The Northwest Territories Department of Justice has landed in a bit of hot water after a privacy complaint revealed it was being less than diligent in controlling access to sensitive employee information.
A complaint to the Information and Privacy Commissioner alleged the department failed to turn off a worker’s email when he left, nor did it remove his permission to access the government’s servers.
In particular, the former employee alleged:
- As a manager, he had access to the PeopleSoft files of his employees and he continued to have access to sensitive third-party personal information about his former employees through the PeopleSoft HR software long after he left and had no reason to have access.
- He continued to receive automated email messages at his personal Gmail account containing sensitive personal information about third parties for up to eight months after his departure.
- His government email address remained active and monitored by another employee for at least six months after his departure.
He said that when he left in 2014, his status in PeopleSoft was not properly updated to reflect his status as a former employee. Instead, his access rights were delegated to his former supervisor without his knowledge or consent.
He was able to view information for 11 of his former employees, including vacation leave, sick leave, overtime and other personnel management information.
The information being forwarded to his Gmail address automatically included details like wage information, requests for approval of leave and information about another employee’s contract ending.
He brought these concerns to the attention of management over a period of several years, he said.
The commissioners ruling stated that:
“With respect to his apparent ongoing access to the PeopleSoft information of other employees, he was told that because of the circumstances of his departure (he was no longer working for the Department but was still an “employee” for the purpose of pay and benefits for a period of six months), though he was no longer an employee, he was still being paid, which meant that he still had to be attached to a position number and because that position number was that of a manager, it included various permissions needed to supervise employees.”
He also noted that he was never asked to delete, destroy or return the personal information in his possession when he alerted management.
He also pointed out that, because the government didn’t decommission his email but instead had another supervisor monitoring it, his privacy was breached in that “there was a very real possibility that emails of a personal nature were sent to his former GNWT address and were read by the supervisor receiving his emails.”
The complainant quoted from the 2016/2017 annual report of the Information and Privacy Commissioner of the Northwest Territories citing a case. It stated:
“The failure of the public body to decommission the Complainant’s email address after his departure constituted a breach of the privacy of not only the Complainant, but also of others who sent emails to that address not knowing that someone other than the complainant was receiving them.
“She found that a public body email address is an identifier attached to a person’s name and that the email address assigned to the Complainant during his employment with the public body was his personal information, even though the address itself belongs to the public body.
“As such, keeping that email active means that there was an ongoing breach of the privacy of not only the Complainant, but potentially of third parties communicating with that email address thinking that the person reading the correspondence is the identified person. She found that six months is far too long to allow an email address to remain active after an individual is no longer an employee of the public body.”
In 2017, he filed a complaint with the privacy commissioner for N.W.T.
The department’s response
The Department of Justice said it was aware of the initial issues with PeopleSoft access and the automated emails going to his Gmail account.
It believed it had taken the necessary steps to correct the issue. The issue came down to the way the software worked – the system was designed to identify employees as being either active or terminated. It said this case was unusual because the worker in question was no longer employed, but was still being paid. Therefore, PeopleSoft recognized him as an active employee.
As a result of this incident, it said it was working to implement a process to identify the need for manual overrides to the notification system for employee identified on a termination agreement.
In regards to the worker’s government email address remaining active for six months, it didn’t have a good explanation. It noted that steps were being taken to address the issue, including a revision to its offboarding protocol.
It would allow the employee’s email account to remain open for a maximum of two weeks to identify that the employee is no longer with the department and to inform where inquiries can be directed.
Privacy commissioner’s recommendations
The commissioner made a number of recommendations to the employer as a result of this case.
Email: “I recommend that the department do do a thorough review of its policies and procedures with respect to the management of email accounts and, in particular, what must happen when an employee ceases to work for the GNWT. I further recommend that there be one or two individuals within the department or within each division of the department responsible for ensuring that these policies are followed when an employee leaves.”
PeopleSoft access: The commissioner said the HR system created a number of issues.
“The most significant of these is the fact that when the Complainant changed his preferred email address for receiving notices, it resulted in notices being sent to him not only with respect to his own employment matters, but also about other employees who he used to supervise,” it said. “The fact that he received automatic email from the system about the employment status of his former staff members is clearly a breach of their privacy.”
The commissioner didn’t buy the argument that this was a unique situation.
“Many people retire after many years with the GNWT and take unused holidays immediately prior to their retirement, sometimes several months. They are no longer “employees” with any authority or right to have access to the files of those they might have managed, though they will continue to be paid for a period of time after they are no longer in the office,” it said.
“Based on the public body’s comments, each one of these people will continue to be associated with a position number so that they can continue to be paid, which means that they will continue to have access to the PeopleSoft information of their former staff and, like the Complainant in this case, would likely to continue to receive automatic notifications from the system about those employees. This is unacceptable.”
A second concern was that any manager or supervisor has the ability to designate a private email address, outside the relative security of the GNWT system. That meant notifications about third parties’ employment and benefits are being sent to that outside email address rather than a secure GNWT address.
“This is a breach of the privacy of those employees and should not be allowed or even possible,” the commissioner said.
It recommended a technical solution be found that allows a former employee to continue to have access to his/her PeopleSoft information for as long as needed to ensure that all employment-related correspondence is finalized; and allows a supervisor/manager to set his/her preferences in PeopleSoft so that he receives notices about his own employment matters at a personal email address rather his/her GNWT assigned address.
But it should not give that former employee access to or notices about any other employee; and it should not forward messages from PeopleSoft about any other employee outside of the GNWT system.
Lastly, the commissioner recommended that steps be taken to ensure any third party personal information sent to the complainant since the end of his employment be returned and/or destroyed.
For more information see: Northwest Territories (Justice) (Re), 2018 NTIPC 12 (CanLII)