Investigation of Correctional Service Canada’s collection and disclosure of an individual’s personal information from Facebook related to an employee’s 699-leave

Background

The complainant is the spouse of a former CSC employee (“the employee”). In July 2020, in the context of the Pandemic, the employee was on “other leave with pay (699)” due to the fact that their spouse, the complainant, was at high risk for severe illness from COVID-19, and it was not possible for the employee to telework.

At this time, an assistant warden, who was the employee’s divisional head, was advised by a manager that the employee had been seen in photos with others, without a mask and travelling away from home. The manager showed the assistant warden the photos on their cell phone.

The assistant warden subsequently used their personal Facebook account to look-up the employee and the complainant on Facebook, and printed nine screenshots from the complainant’s Facebook profile. The assistant warden subsequently shared the screenshots they collected with three other senior managers.

Investigation

Section 4 of the Act states that no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.

In their submissions to our office, CSC explained that the complainant’s personal information was collected to respond to a claim that their spouse, a CSC employee, may be in contravention of the 699-leave policy regarding COVID-19. In particular, the personal information was collected to consider allegations raised that the employee was not self-isolating to protect the health of a family member at high risk, which was the basis for the 699-leave they had been granted. Ultimately, CSC did not revoke the employee’s leave.

699 leave is a type of leave that can be granted, at the discretion of management, to employees who are unable to work for reasons beyond their control. Treasury Board policy at the time of the use of 699 leave by employees unable to telework indicated that 699 leave could be provided in cases where an employee or someone they lived with was at high risk of severe illness from COVID-19 – while also noting that cases should be examined individually.

We reviewed the nine screenshots that the assistant warden collected and shared. We found that in addition to photos and comments that could conceivably be linked to assessing the employee’s use of 699 leave, the material included photos, comment threads and information about the complainant that had no connection to the concern brought to the assistant warden’s attention. We therefore found that CSC contravened the collection provisions of the Act in this case by collecting personal information that was not related directly to an operating program or activity of CSC.

CSC flagged that the information was collected from the complainant’s public-facing Facebook page. In relation to this, we reminded CSC that while the Privacy Act contains an exclusion for publicly available information under subsection 69(2), this exclusion stipulates only that the use and disclosure provisions (sections 7 and 8) of the Act do not apply to information that is publicly available. The remaining provisions of the Act still apply, including the collection provisions. In other words, whether or not information is publicly available, federal government institutions must ensure all personal information collected is related directly to an operating program or activity as required by section 4.

Since our Office determined that CSC should not have collected the complainant’s personal information that had no bearing on assessing the employee’s 699 leave claim, the information should therefore not have been subsequently disclosed to several members of the employee’s management team.

With respect to corrective action, CSC confirmed during the course of the investigation that it had deleted all copies of the screenshots collected. To reduce the risk of similar contraventions in the future, we recommended that CSC develop and disseminate to managers, guidance on processes to follow before collecting information in a labour relation context, to reduce the risk of incidental collection of unrelated third party personal information. CSC agreed, committing to disseminating guidance to managers related to the limits and processes in place to minimize the risk of privacy breaches, including who to contact before beginning to investigate or collect third party information, in the context of a labor relations matter.

Other

The complainant also raised concerns that as a member of the public, when they reached out to the CSC ATIP Office for information about how they would go about making a privacy complaint against a CSC employee, they were informed that receiving privacy complaints is not the role of the ATIP office. Instead, they were redirected to internal resources that would be suitable only for CSC employees (i.e., to raise their concern with CSC human resources or union representative).

CSC clarified to OPC that the ATIP Officer who responded to the complainant made an error and that the complainant should have been directed to submit a complaint to the OPC, as per CSC protocol when a member of the public raises a potential breach of personal information. We noted that while it is important that individuals be made aware of their right of recourse to complain to the OPC, this in no way precludes institutions from having internal processes to accept and attempt to informally address privacy complaints from Canadians. In fact, we would encourage institutions to do so as this may often be an effective way of resolving individuals’ privacy concerns and demonstrating the institutions’ commitment to privacy.