In June 2023, PogoWasRight.org reported that DataBreaches.net (DataBreaches) had submitted a complaint and inquiry to Canada’s Commissioner of Privacy and Alberta’s Information and Privacy Commissioner. The complaint stemmed from a data leak involving mental health-related information that appeared to be collected by university researchers. The leak had been found by a member of the public who brought it to DataBreaches’ attention with a question about whether the researchers were required to have consent to collect data for research on “mental health.” More details on the leaked data set, the university’s failure to answer questions and questions to the provincial regulator can be found in the 2023 post. The Commissioner of Privacy’s office notified DataBreaches that this was a provincial matter for Alberta.
[Note: although all correspondence in this matter was under the DataBreaches.net domain, it is being posted on PogoWasRight.org because of the emphasis on the privacy aspects of the data collection and data leak.]
Since then, DataBreaches was contacted by the Senior Information and Privacy Manager, Compliance Support, for the Office of the Information and Privacy Commissioner of Alberta in July 2023 and then again in September 2023, seeking additional information and copies of emails. There was no further communication from the University of Alberta until March 18 of this year, when DataBreaches received an email thanking this site for notifying them of the exposed database in April 2023. But they still wouldn’t directly answer this site’s questions about whether consent had been required or obtained. They wrote:
> Bringing forward your concern allowed the universities to secure the database within 24 hours. I understand that you seek additional information about this matter. In this regard, I would kindly invite you to submit an access to information request to the UA’s Information and Privacy Office (IPO). The IPO’s website can be accessed here <https://www.ualberta.ca/information-and-privacy-office/index.html>, and will provide you with information on how to submit your access request. Thank you again and if you have any questions about how to submit your access to information request, please contact the IPO at [email protected]
They cc’d the same individual from the Office of the Information and Privacy Commissioner of Alberta who had been in contact with DataBreaches on the matter.
So after one year, the university said thank you for alerting them a year ago but didn’t answer questions. DataBreaches replied, asking them why they wouldn’t just answer two simple questions:
> 1. Did U. Alberta need consent to compile people’s social media posts for any “mental health” research or data analyses?
> 2. Did U. Alberta request and obtain prior consent from individuals to use their social media posts for “mental health” research?
>
> I would strongly encourage you to just answer the two questions already as failure to answer forthrightly looks like an attempt to cover up something.
I cc’d the provincial compliance officer as they had done.
The university replied to DataBreaches:
> I am the new Director of the University of Alberta’s Information and Privacy Office and I am responding to your most recent email to the University.
>
> We again thank you for bringing the original matter to our attention. However, in the interest of maintaining information security we will not be communicating with you further about this matter.
>
> We understand you have been in contact with the provincial regulator, the Office of the Information and Privacy Commissioner (OIPC) of Alberta, about this matter.
>
> As an institution subject to Alberta’s *Freedom of Information and Protection of Privacy (FOIP) Act*, we will cooperate with OIPC with any further investigation.
Their response seemed clearly pretextual. There was nothing in the two questions that asked about infosecurity. The questions asked about consent.
[Note: DataBreaches is not saying that the university was required to obtain consent for harvesting or using publicly posted content, but it is shocked that they would not forthrightly answer simple questions about whether they believe they were or were not required to obtain consent and whether they requested or obtained consent.]
Because they refused to answer, DataBreaches promptly submitted an access to information request and paid the required $25.00 for a general request. In light of their lack of transparency, the request was for:
1. Records relating to any discussion of, or decision about, whether University of Alberta and any researchers involved in the CRATE DB research who collected social media tweets, posts, and other materials related to “mental health” required the informed and opt-in consent of members of the public. Requested records include, but are not limited to, any emails or communications among researchers, their colleagues, university legal counsel, and university privacy and data protection counsel or personnel.
2. Records that specifically address or consider whether the researchers might be intentionally or unknowingly collecting “mental health” materials from minor children, and if so, what they would do.
3. Records relating to whether data with personally identifiable information and mental health content was to be secured via encryption or to have any other heightened data protection or security.
4. Records relating to any consent forms sent to members of the public relating to the collection, storage, and/or analysis of any tweets or other social media materials that relate to “mental health.”
5. Records relating to any public announcement by the university or the researchers prior to the start of data collection that would alert the public that there was to be research on “mental health” and social media or online activity using publicly posted tweets, Instagram posts, or other social media and that the individuals’ names, usernames, and content were to be collected.
The university’s website states, “The university must make every reasonable effort to respond to a request no later than 30 calendar days after receiving it, unless specific exceptions apply that warrant an extended period of time for the University to respond.” Within minutes of submitting the request via email with a cc to the provincial regulator, DataBreaches received an email saying:
> To whom it may concern,
>
> We are currently experiencing staff shortages that are impacting our response time to this account. We appreciate your patience and will get back to you as soon as possible.
Getting an answer about consent from a public university should not be so difficult. The university may have done nothing wrong, but its transparency failure is quite concerning. DataBreaches will continue to provide updates when available, regardless of any confidentiality sigblocks the university may add to its emails.