To BCC or Not to BCC? Additional Recommendations from the Privacy Commissioner of Saskatchewan

In December 2022, the Office of the Privacy Commissioner of Saskatchewan (IPC) released an Investigation Report following its investigation into an incident where the blind carbon copy (BCC) function was not used when emailing ratepayers, leading to personal email addresses being leaked.

Last year, we discussed a near identical circumstance and associated Investigation Report in To BCC or Not to BCC? That Is the Question. This recent Investigation Report acts as an additional reminder for public bodies to ensure that they are meeting their obligations under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).

Over 200 Email Addresses Leaked

In February, 2022 the hamlet chairperson sent out an email to over 200 email addresses – as the BCC function was not used, all recipients could view the addresses. Following the email, the hamlet chairperson sent a short note requesting that recipients delete the addresses, and apologizing for the error. A complaint was then filed at the Office of the Privacy Commissioner as a result of the breach, which indicated that this was not the first time this had happened and previous assurances had been given that it would not happen again.

IPC Findings

The IPC has previously stated that following a breach a public body must take steps to contain the breach, notify affected individuals, investigate the breach and prevent future breaches.

In this case, the IPC found that although the hamlet conducted an adequate investigation and took appropriate steps to prevent future breaches, its containment and notification processes were inadequate.

In particular, the IPC made the following findings:

  • Containment: By sending an initial email five minutes after the breach, the hamlet chairperson acted in a timely manner. However, the hamlet did not confirm whether it had followed the previous recommendations of the IPC to try to recall the email or request recipients confirm that they deleted the email.
  • Notification: The hamlet chairperson acted appropriately by notifying recipients and the RM’s Chief Administrative Officer on the same day of the breach – however, as the notification did not contain sufficient information on the breach nor proactively report the breach to the IPC adequate notification was not provided.
  • Investigation: The internal response to the breach demonstrated that the root cause of the breach had been determined and consequently an adequate investigation was conducted.
  • Steps to Prevent Future Breaches: After the previous Investigation Report, the IPC concluded that the hamlet did not have appropriate safeguards in place. However, for this breach the IPC found that a plan to have two persons present for future emails and changing to an alternate email platform which allowed the BCC function to be the default were appropriate steps to prevent future breaches. In doing so, the IPC reemphasized its previous recommendations.

Are You Meeting Your Privacy Law Obligations?

This Investigation Report emphasizes the need for public bodies to ensure that appropriate safeguards are in place to protect personal information. The steps that public bodies can take to ensure appropriate safeguards are in place include:

  • implementing a policy to response to privacy breaches as well as with respect to the collection use, disclosure and safeguarding of personal information
  • having confidentiality agreements in place internally
  • having staff, council, and board members complete access and privacy training at least once annually

MLT Aikins has extensive experience advising public bodies on their privacy law obligations. We have helped public bodies develop privacy policies, confidentiality agreements, breach response policies and privacy training for staff. Contact our Municipal or Privacy, Data Protection & Cybersecurity group to learn more.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.