A town employee in La Scie, Canada, used his personal Facebook email account to send private information to two individuals, who then filed a privacy complaint over, inter alia, the insecure method of sending financial information. The town attempted to justify their action by saying that they had no other way to contact the residents as they had no phone numbers and… wait for it… the account was password protected (insert *facepalm* here).
From the Office of the Information and Privacy Commissioner of Newfoundland and Labrador:
The Information and Privacy Commissioner, Ed Ring, has released his Report P-2012-001 under authority of theAccess to Information and Protection of Privacy Act. A summary of the Report is included below.
To view the Report in its entirety, please go to www.oipc.nl.ca/privacyreports.htm
Report: P-2012-001
Report Date: September 27, 2012
Public Body: Town of La ScieSummary: On January 19, 2012 the Office of the Information and Privacy Commissioner received a Privacy Complaint under the Access to Information and Protection of Privacy Act (“ATIPPA”) filed collectively by two individuals regarding the Town of La Scie (the “Town”). The Complainants stated that their personal information had been sent to one of the Complainants by a Town employee via a private message on a social media website (“Facebook”). The message was sent using the employee’s personal Facebook account. The Complainants alleged that their personal information was not adequately protected pursuant to section 36; was improperly used pursuant to section 38; and was improperly disclosed pursuant to section 39.
The Commissioner found that the disclosure of the Complainants’ personal information was not contrary to the ATIPPA as the message was sent only to the Complainants. The Commissioner found that the Facebook message was a use of the Complainant’s personal information and that the method by which this use was carried out (i.e. Facebook) did not meet the limitations set out in section 38(2) or standard of necessity required by sections 38(1)(a) and 40(b) of the ATIPPA and, consequently, amounted to an improper use of personal information. Finally, the Commissioner found that the personal information had not been adequately protected. The Commissioner also provided commentary on the use of social media by public bodies and concluded that outside of community matters, announcements and notices, social media websites should not be used by public bodies to collect, use or disclose personal information regardless of the mechanism of delivery. The Commissioner recommended that the Town create and implement polices and practices regarding the use of social media and ensure that privacy training is provided to all Town employees.
h/t, Norwester