Worker concerned over SIN usage: Analysis of a privacy complaint

Privacy laws are still a relatively new realm for employers, particularly when it comes to safeguarding employee data. A recent ruling by Alberta’s Information and Privacy Commissioner involving a union member in Edmonton who filed a complaint over how the union safeguarded personal information that was stored on a server in Las Vegas sheds some light on what employers should be doing to protect employees’ personal information and how to respond to a privacy complaint.

The worker was a member of the Alberta Regional Council of Carpenters Union (RCC) who was based in Edmonton. The RCC is a chartered council of the United Brotherhood of Carpenters and Joiners of America, an international union representing carpenters and allied trades.

The international union maintains personal information about its members in an electronic system called ULTRA. This system is a member record-keeping system that is capable of recording information about union members, including name, address, phone number, birth date, language, citizenship, gender, employer, membership status, classification, age and years of service. It also has a field for political affiliation, but the RCC did not collect that information.

ULTRA was developed in 1998 using proprietary software owned and developed by the international union. The servers are located in the union’s data centre in Las Vegas.

In May 2005, a union member asked RCC about the ULTRA system because he was concerned about the security of members’ data. He asked, “How it works with the use of my social insurance number (SIN) number and how the international union is using SIN numbers.”

He did not put his request in writing, but rather simply posed the question verbally to RCC’s privacy officer. He said he received a verbal message that the request was denied and he was told to communicate directly with the international union.

The union member then contacted Alberta’s Information and Privacy Commissioner to lodge a complaint.

“He was concerned about the union’s failure to respond to his inquiry about the ULTRA system and had concerns about the security and confidentiality of union members’ personal information at the local and international level,” wrote Elizabeth Denham of the Office of the Information and Privacy Commissioner of Alberta in the decision.

In July 2005, during the investigation of the complaint against RCC, an incident occurred involving an alleged breach of privacy and confidentiality of membership information by a dispatcher. The RCC alleged the dispatcher exported membership information from the ULTRA database and from an internal database operated locally through the Edmonton union.

The RCC said the individual accessed the systems from his own home computer and, in response, it fired the worker and sought redress through the courts. The union member brought this incident to Denham’s attention as evidence of lax security measures by the union.

Denham pointed out that it was uncontested that the union member asked for information about the use of SINs in the system. But the inquiry was a verbal request to RCC’s privacy officer and was never put in writing.

Therefore, technically, the union member was not an “applicant” as defined in Alberta’s Personal Information Protection Act (PIPA). However, Denham said she believes the privacy officer or senior officials at the union had a duty to suggest that he put his request in writing.

“I find that there was a positive duty to inform him that his request had to be in writing in order to get a response, rather than referring him to the international union,” she said.

She pointed out that, under PIPA, organizations must “develop and follow policies and practices that are reasonable for the organization to meet its obligation under this act” and “make information about the policies and practices … available upon request.”

The international union issued a policy statement regarding the use of SINs in February 2003. It implemented an internal identification number to replace the use of SINs, restricted the use of the numbers and implemented further controls for printed documents containing SINs.

Denham said it would have been “relatively easy” for the union’s privacy officer to provide a copy of the policy to the union member rather than referring him to the international union.

“It may have eased some of his concerns about the security of the data.”

Denham said the union contravened PIPA by failing to respond to his request for policy information. But she stopped short of saying it had contravened the section of the legislation that says organizations have a duty to assist, because the union member did not put his request in writing.

“I cannot find that the organization contravened s. 27 in failing to advise the complainant of his right to file a written request for access under the act because (he) is not technically ‘an applicant’ as defined by the act,” said Denham.

Denham said the RCC has since implemented a policy that details the responsibilities of the privacy officer, including annual reporting requirements, proactive policy dissemination and a complaint-handling process.

“In the spirit of the ‘duty to assist,’ the RCC has agreed to enhance this policy by including a process for responding to informal requests for access to information,” she said.

For more information see:

Investigation P2006-IR-004, Alberta Information and Privacy Commissioner.



What’s ‘reasonable’ security?

Under Alberta’s privacy legislation, an organization must protect personal information by making “reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.”

But what is reasonable? Is the fact there was a security breach evidence the organization didn’t go far enough?

“I believe that it is incorrect to assume that an employee’s unauthorized use and disclosure of personal information is conclusive evidence of unreasonable security practices,” said Denham. “Although under PIPA organizations are responsible for the actions of employees, intentional wrongdoings by a trusted employee who legitimately required full access to the system for his job functions is not conclusive of a breach … however, PIPA requires that organizations take measures to guard against reasonably foreseeable risks.”

In this case, the extent of the unauthorized use and disclosure of information from the ULTRA system was not a reasonably foreseeable risk. The employee allegedly exported membership information from the ULTRA database and from an internal database operated locally. Court records indicate computer forensic experts determined that a file-sharing program had been activated on the work computer, allowing users to bypass its security, download unauthorized software and enable remote access to the machine.

“I do not believe that these actions could have been reasonably foreseen by the organization,” said Denham, citing the following reasons:

• the employee was a trusted senior staff member with no performance issues;

• he had been an elected union official;

• extensive security and confidentiality training was provided to the employee;

• he had taken a confidentiality oath; and

• the log-on procedures and the audit capacity of the system.

“I hesitate to recommend that, in this case, more should have been done to protect against this type of threat by a trusted member of the staff who had legitimate access to the system,” said Denham. “I considered whether every organization holding personal information in a computer system could reasonably be expected to proactively monitor all employee activity with respect to every database.”



How long should information be kept?

The union member was also concerned about the length of time information was being retained. Denham pointed out that, unlike B.C., Alberta’s legislation does not contain a general obligation that an organization destroy documents containing personal information or remove identifiers as soon as it is reasonable to assume the information is no longer necessary.

“However, I believe that for privacy best practices and data security purposes, organizations are well served by deleting or disposing of personal data no longer required for the purpose for which it was collected,” said Denham. The ULTRA system contained a lot of information and detail about individuals, and perhaps RCC could establish that only a core amount of data is needed for legal and business requirements, she said.

“Any data fields that are not needed for long-term business purposes could be purged at a specific trigger point,” she said, such as a certain number of years from the membership enrolment date or at death.



How the union fixed the problem

The union took the following steps to secure the data and to mitigate the risk in the future:

• within six days of the alleged export of the membership records, RCC’s executive secretary treasurer was advised by the international union’s director of technology of the problem;

• RCC brought in an external IT contractor to review the incident. The following day, the employee was terminated;

• immediately after termination (the same day) RCC reviewed the employee’s e-mail, removed his pass code and blocked him from administrative access to the website and access to the telephone system;

• retained Deloitte & Touche to conduct a forensic investigation;

• commenced legal action to protect the confidentiality of the exported data;

• revised its privacy policy to include detailed responsibilities for the privacy officer and an incident response protocol; added specific rules regarding remote access, laptop and electronic storage devices and removal of records from the office; and

• outsourced IT functions to separate the functions of dispatcher and IT.
