Mishandling employees’ personal information – Parole Board of Canada
Complaint under the Privacy Act (the Act)
- This report concerns our investigation into the complainant's allegation that the Parole Board of Canada (PBC) contravened the disclosure provisions of the Act when her medical information was disclosed by a PBC human resources employee to individuals involved in a Public Service Staffing Tribunal (PSST) hearing.
- The PBC acknowledges that the disclosure occurred. In response, it apologized to the complainant, ensured that the recipients of the material disposed of the information, and filed a breach report with its Access to Information and Privacy division.
- After examining the evidence and representations from both parties, we determined that the complaint is well-founded. The reasons supporting this decision are explained below.
- We received representations from both parties and established the following facts.
- On April 3, 2013, two complaints were made to the Public Service Staffing Tribunal (PSST) concerning the appointment of the complainant to her position at the PBC and the appointment of another employee.
- On March 14, 2014, the PSST ordered the PBC to provide “all material/assessment methods relating to the assessment of the appointees… indicating scores.” The PSST also required that certain information be removed from the documents, including “Personal Record Identifier (PRI), personal telephone number, residential and email address, and medical/health information” (emphasis added).
- The material included notes made by the complainant's interviewers during her interview for the abovementioned position. These notes contained the complainant's medical information, which was outside the scope of what the PSST ordered the PBC to provide.
- On March 19, 2014, a PBC human resources staff member complied with the PSST order by emailing material to specific individuals involved in the complaints. However, the complainant's medical information was not removed from the material. On the same day, a second email was sent to inform the complainant and her director what had been sent.
- On March 20, 2014, the complainant's director responded to the email by informing the PBC human resources staff member that the complainant's medical information had been released with the material.
- When made aware that the medical information had been included with the package, the PBC acknowledged the mistake, apologized to the complainant, and requested that those who received the material dispose of the information. We received confirmation from the PBC that the recipients deleted the information in question.
- On March 20, 2014, the breach was reported to the PBC Access to Information and Privacy division.
Analysis of Facts and Issues
- In making our determination, we considered sections 3 and 8 of the Act.
- Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form. The complainant's medical information constitutes her personal information according to this definition. Therefore, it is clear that the material in question contained the complainant's personal information.
- The Act states that personal information can only be disclosed with an individual's consent - subsection 8(1) - or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act. The investigation established that the complainant's medical information was disclosed. The complainant did not consent to this disclosure and it was not in accordance with any provision of subsection 8(2). Therefore, in our view, the PBC contravened the disclosure provisions of the Act.
- Accordingly, the complaint is well-founded.
- We are satisfied with the measures that PBC took in response to the breach. Therefore, we have no further recommendations.