The Office of the Saskatchewan Information and Privacy Commissioner (OSIPC) has released its investigative report into the decision by the Moose Jaw Police Service to fire two employees in 2018 over breaches of privacy.
The Moose Jaw Police Service (MJPS) reported two separate privacy breaches to the privacy commissioner’s office on Nov. 6, 2018, due to unauthorized system access or “snooping” by two employees, the report explained. On Nov. 15, 2018, the MJPS provided summaries of both breaches that included details about each incident and the initial contents of the internal investigation.
After reviewing the information, privacy commissioner Ronald Kruzeniski found that both breaches were contained; that the MJPS provided appropriate notification of the breaches; that the MJPS appropriately investigated breaches A and B and discovered the root causes were that employees A and B disregarded police policy, their privacy training and their oath of secrecy; and that the police service is taking appropriate steps to prevent similar privacy breaches from occurring in the future.
Kruzeniski recommended that the Moose Jaw Police Service implement proactive audits for Versaterm, the application it uses to record information on investigations.
Breach A
On Sept. 17, 2018, the police service received a call from a parent of an alleged young offender with concerns that employee A had shared the alleged youth’s police file information with a third party, Kruzeniski explained. After reviewing Versaterm, the police service determined employee A had looked into the young offender on Sept. 1, 2018.
A minute after logging off, the employee’s internet history indicated a message had been sent to the third party through Facebook. The MJPS determined the message included details from the youth’s file, excluding the name. The employee admitted to accessing the information when approached by the MJPS.
Breach B
On Oct. 2, 2018, employee B, who was off-duty at the time, asked an on-duty communications officer to search licence plate information in the system to find the vehicle owner who had allegedly been involved in an accident with employee B’s child, the report said. The on-duty communications officer refused, stating it was not work-related. Employee B indicated the same request would be made to the communications officer on duty later that day; that person turned out to be employee A.
The privacy commissioner’s office asked the MJPS on Nov. 26, 2018, to complete a formal investigation into both breaches. The police service provided additional information to Kruzeniski on Nov. 30, 2018, also indicating it had fired employee A and employee B on Nov. 22, 2018.
Analyzing the situations
In his report, Kruzeniski reviewed the Moose Jaw Police Service’s management of the privacy breaches against the five best practice steps laid out in a document called Privacy Breach Guidelines for Government Institutions and Local Authorities.
Containing the breach
Once it became aware of the breaches, the MJPS suspended employee A on Oct. 16, 2018, and removed all access to internal systems and applications pending an investigation, Kruzeniski said. The organization sent officers to interview the recipient of the Facebook message, who resides in another province.
The MJPS suspended employee B from duties on Oct. 31, 2018, and removed all access to internal systems and applications pending an investigation.
Kruzeniski said the MJPS took the appropriate steps in containing both breaches. He commended the organization for taking additional steps with breach A to verify how much information had been disclosed through Facebook.
Notifying affected individuals or organizations
The police service contacted the young offender by phone on Sept. 21, 2018, and advised that the youth’s information may have been breached. It followed up by phone again on Oct. 5 and Nov. 22, 2018, advising the youth of the investigation’s outcome and that employee A had been fired for inappropriately using police systems for personal use.
Meanwhile, the MJPS chose not to provide information about the access to licence plate information since employee B did not appear to have used this information, said Kruzeniski. The MJPS audited the employee’s online activities and found further breaches that were also investigated. Notification was then provided to those affected individuals.
Kruzeniski found the MJPS provided appropriate notification to the affected people. He also pointed out the organization issued a news release about firing the two employees that, while not typical, demonstrated its commitment to protecting sensitive public information.
Investigating the breach
The MJPS audited its system on Oct. 3, 2018, and found employee A had accessed the system for the licence plate information for employee B and attributed the search to someone else. The audit also found the employee had sent information about the alleged young offender through Facebook, which is not a secure platform, the report said.
Employee B admitted accessing the information was done out of interest and curiosity and not for job-related reasons.
The MJPS told Kruzeniski’s office that employee A took in-house privacy training on Nov. 6, 2017, and employee B took similar training on Oct. 30, 2018. Both employees also signed an oath of secrecy upon commencement of employment, which promises that employees will not inspect or have access to any written statement or police service record.
Employees A and B should have known their roles in light of The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and their obligations to protect personal information, Kruzeniski said. Their actions contravened MJPS policy, their training, and their oath of secrecy. He found the MJPS appropriately investigated both breaches and their root causes.
Developing and implementing a prevention plan
One of the most important aspects of preventing future breaches is ensuring appropriate safeguards exist, said Kruzeniski. Firing both employees was an appropriate step to prevent similar privacy breaches from happening.
Privacy training is another way to prevent privacy breaches from occurring, he continued. After reviewing the MJPS’s training curriculum, Kruzeniski said he was impressed with the various topics covered in the training for employees.
Kruzeniski also recommended that the MJPS proactively audit Versaterm, which could include auditing on random samples at specific time intervals, developing specific flags such as same-name or user/organization lookups, lookups without user notes, lookups on high-profile cases, or lookups on cases that are resolved or completed.
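As an added illustration (not part of the report and not MJPS or Versaterm code), the audit flags listed in the recommendation could be applied to access records along these lines. The record fields, case IDs and high-profile list are constructed assumptions, not Versaterm's actual schema; the sketch covers the same-name, missing-note, high-profile and closed-case flags, then draws a random sample from the lookups that raised no flag.

```python
import random

# Constructed sample access records. Field names are hypothetical,
# chosen for illustration; they are not Versaterm's real log schema.
ACCESS_LOG = [
    {"user": "emp01", "user_surname": "Smith", "subject_surname": "Smith",
     "case_id": "C-100", "case_status": "open", "note": "dispatch call 4411"},
    {"user": "emp02", "user_surname": "Jones", "subject_surname": "Brown",
     "case_id": "C-200", "case_status": "resolved", "note": ""},
    {"user": "emp03", "user_surname": "Lee", "subject_surname": "Wong",
     "case_id": "C-300", "case_status": "open", "note": "follow-up"},
    {"user": "emp04", "user_surname": "Patel", "subject_surname": "Green",
     "case_id": "C-400", "case_status": "open", "note": "traffic stop 22"},
    {"user": "emp05", "user_surname": "Khan", "subject_surname": "White",
     "case_id": "C-500", "case_status": "open", "note": "warrant check"},
]

# Assumed to be maintained by the privacy officer (constructed value).
HIGH_PROFILE_CASES = {"C-300"}


def flag_lookup(rec, high_profile=HIGH_PROFILE_CASES):
    """Return the list of audit flags raised by one lookup record."""
    flags = []
    if rec["user_surname"].lower() == rec["subject_surname"].lower():
        flags.append("same-name")        # user shares a surname with the subject
    if not rec["note"].strip():
        flags.append("no-user-note")     # no recorded reason for the lookup
    if rec["case_id"] in high_profile:
        flags.append("high-profile")
    if rec["case_status"] in ("resolved", "completed"):
        flags.append("closed-case")      # access after the file was closed
    return flags


def audit(log, sample_size=1, seed=None):
    """Return (flagged lookups, random sample of unflagged lookups) by index."""
    flagged = [(i, f) for i, rec in enumerate(log) if (f := flag_lookup(rec))]
    flagged_idx = {i for i, _ in flagged}
    unflagged = [i for i in range(len(log)) if i not in flagged_idx]
    rng = random.Random(seed)
    sample = rng.sample(unflagged, min(sample_size, len(unflagged)))
    return flagged, sorted(sample)


if __name__ == "__main__":
    flagged, sample = audit(ACCESS_LOG, sample_size=1)
    for idx, flags in flagged:
        print(ACCESS_LOG[idx]["user"], ACCESS_LOG[idx]["case_id"], flags)
    print("random sample for manual review:", sample)
```

A flag is a prompt for a reviewer to ask the employee for the work-related reason, not proof of snooping; the random sample exists to catch lookups that match none of the rules.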
Completing a report
Kruzeniski found that MJPS’s investigation report contained all the necessary elements. He commended the organization for developing a comprehensive approach to protecting privacy and treating privacy breaches seriously, especially since the MJPS had been under LA FOIP for only a short time.