Personal information accidentally emailed by councillor
St. John’s Coun. Wally Collins was not aware he had breached an individual’s privacy when he forwarded a traffic report to two residents in October last year, a city spokesperson wrote in an emailed statement to The Telegram.
“The breach was a result of a mistake on his part and Councillor Collins apologizes for his error,” reads a part of the statement.
According to the Office of the Information and Privacy Commissioner (OIPC), the breach contained the personal information of an individual that was not highly sensitive, such as their personal contact information that is not otherwise available publicly.
Even so, all members of council are being scheduled for privacy training “in the near future,” according to the emailed statement from the city spokesperson.
The spokesperson said the breach was brought to the attention of the city clerk on Feb. 27 and was investigated internally. The OIPC was notified on March 5.
Sean Murray, director of research and quality assurance at the OIPC, said the office is notified of privacy breaches by public bodies “on a regular basis.”
Public bodies are required to report all breaches to the commissioner.
“In most cases, they are inadvertent – accidental,” he said.
Murray said in this particular case, the affected person was told they had the right to file a complaint with the privacy commissioner, at which point the OIPC would investigate.
The privacy commissioner’s office investigates when there is a serious breach – for example, when many people are affected – or if the breach involves highly sensitive information, such as medical information. Otherwise, it investigates if the affected person makes a complaint.
In this case, the OIPC would only investigate the breach if the person filed a complaint.
Murray said the office has not yet received a complaint from the affected individual, so at this point it was dealt with internally at the city.
Councillors were sent an email by the city clerk’s office reminding them to “take care when sending electronic documents and forwarding emails as there may be personal information attached.”
The email stated councillors should always review documents and emails to ensure there is no personal information contained within them before sending or forwarding emails, and to double-check email addresses before sending.
Murray said this breach is a reminder for council “to be mindful.” He said such inadvertent breaches do not happen more often in St. John’s than with other comparable public bodies.
The OIPC issues a quarterly newsletter that lists the number of privacy breaches reported during the quarter.
Between Oct. 1 to Dec. 31, the OIPC received 48 privacy breach reports from 24 public bodies. That number of breaches is down from the previous reporting period, but the number of public bodies with reported breaches increased.
In that reporting period, there were two breaches reported by the City of St. John’s, two by Mount Pearl, one from Corner Brook and one from Torbay. Others involved other public bodies, with the highest number of breaches occurring at the Newfoundland and Labrador Legal Aid Commission, which reported six breaches.
Most often – in 20 of the 48 cases – the breaches happened via email. Regular letter mail was the next most common type of privacy breach, accounting for 12 breaches.