Yukon Information and Privacy Commissioner
IPC finds inadequate security & unauthorized disclosure of employee personal information by the Public Service Commission
Tue, Jan 29, 2019
NEWS RELEASE
FOR IMMEDIATE RELEASE
JANUARY 29, 2019
IPC finds inadequate security & unauthorized disclosure of employee personal information by the Public Service Commission
WHITEHORSE – Yukon’s Information and Privacy Commissioner (IPC) has found that the Public Service Commission (PSC) disclosed the personal information of thousands of Yukon government employees and other public sector employees, contrary to the requirements of the Access to Information and Protection of Privacy Act (ATIPP Act). Diane McLeod-McKay also found that the personal information has not been adequately secured by the PSC.
A complaint was made to the IPC on November 3, 2016 by an employee of the Yukon government, who was concerned that too many Yukon government employees were able to access the information of all government employees and others through the PSC’s Human Resource Management System (HRMS). This employee was also concerned that the security of the information was inadequate.
McLeod-McKay looked into the complaints and has issued an Investigation Report (some sections of the report have been redacted for security reasons).
“This case demonstrates the importance of evaluating information technology systems, which are used to process personal information, for compliance with privacy laws,” said McLeod-McKay. “These systems store a large amount of personal information, including sensitive information. Mismanagement of this information can cause significant breaches of privacy that can negatively impact large numbers of individuals. In providing their personal information to public bodies or health information custodians, individuals expect that it will be managed in accordance with their rights under Yukon’s privacy laws.”
The PSC’s position in respect of the complaint was that it was authorized to disclose personal information to Yukon government public bodies because it is responsible to manage employees who work within these public bodies or move between them during their careers. The PSC did not make any representations regarding the security of the HRMS.
The IPC determined that Yukon government employees, most of whom were responsible for human resources functions in all government departments and the Yukon Legislative Assembly, had access to the personal information of other employees for management purposes. She found that the PSC had authority to disclose personal information about an employee to their home department, as well as to the Department of Finance, but did not have authority to disclose this same information to other Yukon government departments which have no responsibility for the employee.
McLeod-McKay’s conclusion is that the PSC was disclosing employees’ personal information contrary to the requirements of the ATIPP Act. She also concluded that the security of the personal information is not in accordance with the requirements of the ATIPP Act.
McLeod-McKay made 17 recommendations to remedy the non-compliance. The PSC accepted the recommendations and is working with the Office of the IPC on their implementation.
“This is Data Privacy Week, a week celebrated around the world to highlight the impact that technology is having on our privacy rights and to emphasize the importance of valuing and protecting personal information,” added McLeod-McKay. “During Data Privacy week, I encourage bodies subject to Yukon’s privacy laws to evaluate their information technology systems for compliance and to address any shortcomings. My office would be pleased to answer any questions about how to address these risks.”
Contact:
Diane McLeod-McKay
Information and Privacy Commissioner
867-667-8468
info@ombudsman.yk.ca