Mishandling employees’ personal information – RCMP

Complaint under the Privacy Act (the Act)

1. The complainant alleges that the Royal Canadian Mounted Police (RCMP) inappropriately used numerous employees’ personal information during a training course for Respectful Workplace Advisors on the use of the RCMP’s National Administrative Records Management System (NARMS) in December 2013.
2. The complainant is an employee in the Information Management & Technology Branch of one of theRCMP’s Divisions. On December 10, 2013, she attended a training session on the use ofNARMS in the administration of theRCMP’s Respectful Workplace Program. During the course, participants were provided with sheets of paper containing the following information as part of a data entry exercise:
   • Date
   • Complainant’s Name
   • Complainant’s Rank
   • Complainant’s HRMIS Number
   • Complainant’s Gender
   • Complainant’s Contact Information
   • Complainant’s Detachment or Unit Name
   • The type of incident (for example: Regular Member – Harassment)
   • A description of the incident, including the names of individuals or rank/position of other individuals
3. While participating in the data entry exercise, the complainant realized that the data she was inputting was real personal information and not simply generic training examples as she had expected. She immediately raised her concerns regarding the use of this sensitive personal information with the course instructor as well as the RCMP member responsible for the Respectful Workplace Program, since course participants had not been advised that real data would be used during the exercise and they had not been required to sign a confidentiality agreement prior to commencing the training.

Summary of Investigation

4. TheRCMP provided the following representations in response to the complainant’s allegation:
   • The Respectful Workplace Program of the Division was established in 2012 with a number of initiatives in support of the program, including the identification and training of Respectful Workplace Advisors. The advisors are experienced, credible, trustworthy, and knowledgeable resources for employees to reach out to if they are experiencing a disrespectful work environment. Information received from employees is to be treated in a respectful, compassionate and confidential manner.
   • NARMS is the system used by the RCMP to provide case management support for non-operational processes such as administrative investigations. NARMS has numerous domains, which are specific to a business process; the information housed within a domain is only visible to users with an account in that specific domain. Access to a domain is assigned based on “need to know” requirements.
   • The RCMP created a Workplace Issues reporting domain in NARMS in 2013 to support the Respectful Workplace Program’s administrative processes, namely managing the requests received from RCMP employees for advice and guidance regarding respectful workplace issues and concerns. It is the responsibility of each Respectful Workplace Advisor to enter information received from employees into the NARMS database.
   • In order to train Respectful Workplace Advisors on the use of NARMS, two NARMS training sessions were scheduled for December 10 and 11, 2013, as part of a three-day Respectful Workplace Advisor training workshop.
   • The Superintendent in charge of the Respectful Workplace Program made the decision to use real data for training purposes in order to help alleviate a backlog of information that needed to be entered into NARMS. During the training course, a total of 146 entries were made into NARMS by the course participants.
   • The complainant ultimately raised her concerns with the Commanding Officer for the RCMP Division, who requested that the matter be investigated by the Ethics Officer of the Division. During the course of that investigation, an Inspector in the RCMP’s Access to Information and Privacy (ATIP) Branch at National Headquarters was consulted. The ATIP branch took the position that unless the applicable Personal Information Bank (PIB)^{Footnote 1} states that consistent uses of information in that bank includes training, it is not an acceptable use of the information. The Inspector advised that in order to remedy the breach, all persons whose information was shared in this manner should be notified by letter of the circumstances relating to the breach of their personal information.
   • The applicable PIB associated with the Workplace Issues Reporting Domain is Standard PIB PSU 915. The Ethics Officer of the Division reviewed that specific PIB and all other Info Source standard and RCMP-specific PIBs by determined that none describe training as a consistent use of personal information.
   • Based on his review of the matter and consultations with the ATIP branch, the Ethics Officer recommended that all persons whose information was shared during the NARMS training sessions be notified of the breach by letter from the Office of Superintendent in charge of the Respectful Workplace Program.
   • The RCMP determined that the 146 entries that were made in NARMS included the personal information of 91 employees. On February 11, 2014, letters were sent to all 91 employees, advising them of what occurred, what steps have been taken to ensure no further breaches occur in the future, and who to contact for further information.
5. As part of its representations, the RCMP also provided copies of the February 11, 2014, correspondence.

Application

6. In making our determination, we considered sections 3 and 7 of the Act.
7. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
8. The information at issue is clearly personal information as defined under the Act, since it includes the name, gender, and elements of the employment history of each of the 91 affected employees.
9. Paragraph 7(a) of the Act states that personal information shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.
10. The RCMP itself has determined that the use of the 91 employees’ personal information during the NARMS training sessions was not authorized under section 7 of the Act.

Findings

11. The representations made by the RCMP in this matter substantiate the allegations made by the complainant. Based on the evidence presented during the course of the investigation, and the apparent contravention of section 7 of the Act, we consider this complaint to be well-founded.
12. In this matter, the complainant was not personally affected by the inappropriate use of personal information during the course of the NARMS training sessions but correctly raised the issue with the proper authorities at the RCMP. Based on the RCMP’s representations, the matter was taken seriously and appropriate measures were taken to ensure that personal information would no longer be used for training purposes.