The Northwest Territories’ Information and Privacy Commissioner has determined that the Department of Finance improperly disclosed an individual’s personal information in a recent procurement review.
The commissioner’s report concluded that Finance violated the Access to Information and Protection of Privacy Act by sharing personal information about a contractor, identified as A.B., without proper authorization.
The case stems from Finance’s evaluation of proposals submitted for a government contract in late 2023. During the review, Finance officials recognized A.B. from media coverage linking him to a union grievance and a human rights complaint. This led the department to seek legal advice from the Department of Justice on whether A.B. had a conflict of interest. Justice disclosed that A.B. was indeed involved in both matters, which it suggested could constitute a conflict. Finance then disqualified A.B.’s bid based on this determination.
The complaint from A.B. triggered the commissioner’s review of whether his privacy rights had been breached. The commissioner’s report highlights the various points of privacy law involved and whether Finance acted within its legal authority.
Collection and use of personal information
In the report, the commissioner acknowledged that Justice provided Finance with minimal details, simply confirming the existence of A.B.’s union grievance and human rights complaint. However, these details still constituted personal information under the Act, which defines such information as including details about an individual’s employment history or complaints filed. The commissioner also underscored that legal advice given to Finance, identifying A.B. as potentially conflicted, was itself considered personal information.
Under the Act, public bodies can only disclose personal information for specific purposes. Justice argued that their disclosure was lawful under section 48(l) of the Act, which allows sharing when “for use in the provision of legal services to the Government of the Northwest Territories or a public body.” The commissioner concurred, finding that Justice disclosed the information to Finance as part of providing legal counsel on a potential conflict of interest.
Nonetheless, the commissioner took issue with how Finance subsequently used this information. Finance employed the information to disqualify A.B., which was consistent with section 43 of the Act, as the commissioner acknowledged. This section allows for the use of personal information if it is aligned with the purpose for which it was initially gathered or for a related purpose.
Unauthorized disclosure to other public bodies
The commissioner’s main concern centred on how Finance shared A.B.’s information with other members of the Evaluation Committee, which included another government department. According to the report, such disclosures between public bodies are permitted only if there is a written agreement or authorization in place, as required by section 7.1 of the Access to Information and Protection of Privacy Regulations. Finance had no such agreement.
Without this authorization, the disclosure violated privacy regulations, the commissioner found. He noted that while this may have been an oversight, the regulatory requirements have been in effect since 2021, and compliance should be expected. The report explicitly states, “Had Finance complied with section 7.1 of the Regulations, the disclosure would have been authorized.”
Recommendations and disposition
The commissioner directed Finance to stop any future disclosures of personal information to other public bodies without first obtaining the necessary authorization. He emphasized the need for adherence to section 7.1 in all instances where personal data is shared for integrated services, such as procurement. The commissioner’s report did not suggest further penalties or actions against the department but provided clear instructions for preventing future breaches.
The report also highlighted the importance of transparency in procurement processes. It suggested that Finance consider adding more detailed language about conflicts of interest in their Request for Proposal (RFP) documents, which could include disclosing that they may consult with legal counsel on such matters.
A.B.’s complaint also raised broader issues about how personal information is handled in government contracting. The commissioner’s findings suggest that A.B. might have been unaware that his personal history could be subject to such scrutiny in the contracting process, underscoring the need for clear communication around conflict of interest assessments.
In response to the commissioner’s findings, the Department of Finance may need to adjust its procedures to ensure compliance with the privacy regulations moving forward.
For more information, see Department of Finance (Re), 2024 NTIPC 70 (CanLII).
