TBS email breach illustrates the importance of considering context when assessing impact of a breach

Complaints under the Privacy Act

February 15, 2023

---

Description

Our Office received 20 complaints from current or former federal government employees after the Treasury Board of Canada Secretariat (TBS) mistakenly sent two sets of email to applicants for the Severe Phoenix Impacts program using the carbon copy (“cc”) field, instead of the blind carbon copy (“bcc”) field. This disclosed the individual’s email addresses (some of which included their names) and the fact they had filed a claim for damages to the other applicants in the email distribution list. Given the nature of the Severe Phoenix Impacts program, it also revealed they felt they had suffered Phoenix-related losses – financial or otherwise.

Key Takeaways

• When determining whether a privacy breach presents a real risk of significant harm to an affected individual, a proper analysis must be holistic and informed by contextual factors.
• When multiple people are involved, a privacy breach that could reasonably be expected to cause serious injury or harm to a single individual will be considered material, it need not impact all those affected. Additionally, the risk to affected individuals increases with the number of persons who receive personal information in error.
• An institution does not need to have proof of harm for a breach to be considered material.

---

Report of Findings

Overview

1. The complainants alleged that the Treasury Board of Canada Secretariat (“TBS” or the “respondent”) contravened the disclosure provisions of the Privacy Act (the “Act”) when their personal information was improperly disclosed to other individuals via email.
2. Our investigation confirmed that on May 3, 2022, TBS sent three emails to individuals^{Footnote 1} who had filed claims for “Severe Phoenix Impacts”. The first email was sent correctly where the names of recipients were included in the ‘bcc’ field. However, two subsequent emails were sent to 400 recipients using the ‘cc’ field, including to the twenty individuals who filed complaints with the Office of the Privacy Commissioner (the “OPC” or our “Office”).
3. The respondent acknowledged that the two emails, where the ‘cc’ field was used, were sent in error as they should not have revealed the email addresses (and names) of other claimants. That same day, TBS took steps to notify affected individuals, also informing them of their right to file a complaint with our Office. Our investigation found that the disclosure of the complainants’ personal information – including personal email addresses, the fact that they felt they had experienced severe Phoenix impacts, and that they had filed a claim for damages – was not authorized under the Act.
4. Our investigation also examined TBS’s assessment of the breach. The respondent advised that it had concluded that the breach was not “material”. Specifically, TBS asserted that the breach could not be expected to cause serious injury or harm to the affected individuals. The OPC does not agree with this conclusion. Context is relevant in assessing the sensitivity of personal information, and injury or harm to an individual. Several complainants indicated in their complaints to the OPC that they had not disclosed to others, outside the claims process, that they had suffered hardships, financial or otherwise. They found the exposing situation resulting from this breach to be humiliating and stressful.
5. In a Preliminary Report of Investigation, we made the following recommendations to TBS:
   1. TBS share our Final Report (once issued) with its staff, and: (i) remind them of their responsibilities and obligations for the proper handling of personal information, and (ii) raise awareness about possible causes of breaches to safeguard against similar incidents recurring;
   2. TBS incorporate these findings in the drafting of its policy and guidance instruments, such that institutions, including TBS, can more consistently and accurately assess harm and the materiality of breaches; and
   3. The TBS Claims Office – Severe Impacts Team (the “Claims Office”) engage with the Canadian Digital Service to explore more secure means to communicate with stakeholders, for example, using GC Notify which pushes individual messages out.
6. TBS has agreed to implement recommendations a) and c). With regards to recommendation b) TBS notes that it has developed and recently published (October 2022) significant updates to the policy suite on privacy protection. While we welcome changes that TBS has made to it policies, we remain concerned that privacy breach assessments made by government institutions, including TBS, will continue to be lacking for the reasons revealed in this investigation. More specifically, notwithstanding the expressed harm and damages of complainants, TBS has neither accepted the materiality of the fact situation for this breach, nor committed to incorporating it into its instruments.
7. We take this opportunity to further encourage TBS to add a comprehensive and systematic explanation of what constitutes a harm assessment for individuals in its policy documents, which should include multiple environmental factors, many of which are covered in this report.
8. As a consequence, our final determination for this matter is well-founded and conditionally resolved in part.

The complaints

9. The complainants (twenty in total) alleged that TBS contravened the disclosure provisions of the Act when their personal information was improperly disclosed to other individuals via email.
10. Several complainants indicated in their complaints to the OPC that they had not disclosed to others, outside the Phoenix impacts claims process, that they suffered hardships, financial or otherwise. They found the exposing situation resulting from this breach to be humiliating and stressful, and even created a feeling of being violated.

Background

11. On May 3, 2022, TBS sent three emails to individuals who had filed claims for “Severe Phoenix Impacts”. The first email was sent correctly where the email addresses of approximately 200 recipients were included in the ‘bcc’ field. However, two subsequent emails were sent to 400 recipients^{Footnote 2} using the ‘cc’ field, and thereby exposing to all recipients that each felt they had experienced severe Phoenix impacts, and that they had filed a claim for damages.
12. The same day, the TBS Claims Office sent another email to the recipients explaining that due to an administrative error the ‘cc’ line was used instead of the ‘bcc’ line. It further explained that as the messages were sent from a generic inbox, the earlier messages could not be recalled. Recipients were asked to delete the first email that they received from their inbox, sent box, trash and any other email folders, and to not distribute the earlier emails. The message went on to say:

    “The Claims Office takes very seriously its role in safeguarding the personal information it collects from individuals. We sincerely regret this occurrence and are reviewing our procedures and working diligently to ensure that an error like this does not occur in the future.”

    Recipients were also advised that they could file a complaint with our Office.
13. The OPC reached out to TBS on May 4, 2022, as nine of the twenty complaints submitted to our Office were received the previous day.

Issue 1: Was the disclosure authorized under the Act?

14. In making our determination, we considered sections 3 and 8 of the Act.
15. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information related to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions.
16. The Act states that personal information can only be disclosed with an individual’s consent – subsection 8(1) – or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.
17. The complainants’ email addresses (many personal) which revealed their identities, tied with the fact that they felt they had suffered severe Phoenix impacts and had filed claims for damages, constitutes personal information under section 3 of the Act.
18. The respondent does not dispute that a privacy breach occurred. It categorized the incident as an inadvertent administrative error. The affected individuals did not consent to the disclosure of their personal information, nor was the disclosure in accordance with any of the categories of permitted disclosures found under subsection 8(2) of the Act.
19. Accordingly, we find that TBS contravened section 8 of the Act and that the complaints are well-founded.

Issue 2: Is the privacy breach “material” in nature?

20. The TBS Directive on Privacy Practices required institutions to establish plans and procedures for addressing privacy breaches, including notifying the OPC and TBS of privacy breaches deemed material^{Footnote 3}. The TBS Guidelines for Privacy Breaches (the “Guidelines”) in place at the time of the breach defined a “material” breach^{Footnote 4} as one:
    • Involving sensitive personal information; and
    • Could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.
21. The Guidelines contained a non-exhaustive list of examples of serious injury or harm to an individual, including:
    • Identity theft or other related fraud;
    • Material loss to the individual; or
    • Lasting harm or embarrassment that will have direct negative effects on a litigation involving the individual or on an individual’s career, reputation, financial position, safety, health or well-being.

TBS’s assessment of the privacy breach

22. TBS did not assess this breach as “material”. It explained in an email to our Office dated May 16, 2022, that the breach did not involve any disclosure of sensitive personal information, such as specific details about the claim or pay issue, Social Insurance Numbers, banking information, or health/medical information, or any other unique identifiers that generally might be used to validate an individual’s identity. It also noted that the severe impact claimed was not specified, and that the emails did not include any other information about individual claims. TBS concluded in its written submission to our Office that:

    “the breach should not be considered a material privacy breach because we have not received evidence or can reasonably deduce that the sharing of this information could be expected to cause serious injury or harm to the affected individuals (such as identity theft, material loss, or lasting harm or embarrassment).”

23. On October 7, 2022, the OPC submitted to TBS a Preliminary Report of Investigation with preliminary findings, analysis, and recommendations. This report highlighted the humiliation and stress that had been expressed by complainants as a consequence of this breach.
24. In its final representations to our Office, received on November 7, 2022, TBS stated that while it did not flag the breach as being “material”, it reported the breach to the OPC on May 4, 2022, and had several interactions with the OPC during TBS’s investigation of the incident.
25. On this latter point, it was the OPC that first reached out to TBS as several complaints were received the previous day. And while our respective officials did discuss the breach, our Office did not receive a written breach report from TBS on May 4, 2022, nor on any subsequent date.
26. TBS further explained that before deciding on the materiality of the privacy breach, its responsible privacy officials consulted the TBS privacy policy instruments and reviewed policy considerations in consultation with the TBS Privacy and Data Protection Division – the policy centre responsible for the government’s privacy policies. TBS deemed the breach as non-material due to various factors including that:
    1. the content of the emails that were sent to recipients did not contain sensitive personal information as it was a generic message intended for 600 recipients; and
    2. the email addresses were shared among a group of individuals that shared the same circumstances (i.e., that they filed a claim for severe damages to the TBS Claims Office).
    It determined that the sharing of this information among this group rather than a broader disclosure was unfortunate and certainly one to avoid in the future, but that the release of information to individuals in similar circumstances was unlikely to result in severe impacts such as identity theft, reputational loss, lasting harm or embarrassment.

Criteria for compensation for severe Phoenix impacts

27. Compensation for severe Phoenix impacts is open to current and former employees, and the estates of deceased employees who worked during a specified period. Severe impacts could include:
    • financial costs or lost investment income due to delays in pay
    • leave taken because of health issues
    • severe damages and personal hardship
    The claims process is available to individuals who, because of Phoenix pay issues, experienced severe personal or financial hardship such as, but not limited to, bankruptcy, significant impacts to credit ratings, mental anguish or trauma.

OPC’s assessment of the privacy breach

28. While we accept that the breach was the result of an administrative error, we disagree with TBS’s assessment that the privacy breach was not material. The group of affected individuals was categorically labelled “Severe Phoenix Impacts”, to which each had self-identified as having suffered Phoenix related harms. Further, the emails sent using the ‘cc’ field confirmed to all recipients that others on the distribution list also identified as having suffered severe personal or financial hardship as a result of Phoenix pay issues, and that they had submitted a claim for compensation.
29. Several complainants highlighted in their complaint to our Office that they were humiliated, embarrassed, or even felt violated. Complainants also reported that the breach has caused them additional stress and mental anguish. Many complainants also noted that they had not disclosed to anyone, outside of the claims process, that they had submitted a claim. In one instance, a complainant indicated that they were contacted by the media following the breach.
30. Given the nature of the personal information disclosed and the criteria for breach reporting set out in the then TBS Guidelines, we find that the breach should have been assessed as material by TBS. In our view, the proper analysis of the risk of injury or harm to an individual must be holistic and informed by contextual factors of the personal information disclosure.
31. It is also not necessary for an institution to receive evidence of an injury or harm to assess the materiality of a breach. Indeed, a breach involving sensitive personal information gives rise to reporting and notification obligations when it could reasonably be expected to result in serious injury or harm.
32. Further, a privacy breach that could reasonably be expected to cause serious injury or harm to a single individual will be considered material, it need not impact all those affected. The level of injury or harm will vary depending on the individual and the circumstances of their case.
33. Finally, the risk to affected individuals increases with the number of persons who receive personal information in error. The sensitivity of personal information or risk of harm to an individual is not automatically reduced by the fact that others who receive the information share identical or similar circumstances. In this case there were two emails sent in error, each having 200 individuals on the ‘cc’ line. Further, other than the request of TBS to delete and not re-distribute, there was nothing preventing any of the recipients from sharing the email outside the intended list, which appears to have occurred as the media contacted a complainant.
34. As noted above, in this matter the context of the personal information disclosed was related to individuals who felt that they had experienced “severe impacts” in accordance with the claims program’s definition. In our view, given the context and nature of the information and the number of recipients, it could reasonably be expected that the breach would result in serious injury or harm, which includes embarrassment having negative effects on an individual’s well-being.
35. TBS has an important leadership role with respect to privacy. It supports the President of the Treasury Board as the designated Minister under the Privacy Act. As such it is responsible for establishing policies and prescribing forms concerning the operation of the Act and its Regulations, which apply to all government institutions^{Footnote 5} that are subject to the Act.
36. We published in our 2017-2018 Annual Report to Parliament the results of a study that the OPC conducted on breach reporting across government institutions. We noted, amongst other findings, that institutions did not have proper tools to assess the risk of injury or harm to individuals. We shared our findings with TBS, which undertook in response to our study’s recommendations to take actions, including, the review of its policies, tools, and training for all employees to identify opportunities to strengthen guidance and tools for identifying, reporting and managing privacy breaches.
37. On October 26, 2022, TBS published updates to its policy suite on privacy protection. We see this as a step in the right direction. However, after our review of these and related products, we remain concerned that government institutions, including TBS, will continue to inadequately assess harms to affected individuals and apply a too narrow interpretation of what constitutes a material privacy breach. As a consequence, there is an ongoing risk that privacy breaches will go unreported, and affected individuals not notified. Breach reporting and notification are necessary to achieve transparency and accountability, which are stated objectives of the TBS Policy on Privacy Protection^{Footnote 6}. Further, if affected individuals are not notified of a breach, they will be unable to take precautions to protect themselves from any and all harms stemming from the breach.

Recommendations

38. In view of the above, we recommended in our Preliminary Report of Investigation that:
    1. TBS share our Final Report (once issued) with its staff, and: (i) remind them of their responsibilities and obligations for the proper handling of personal information, and (ii) raise awareness about possible causes of breaches to safeguard against similar incidents recurring;
    2. TBS incorporate these findings in the drafting of its policy and guidance instruments, such that institutions, including TBS, can more consistently and accurately assess harm and the materiality of breaches; and
    3. The TBS Claims Office engage with the Canadian Digital Service to explore more secure means to communicate with stakeholders, for example, using GC Notify which pushes individual messages out.
39. TBS has agreed to implement recommendations a) and c). It also noted in its final representations that the Claims Office has also been directed to not forward emails unless the recipient has been carefully verified and considered before sending. Emails that analysts need to share with other members of the team to complete claims are viewed either within the generic mailbox or in a claimant’s file in GCDocs. Analysts have been directed to ensure that information is being shared with only those who have a need-to-know.
40. With regards to recommendation b) TBS stated that it has developed and recently published (October 2022) significant updates to the policy suite on privacy protection. TBS noted that best practices related to privacy breaches have been codified with the intention of enhancing accountability and ensuring consistency across government in identifying and responding to privacy breaches.
41. The OPC welcomes many of the changes made to government privacy policy instruments, in particular, its definition of a material privacy breach^{Footnote 7} which now aligns with the definition found in the Personal Information Protection and Electronic Documents Act (Canada’s federal private sector privacy legislation). However, our Office remains concerned, as noted above, with the interpretation of the “materiality” of privacy breaches and the conduct of harm assessments.
42. In its final representations to our Office, TBS did not change its position on the material nature of the breach at hand, notwithstanding our sharing with TBS of our October 7, 2022 Preliminary Report, where we underscored the fact that complainants conveyed harms including humiliation, embarrassment, and even feeling violated, which are key factors of materiality. As stated, in our view, a breach involving personal information is to be considered material when it could reasonably be expected to result in serious injury or harm even to just one individual – it need not impact everyone the same way. A proper assessment of harm needs to be holistic, taking into consideration a broad range of factors, including, at a minimum, the recipient(s) of the breached personal information, the sensitivity of the personal information involved, and the probability that the personal information has been, is being, or could be misused. Further, it should be clarified that it is not necessary for an institution to receive evidence of an injury or harm to assess the materiality of a breach.
43. In summary, as reflected in our analyses, it is important to not simply focus on the type of personal information that is breached (in this case emails/contact information) but the context in which such information was breached, potential harms, and how that may inform its sensitivity (in this case, severe Phoenix impact claimants).
44. In line with our recommendations a) and c), we expect TBS to update our Office within four months on the details of the steps it has taken to comply.
45. We conclude that the complaints are well founded as the disclosure was in contravention of the provision of the Act, and conditionally resolved in part as TBS has accepted to implement recommendations a) and c). However, we remain concerned that policy instruments and supporting tools and guidance will not enhance consistency across government in identifying and responding to privacy breaches, specifically as it relates to the assessment of materiality and harms to affected individuals.
46. The OPC encourages TBS to continue to develop and refine its policy instruments, with a particular focus on rectifying the identified issues in assessing harm and evaluating the materiality of a privacy breach. Given the leadership role of TBS, we would have expected TBS to have recognized and acknowledged the materiality of this breach under either its old or new policy definitions.
47. Owing to its enforcement role, the OPC has been receiving breach incidents/complaints and historically tracking/investigating privacy breaches in both the public and private sectors both before and after reporting obligations came into effect. As such, it has accumulated a body of experience and developed tools to assess harms to affected individuals. The OPC would welcome the opportunity to work with TBS in a meaningful way and share its tools and knowledge in this regard.