Ed Ring found the RNC had some administrative, technical and physical safeguards in place to protect personal information from unauthorized access, but procedures and policies aren’t being followed.
“However, it is clear from these recent incidents that these mechanisms have not been fully absorbed, implemented and understood by RNC staff,” said Ring in his report, which urged the RNC to go further in protecting information.
The employees involved in the three different instances were a constable, a communications technician and a clerk typist.
Ring found there is a prevailing attitude that accessing, disclosing, using or destroying personal information outside official duties is acceptable as long as it’s for a family member or friend, with or without their consent.
Two of the employees said it was common practice.
“This prevailing attitude represents the thin edge of the wedge. Tolerating this behaviour suggests to employees that the access to information and protection of privacy policies and procedures are flexible and there will be no worry or hesitation based on repercussions,” Ring said.
Furthermore, a privacy training presentation submitted to Ring by the RNC “clearly implies” to employees the information and privacy office’s interpretation of regulations protecting personal information “are of no consequence and do not need to be followed,” Ring noted in the report.
The investigation was in response to a May complaint under the Access to Information and Protection of Privacy Act as well as two other incidents of inappropriate access by employees which came to light at Ring’s office this year.
In the May complaint, an RNC officer used the Motor Vehicle Registration records to obtain a VIN number and owner’s name, possibly disclosing it to a family member in the purchase of a vehicle. The officer accessed motor vehicle records for this purpose on four separate occasions, and admitted to it, but denies disclosing all the information.
A second complaint was made in June that an RNC employee had accessed and disclosed the personal information from a police database of other individuals known or related to the employee. Over a period of four years, the employee accessed the information of about a dozen people 37 times — for a total of 474 separate incidents. Some 439 of those were not valid, the employee admitted. The employee had also destroyed personal information on one occasion, as well as disclosing information outside the RNC three times. The employee claimed she was just curious, rather than being malicious.
The third complaint was in July, regarding another civilian employee who accessed Motor Vehicle Registration information inappropriately some 39 times between 2011 and 2015. The information was disclosed, but how many times is not known.
Ring, who said it was concerning to receive notice of the similar breaches over a short time frame, made several recommendations to the RNC to prevent such situations in the future. The recommendations include more training, as well as taking additional steps to regulate and monitor employees’ access to information systems and to perform ongoing “robust, random” auditing.
He also said the RNC doesn’t seem to have sufficient preventative measures to protect personal information from its premises.