A recent Alberta privacy case, P2019-ND-006 (in PDF), deals with a breach of salary information about identifiable individuals under the Personal Information Protection Act (PIPA). The Office of the Privacy Commissioner of Alberta found that “A reasonable person would consider that the identity and salary information could be used to cause the significant harms of hurt, humiliation and embarrassment, particularly if shared with individuals who have a personal or professional relationship with the affected individuals.”
On March 30, 2018, an employee of an Alberta organization went through his supervisor’s desk without permission and found a wage rate sheet for 20 of his fellow employees. However, he told his supervisor during a telephone conversation that same day that the wage rate sheet was on the desk.
The supervisor asked the employee to put the document inside the desk.
Unbeknownst to the supervisor, the employee took a photo of the wage rate sheet and shared the information with six other employees at the site.
On April 2, 2018, the supervisor was speaking with employees at the site, who mentioned that the employee was telling co-workers he knew their hourly rates and was showing them the photo he had taken of the wage sheet.
How did the Organization address the breach?
The Organization conducted an investigation into the breach and found that the incident involved all or some of the following information for 20 employees in the organization:
- first name,
- work site,
- hourly rate,
- earnings 28 days prior, and
- statutory pay calculation.
The above information is about identifiable individuals and is “personal information” as defined in section 1(1)(k) of the PIPA.
Although the organization found that it is “not aware of any direct harm as a result of this breach,” it determined that “wage rate information should be private and confidential and the employees were likely uncomfortable with their personal wage rate information being known or shared with others without their consent.”
As a result, the employee was terminated, and the supervisor received training regarding the need to safeguard all personal information, the importance of the confidentiality of personal information and the need for physically secured computers that are password protected and locked when not in use.
Affected individuals were notified orally by their manager during the week of July 23, 2018, and August 4 and 5, 2018. A few individuals were notified by the end of September 2018 when they had a scheduled shift.
Reporting to the Office of the Privacy Commissioner of Alberta
Under section 34.1 of the PIPA, an organization with personal information under its control must notify the Commissioner, without reasonable delay, of a privacy breach where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
The Organization did complete its mandatory reporting to the Office of the Privacy Commissioner of Alberta; however, it indicated in the report that it is “not aware of any direct harm as a result of this breach,” but determined that “wage rate information should be private and confidential and the employees were likely uncomfortable with their personal wage rate information being known or shared with others without their consent.”
The Commissioner conducted its own investigation and concluded,
“The Organization reported that it does “…not think the harm is significant as there is no evidence of direct harm or personal risk (for instance, fraud or theft) as a result of the breach.” Further, “It is not likely that harm could result from this breach. While there may be some upset feelings as a result of the breach, [Organization] has no knowledge that employees whose wage rate information was seen suffered any harm.”
While I agree with the Organization that it is unlikely the unintended recipients (who are known to the Organization) would use the information for fraudulent purposes, the information was in fact accessed and then disclosed in an unauthorized manner. It is not clear what the terminated employee’s intent was for taking the Organization’s wage list and sharing it amongst the employees. However, this use of the information, and the potential relationships, increases the likelihood of hurt, humiliation and embarrassment resulting from the incident.
Based on the information provided by the Organization and given the circumstances of the incident, I have decided that there is a real risk of significant harm to the affected individuals.
A reasonable person would consider that the identity and salary information could be used to cause the significant harms of hurt, humiliation and embarrassment, particularly if shared with individuals who have a personal or professional relationship with the affected individuals.”
Since the Organization had made plans to notify all of the affected employees, the Office of the Privacy Commissioner of Alberta did not require the affected employees to be notified again.
Management and leaders of an organization should commit to and support a privacy management program to create a culture of compliance. To this end, they should also name a privacy officer to lead the program and handle any privacy-related issues.
An initial risk assessment should be conducted to identify the types of personal information about identifiable individuals the organization holds and how it uses that information, and to determine the controls and safeguards that should be put in place to protect it.
Continued risk assessment and monitoring should be conducted regularly to ensure the effectiveness of the privacy management program and that the program is up-to-date.
All employees, including management, should be trained to understand how to assess privacy risks and respond to potential data breaches, so that damage is minimized if and when a breach arises.
Organizations should implement a breach and incident management response and investigation process. In the event that a breach does occur, they should have a procedure and a team in place to manage the response and to report to and notify the Office of the Privacy Commissioner.
In addition, organizations should know how the personal information they retain is handled by the third-party service providers they use to conduct business, including third-party service providers that operate in a foreign jurisdiction.