
TBS email breach illustrates the importance of considering context when assessing impact of a breach
Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.
- Was the disclosure of personal information authorized under the Privacy Act?
- Was the privacy breach considered "material" by TBS?
- Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?
Complaint well-founded and conditionally resolved in part
TBS contravened the Privacy Act by improperly disclosing personal information. While TBS agreed to implement two of the OPC's recommendations, it did not fully commit to improving its assessment of breach materiality, leading to a conditional resolution.
AI-generated summary for reference only. Always verify against the official decision.
TBS agreed to share the OPC's final report with staff, reminding them of their privacy obligations, and to engage with the Canadian Digital Service to explore more secure communication methods.
- s. 8 Privacy Act
- s. 3 Privacy Act
This summary is informational only and not legal advice.

