IRCC email breach creates risk of harm to individuals seeking Afghan emergency assistance
Immigration, Refugees and Citizenship Canada (IRCC) inadvertently disclosed the email addresses of 636 individuals seeking emergency assistance related to the situation in Afghanistan. These individuals were included in the "TO" field of mass emails, rather than the "BCC" field, exposing their contact information to other recipients. The Office of the Privacy Commissioner of Canada (OPC) found that IRCC contravened section 8 of the Privacy Act due to insufficient controls to prevent such disclosures and that the complaint was well-founded. While IRCC took immediate steps to mitigate the breach, the OPC emphasized the need for robust preventative measures.
- Disclosure of personal information without consent
- Adequacy of preventative measures for mass emails
- Mitigation of harm to affected individuals
- Risk of recurrence of similar breaches
Complaint well-founded and conditionally resolved
IRCC contravened section 8 of the Privacy Act by disclosing personal information erroneously. While IRCC implemented remedial actions, the OPC found that the institution's preventative measures were initially insufficient, leading to a conditionally resolved outcome pending further technological enhancements.
AI-generated summary for reference only. Always verify against the official decision ↗
IRCC committed to providing an update on further technological measures to mitigate misdirected email correspondence by March 3, 2023.
- s. 8 Privacy Act
This summary is informational only and not legal advice.