Home Featured Memorial University urged to implement policy restricting use of personal email for official business

Memorial University urged to implement policy restricting use of personal email for official business

by HR Law Canada

Memorial University of Newfoundland has been advised to establish a comprehensive policy to prohibit employees and officials from using personal email accounts for university business. This recommendation came from the province’s Information and Privacy Commissioner following a complaint about the university’s handling of an access-to-information request.

The report concluded that Memorial had conducted a reasonable search for the records requested but noted significant issues stemming from the use of personal email accounts by senior university officials. The Commissioner stressed that the absence of a clear and enforceable email policy posed risks to transparency, accountability, and effective information management.

The complaint arose after an access-to-information request was filed on June 28, 2024, seeking emails from a senior university official, identified only as the Chair of the University’s Board of Regents, relating to a specific topic during a limited time frame. Memorial University informed the complainant that no records responsive to the request were found, prompting the complaint to the Office of the Information and Privacy Commissioner.

According to the report, the official did not use the university’s designated @mun.ca email account for business-related communication but instead relied on a personal email address. Memorial was unable to access or search the personal account directly, requiring the official to conduct the search himself. However, the official informed the university that technical difficulties with the personal email account had led to the deletion of numerous messages, and no responsive records were located during the search.

The Commissioner’s report emphasized that while the university’s explanation for the failure to locate records was deemed reasonable, the lack of an enforceable policy on email usage left a substantial gap in Memorial’s ability to ensure transparency. “This issue is core to the questions and complaints raised in this investigation,” the Commissioner noted, referencing the need for the university to create a policy prohibiting the use of personal email for university business.

A further concern was raised by the complainant about the integrity of the search process itself. The university’s request for the official to search his email was conducted primarily by telephone, deviating from the usual process of handling such requests in writing. The complainant argued that this “lack of a well-documented search erodes any confidence in transparency.”

Although the Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015) does not mandate how public bodies should document searches for records, the report identified best practices that were not followed. “Having a written record of how a request was processed, and documenting efforts to locate records, is a best practice,” the Commissioner stated. In this case, the lack of formal documentation and the reliance on a personal email account, which was already experiencing technical issues, amplified the challenges faced by Memorial in responding to the request.

While the Commissioner found no evidence to suggest that the official had intentionally deleted records after learning of the access request, the report underscored the importance of preventing similar situations in the future. The university had been aware that certain officials were using personal email accounts for official business. The report highlighted that Memorial “should have recognized that this was inappropriate and taken steps to develop a policy to eliminate this practice.”

The Commissioner pointed to a directive issued by the provincial government’s Office of the Chief Information Officer (OCIO) as an example of how such matters should be handled. The OCIO’s directive prohibits the use of non-government email accounts for public body business except under narrowly defined and documented circumstances. The directive is grounded in the Management of Information Act, which requires public bodies to manage and protect government records, including emails, to ensure transparency and accountability.

The Commissioner’s report went on to state that while Memorial had made university-issued @mun.ca email accounts available to employees and officials, there was no policy requiring them to use these accounts. As a result, important university business was being conducted through unmonitored personal email accounts, leading to potential information management and privacy concerns.

In the days leading up to the report, the newly appointed Chair of the Board of Regents issued a directive requiring board members to use their university email accounts for board-related business. While this was seen as a positive step, the Commissioner maintained that a university-wide policy was needed. “The issue warrants a University-wide, enforceable policy which covers all members of the University community, rather than a personal directive by the new Chair of the Board of Regents,” the report stated.

In conclusion, the Commissioner recommended that Memorial University develop and implement a clear and enforceable policy within three months, ensuring all employees and officials use university-issued email accounts for university business. This policy, according to the Commissioner, would help prevent similar issues in the future and promote greater transparency and accountability in how the university handles its records.

For more information, see Report A-2024-047.

You may also like