It is commonplace to provide certain levels of clearance to different individuals in an organization. Typically, individuals with more power will have more access rights than lower-level employees. Organizations must be aware of what access limits an individual has, and more importantly, they must have the ability to limit or completely revoke access. In a recent Nunavut case, a federal government employee's account was not deactivated, which allowed him to access records long after his employment contract expired.
The Complainant, the government employee, filed a request with the Nunavut Information and Privacy Commissioner to investigate an alleged privacy breach by the Department of Justice (“DOJ”). The Complainant was on a contract with the Government of Nunavut (“GN”) employed as the “Superintendent of Securities”. In this position, he had access to a database that was owned and managed by the Canadian Securities Administrator. He was also able to manipulate the information in the database. The Complainant notified the DOJ when his contract expired.
About two years after he stopped working for the GN, the Complainant went to the database and was still able to access it. He “took the opportunity” to do several searches and downloaded over 700 pages of reports. The documentation included personal information, potentially of thousands of individuals (such as date and place of birth; eye colour; hair colour; height and weight; residential address; citizenship; and educational and employment history).
In response to the complaint, the DOJ admitted that it failed to rescind the Complainant’s access by oversight. Although they ensured that the Complainant’s access to the files that he had worked on in the database had been revoked, they did not realize that they were required to request the deletion of the Complainant’s complete account. As soon as they became aware, the DOJ ensured that the account was deleted.
The DOJ also took the position that the actions of the Complainant did not constitute a breach. Instead, they argued that the Complainant was bound by his contractual confidentiality agreement even after the end of the contract. This argument was rejected by the Commissioner. Despite the fact that access was granted at one point, this authorization ended when the contract ended. The incident, two years later, was unauthorized and not within the scope of the confidentiality provision of the contract.
The Commissioner concluded that the Department of Justice, in failing to take active steps to fully revoke access to the database, facilitated the unauthorized access. The Commissioner found that the failure was inadvertent and the error had been corrected.
The Commissioner held that the Complainant was “far more culpable” with respect to the breach. He was a member of a profession with ethical obligations and access had been provided in good faith. The Commissioner concluded:
[h]e chose to ignore both of these ethical and contractual obligations to prove a point. He could have pointed out the issue to the GN without searching through and downloading hundreds of pages of information from the database.
The Commissioner recommended that the Complainant be reported to the disciplinary division of his professional governing body. Further, it was recommended that the DOJ take the necessary steps to have the Complainant prosecuted under section 59 of the Access to Information and Protection of Privacy Act. Under this provision, where an individual knowingly collects, uses or discloses personal information, they can be found guilty of an offence punishable by summary conviction and liable for a fine not exceeding $5,000.00.
One of the fundamental principles of privacy in an organization is that employees should only be permitted to access documents that are relevant to their job. For instance, unless a bank teller is assisting a customer, they are not permitted to access the account of one of their friends – this is snooping. Snooping, or unauthorized access, is particularly problematic in medical and financial institutions. In order to avoid privacy breaches such as this one, organizations should: (1) limit access rights for user accounts based on what they need to access for their job; (2) implement and enforce a policy of deactivating user accounts upon termination of an employee; and, (3) conduct occasional spot checks to rule out patterns of privacy breaches and identify those who may be engaging in snooping behaviour.