PogoWasRight.org

Menu
  • About
  • Privacy
Menu

Update: Why isn’t the University of Alberta more transparent about research consent?

Posted on March 29, 2024 by Dissent

In June 2023, PogoWasRight.org reported that DataBreaches.net (DataBreaches) had submitted a complaint and inquiry to Canada’s Commissioner of Privacy and Alberta’s Information and Privacy Commissioner. The complaint stemmed from a data leak involving mental health-related information that appeared to be collected by university researchers. The leak had been found by a member of the public who brought it to DataBreaches’ attention with a question about whether the researchers were required to have consent to collect data for research on “mental health.” More details on the leaked data set,  the university’s failure to answer questions and questions to the provincial regulator can be found in the 2023 post. The Commissioner of Privacy’s office notified DataBreaches that this was a provincial matter for Alberta.

[Note: although all correspondence in this matter was under the DataBreaches.net domain, it is being posted on PogoWasRight.org because of the emphasis on the privacy aspects of the data collection and data leak.]

Since then, DataBreaches was contacted by the Senior Information and Privacy Manager, Compliance Support, for the Office of the Information and Privacy Commissioner of Alberta in July 2023 and then again in September 2023, seeking additional information and copies of emails. There was no further communication from the University of Alberta until March 18 of this year, when DataBreaches received an email thanking this site for notifying them of the exposed database in April 2023. But they still wouldn’t directly answer this site’s questions about whether consent had been required or obtained. They wrote:

Bringing forward your concern allowed the universities to secure the database within 24 hours. I understand that you seek additional information about this matter. In this regard, I would kindly invite you to submit an access to information request to the UA’s Information and Privacy Office (IPO). The IPO’s website can be accessed here <https://www.ualberta.ca/information-and-privacy-office/index.html>, and will provide you with information on how to submit your access request. Thank you again and if you have any questions about how to submit your access to information request, please contact the IPO at privacy@ualberta.ca

They cc’d the same individual from the Office of the Information and Privacy Commissioner of Alberta who had been in contact with DataBreaches on the matter.

So after one year, the university said thank you for alerting them a year ago but didn’t answer questions. DataBreaches replied, asking them why they wouldn’t just answer two simple questions:

1. Did U. Alberta need consent to compile people’s social media posts for any “mental health” research or data analyses?

2. Did U. Alberta request and obtain prior consent from individuals to use their social media posts for “mental health” research?

I would strongly encourage you to just answer the two questions already as failure to answer forthrightly looks like an attempt to cover up something.

I cc’d the provincial compliance officer as they had done.

The university replied to DataBreaches:

I am the new Director of the University of Alberta’s Information and Privacy Office and I am responding to your most recent email to the University.

We again thank you for bringing the original matter to our attention. However, in the interest of maintaining information security we will not be communicating with you further about this matter.

We understand you have been in contact with the provincial regulator, the Office of the Information and Privacy Commissioner (OIPC) of Alberta, about this matter.

As an institution subject to Alberta’s *Freedom of Information and Protection of Privacy (FOIP) Act*, we will cooperate with OIPC with any further investigation.

Their response seemed clearly pretextual. There was nothing in the two questions that asked about infosecurity. The questions asked about consent.

[Note: DataBreaches is not saying that the university was required to obtain consent for harvesting or using publicly posted content, but it is shocked that they would not forthrightly answer simple questions about whether they believe they were or were not required to obtain consent and whether they requested or obtained consent.]

Because they refused to answer, DataBreaches promptly submitted an access to information request and paid the required $25.00 for a general request. In light of their lack of transparency, the request was for:

1. Records relating to any discussion of, or decision about, whether University of Alberta and any researchers involved in the CRATE DB research who collected social media tweets, posts, and other materials related to “mental health” required the informed and opt-in consent of members of the public. Requested records include, but are not limited to, any emails or communications among researchers, their colleagues, university legal counsel, and university privacy and data protection counsel or personnel.

2. Records that specifically address or consider whether the researchers might be intentionally or unknowingly collecting “mental health” materials from minor children, and if so, what they would do.

3. Records relating to whether data with personally identifiable information and mental health content was to be secured via encryption or to have any other heightened data protection or security.

4. Records relating to any consent forms sent to members of the public relating to the collection, storage, and/or analysis of any tweets or other social media materials that relate to “mental health.”

5. Records relating to any public announcement by the university or the researchers prior to the start of data collection that would alert the public that there was to be research  on “mental health” and social media or online activity using publicly posted tweets, instagram posts, or other social media and that the individuals’ names, usernames, and content were to be collected.

The university’s website states, “The university must make every reasonable effort to respond to a request no later than 30 calendar days after receiving it, unless specific exceptions apply that warrant an extended period of time for the University to respond.” Within minutes of submitting the request via email with a cc to the provincial regulator, DataBreaches received an email saying:

To whom it may concern,

We are currently experiencing staff shortages that are impacting our response time to this account. We appreciate your patience and will get back to you as soon as possible.

Getting an answer about consent from a public university should not be so difficult. The university may have done nothing wrong, but its transparency failure is quite concerning. DataBreaches will continue to provide updates when available, regardless of any confidentiality sigblocks the university may add to its emails.

Category: Artificial IntelligenceBreachesNon-U.S.OnlineYouth & Schools

Post navigation

← Florida’s DeSantis signs one of the country’s most restrictive social media bans for minors
Meta Can’t Delay FTC Review of Privacy Terms, Appeals Court Says →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows
  • FTC dismisses privacy concerns in Google breakup
  • ARC sells airline ticket records to ICE and others
  • Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech

RSS Recent Posts on DataBreaches.net

  • Turkish Group Hacks Zero-Day Flaw to Spy on Kurdish Forces
  • Cyberattacks on Long Island Schools Highlight Growing Threat
  • Dior faces scrutiny, fine in Korea for insufficient data breach reporting; data of wealthy clients in China, South Korea stolen
  • Administrator Of Online Criminal Marketplace Extradited From Kosovo To The United States
  • Twilio denies breach following leak of alleged Steam 2FA codes
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy