure of information relating to the complainant’s health status, or even her financial statements, could equally damage her reputation, or have repercussions for her health.
Considering the amount of information disclosed, its sensitivity and the period during which these incidents occurred, we consider that this is a systemic problem and that measures should have been implemented by the government institution to prevent these accidental disclosures.
In view of the foregoing, we are of the view that the government institution contravened the provisions of the Act relating to the disclosure of the complainant’s personal information and we conclude that this allegation is well-founded.

Issue 2: The government institution contravened subsection 6(2) of the Act by failing to ensure that the information it uses for administrative purposes is accurate

Subsection 6(2) states that a government institution must take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.
During this investigation, the complainant demonstrated that several incidents related to the accuracy of personal information have occurred since the arrival of the second employee, and that others continue to arise.^{Footnote 3} Among other things, she claims that changes in human resources and information technology systems are often made to the wrong employee’s account.
For the employees concerned, these errors are a source of stress and misunderstanding. In fact, according to the complainant, these incidents should not occur, as the employees do not have the same PRI or the same date of birth.
In reviewing the documentary evidence submitted by the complainant, we confirm that the government institution used inaccurate information on several occasions in recent years to make changes to the complainant’s file, despite the fact that she reported the errors to the areas concerned.
From our point of view, examined individually, most of these incidents could have been considered the result of simple human error. However, as indicated in the analysis in the previous section, the fact that these errors are repetitive, are committed by employees working in several areas of the government institution and are still occurring demonstrates, in our opinion, the systemic nature of the problem.
In this context, we consider that these incidents could have been avoided if the government institution, from the very first incident, had implemented measures to validate the identity of the two employees before making any changes to their respective accounts. More specifically, we consider that employees in the various areas should verify an employees’ identity by using several data fields, such as the employee’s PRI or date of birth, before making major changes in the systems.
We also note that these changes may have significant repercussions for the individuals concerned. For example, a change in the pay of the wrong employee can result in financial loss and be a source of considerable stress. In addition, the number of incidents reported since 2017, and that persist to this day, may also have led to a loss of trust in the institution, particularly with regard to the protection of its employees’ personal information.
We questioned the government institution about the measures it has implemented to ensure that information used for administrative purposes is up-to-date, accurate and complete as possible. However, the institution did not provide any comments in this regard.
In view of the foregoing, we conclude that the government institution failed to ensure the accuracy of the information used before making changes to employee files. We also note a lack of reasonable measures implemented by the government institution to prevent further incidents of a similar nature. We therefore find this second allegation to be well-founded.

Other

The complainant also raised other concerns in addition to the incidents relating to the disclosure and accuracy of her own personal information. For example, she indicated that she has received numerous communications intended for the second employee, such as e-mails from other employees reporting their absences, etc.
The complainant maintains that this situation could lead to other privacy incidents, since she does not need to know this information and an employee or institutional partner could be e-mailing sensitive or personal information to the wrong person.
The complainant also mentioned that errors are made by suppliers working with the government institution and even by other institutions.^{Footnote 4} Although these are not errors committed by the institution concerned, it is important to emphasize that such incidents can lead to stress and other consequences for the employees involved.
We consider that these additional incidents reinforce the OPC’s conclusion that appropriate measures must be implemented by the government institution to prevent, among other things, personal information from being inadvertently disclosed to the wrong employee.

Conclusion and recommendations

Despite the OPC’s repeated attempts during this investigation, we were unable to obtain a firm commitment from the institution to implement measures to prevent these problems from recurring.
Although the ATIP office of the government institution indicated that it had taken steps to provide the OPC with a response concerning the incidents in question, at the time that the preliminary report of findings was issued, the institution had not communicated the results of these steps to the OPC, despite several follow-ups.
Accordingly, in our preliminary report of findings to the institution, we recommended that the institution undertake, within two weeks of the issuance of the preliminary report to:
1. provide a copy of the results of the preliminary assessments of the incidents that occurred, and inform the OPC of any updates concerning the steps taken by the government institution in connection with these incidents.
2. inform the OPC of the concrete measures that will be implemented to
  - prevent unauthorized disclosure of the personal information of the employees concerned;
  - ensure that the personal information used to make changes in their respective files is as accurate as possible.
In response to the preliminary report of findings, the government institution accepted the OPC’s recommendations and acknowledged the importance of implementing them through concrete actions to remedy the problems described in the report. The government institution forwarded some preliminary assessments of the incidents and committed to inform the OPC of any updates concerning these incidents. Given the seriousness of the personal information disclosed, we encourage the government institution to provide the remaining preliminary assessments in a timely manner, ensure they are comprehensive, and follow up concretely and promptly on any measures required to avoid such incidents. It is important to note that any privacy breach should be reviewed by the ATIP office and reported to the appropriate institutions if it is determined to be material.
With regard to measures specific to the employees concerned, the government institution noted that the unit concerned now verifies the PRI and the information indicated in the systems before sending any communication to the complainant, although the majority of communications are now sent via the Pay Centre. In addition, the government institution has indicated that since the incidents, employees of the government institution who send communications to the two employees in question have been more vigilant, reviewing and validating recipients’ e-mail addresses when they need to contact them.
In addition to the above measures, we encourage the government institution to consider any other measures that could be implemented to prevent harm to the two employees concerned.
Furthermore, as indicated in paragraph 13, the OPC observed that employees in the various areas of the government institution do not seem to be fully aware of their obligations and the procedures for reporting privacy breaches. We consider this to be a significant factor in this case, since the areas concerned did not inform the ATIP office of the numerous breaches that had occurred, which prevented it from taking corrective action. We consider this to be one of the reasons that the privacy breaches concerning these two employees persist to this day.
In light of the foregoing, we also recommended that the government institution confirm, within two months of the issuance of the final report, that a reminder has been sent to all its areas to the effect that any privacy breach, whether material or non-material, must be reported to the ATIP office.
In response to this recommendation, the government institution confirmed that a reminder will be sent to all areas within two months of the issuance of this report of findings.
In addition to this reminder, we suggested that the ATIP office of the government institution maintain regular communications with the various areas. The situation described in this report illustrates the important role of this office, which is to make employees in all areas aware of privacy protection and the processes to follow when breaches occur, in order to prevent such a situation from recurring.
In addition to undertaking to continue to engage with the various areas in order to raise awareness, the government institution also indicated that it had developed policies, tools and resources to help employees ensure that the institution’s obligations under the Act are respected, such as:
- Privacy Management Framework;
- Privacy manual;
- Directive on Privacy Impact Assessment;
- Guidelines for Privacy Breaches;
- Security Sweep Program; and
- Information-sharing tools.
According to the government institution, this will help employees identify and mitigate potential privacy issues and improve the protection of personal information under the control of the institution.
Given that the government institution has accepted all the recommendations detailed in this report, we find this complaint to be conditionally resolved.

Footnotes

Footnote 1

In this regard, it is important to note that while the analysis that follows is based on the complainant’s allegations, it takes into account the fact that these numerous incidents relate to both employees.

Return to footnote 1

Footnote 2

The OPC notes that even prior to 2022, the policies and directives on the protection of personal information provided that employees were required to take measures to prevent any privacy breaches, and report them to the ATIP office.

Return to footnote 2

Footnote 3

For example, the complainant noticed changes in the MyGCPay application related to a change in the second employee’s position. Specifically, the classification, salary and tax location were erroneously modified in the complainant’s account.

Return to footnote 3

Footnote 4

For example, the complainant stated that the School of Public Service had mixed up their files and that she no longer had access to all of the training she had taken over the years.

Return to footnote 4

Date modified:: 2024-06-06

Language selection

Search and menus

Search