Violating principle of "need-to-know" leads to data breach
Complaint under the Privacy Act (the Act)
- On September 4, 2014, our Office received a request from the complainant to investigate an alleged disclosure of personal information by Aboriginal Affairs and Northern Development Canada (AANDC) to La Presse newspaper. Specifically, the complainant indicated in his letter that La Presse published an article reporting that AANDC had created a document (the document) that contained a list of applicants who had made requests under the Access to Information Act (ATIA) for information related to former Minister Jim Prentice. The complainant also specified that a staff member from AANDC was quoted in the article as stating that the document had been shared with people outside of the Access to Information and Privacy (ATIP) division. The complainant expressed concern over this situation and asked us to investigate the nature and extent of the breach.
- On September 4, 2014, AANDC reported to our Office that La Presse had gained access to the aforementioned document. It submitted that the document had been created in order to respond to several ATIA requests for information related to Mr. Prentice. In response to the disclosure, AANDC hired a third party to conduct a security investigation into the incident. With respect to the extent of the breach, AANDC provided a list of those within AANDC who had accessed the document.
- After reviewing the available evidence we found that AANDC improperly disclosed the personal information of those listed in the document, which ultimately came into the possession of La Presse. Furthermore, our investigation revealed that AANDC shared the information with officials who did not have a legitimate need-to-know. Therefore, the complaint is well-founded. Our reasons are outlined below.
Scope of the Investigation
- The purpose of our investigation was to determine if the incident under investigation constituted a violation of the Privacy Act (the Act).
- The question of who was responsible for the disclosure is a security matter that is beyond the scope of our investigation.
Relevant Facts and Issues
- Our Office received formal representations and established the following facts.
How did La Presse acquire the document?
- We confirmed that La Presse newspaper acquired a document, created by AANDC, that contained the names of individuals who had requested information under the ATIA related to former Minister Jim Prentice.
- On September 2, 2014, the Director of ATIP at AANDC (the director) became aware that the document had been acquired by La Presse. On September 4, 2014, an article was published in La Presse that referenced the document and disclosed the name of at least one requester. The article also included a statement from the director suggesting that individuals within AANDC but outside of the ATIP division, including the Deputy Minister and an Assistant Deputy Minister, had accessed the document. On the same day, an article published in the Globe and Mail referenced the document.
- In response to the newspaper articles AANDC sent letters informing each requester that his or her name had been released to a "media outlet".
- AANDC contracted a third party to conduct a security investigation into the incident.
- AANDC provided our Office with the factual findings of the security investigation, which was based on interviews with several individuals and a review of over 90,000 records. The security investigation traced the document provided to La Presse to a copy that was made for an official in the Communications branch by his assistant. The document had been stored in a secure filing cabinet. However, at the time the security investigation was conducted, the document was missing.
- According to the available evidence, the most likely explanation for the disclosure was that a reporter for La Presse received a physical copy of the document. However, we did not find sufficient evidence to determine who provided the document to the reporter.
Why was the document created in the first place?
- The disclosure of the document raises the question of why it was created in the first place. We asked AANDC to explain its reasons for creating the document.
- According to AANDC, in the spring of 2014 it received several requests for information under the ATIA related to the expenses of Mr. Prentice. On or around May 6, 2014, the AANDC ATIP director responded that no records existed. Between May 29 and June 16, 2014, additional requests for information related to Mr. Prentice's expenses were received. During the course of processing these requests, documents responsive to the earlier requests (which had received nil responses) were found. AANDC determined that its responses to the original requests were incorrect and decided to take measures to provide the responsive documents to the original requesters.
- In order to organize its responses to the original requests, AANDC ATIP created a document that included a list of names of the requesters and their respective requests. This is the document that was acquired by La Presse.
- Some two weeks later, the document was modified. The names of the ATIA requesters were removed and replaced by a colour code.
Who within AANDC accessed the document?
- In addition to the disclosure to La Presse and the reason for creating the document, we sought to determine who within AANDC accessed the document and for what purpose.
- AANDC submitted that the document was used by AANDC officials from both the ATIP and Corporate Secretariat divisions to identify the information required to respond to the requests.
- The document was also shared with an official from Financing and Contracting Services, and an official from Planning Resource Management. According to AANDC, the document was provided because these individuals assisted in locating the documents responsive to the requests and preparing the document that was ultimately disclosed.
- In addition, the document was provided to an official from the Communications division because, according to AANDC, "the situation was attracting considerable media attention."
- With respect to the question of whether the Deputy Minister or the Assistant Deputy Minister accessed the document, AANDC submitted that neither had done so. When we interviewed the director regarding his statement to La Presse, he submitted that he had explained to the reporter the ministerial delegation at AANDC. According to this delegation, the Deputy Minister, the Assistant Deputy Minister, the Corporate Secretary, the Director of ATIP, as well as officials who give support to these employees to respond to access to information requests, would have had the right to access the document on a need-to-know basis. However, the director insisted that he never actually told the journalist that the document was accessed by the Deputy Minister or the Assistant Deputy Minister.
Analysis of Facts and Issues
- In making our determination, we considered sections 3, 7 and 8 of the Act, and section 6.2.3 of the Treasury Board Secretariat (TBS) Policy on Access to Information.
Did the document contain personal information?
- Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form and provides a non-exhaustive list. According to this definition, the names of the individuals combined with their respective requests for information constitute their personal information.
Did all the AANDC officials who accessed the document have a need-to-know the identity of the requesters?
- Paragraph 7(a) of the Act states that personal information shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose. This means that institutions should only use personal information that is necessary for the intended purpose.
- Section 6.2.3 of the TBS Policy on Access to Information states that the disclosure of a requester's identity must be protected and only disclosed when there is a clear need-to-know in order to perform duties or functions related to a lawful program or activity.
- The information in question was collected for the purpose of processing and responding to requests made under the ATIA. According to AANDC, the names of the requesters were shared with AANDC officials charged with providing responses to the information requests and responding to potential "media attention". However, in our view there was no need for all of these officials to know the names of the requesters. Rather, most only needed to know the substance of the requests in order to respond with the appropriate information. The only AANDC officials who needed to know the names of the requesters were those responsible for receiving the requests and sending responses to the requesters. Therefore, AANDC contravened the Act by sharing personal information with officials who did not have a legitimate need-to-know the identity of the ATIA requesters.
- This said, we found no evidence to suggest that the Deputy Minister or Assistant Deputy Minister accessed the information.
Did the disclosure of the information to La Presse constitute a contravention of the Act?
- The Act states that personal information can only be disclosed with an individual's consent - subsection 8(1) - or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act. The investigation confirmed that La Presse gained access to a document that was created by AANDC and contained the personal information of the ATIA requesters. It is not known precisely how the document reached La Presse, whether an employee provided it directly to La Presse or it passed through some intermediary. However, it is clear that the document originated within AANDC and was improperly disclosed.
- In our view, AANDC contravened the Act in two distinct ways. First, it distributed a document with names of individuals who requested information under the ATIA to officials who did not have a need-to-know this information. Second, it was responsible for the disclosure of the list to La Presse in contravention of the Act. For these reasons the complaint is well-founded.
- With respect to the issue of providing access to personal information to officials who do not have a legitimate need-to-know, we recommend that AANDC review its policies and procedures for processing ATIP requests so that appropriate mechanisms are in place to ensure that the need-to-know principle is respected. We ask that, within six months of receiving this report, AANDC report to us the measures it has taken.