The City of Edmonton has evidence that a former City employee obtained access to the personal information of City employees that was stored on City-owned computers.
Privacy Breach Summary
In 2021, the City of Edmonton discovered a former employee uploaded documents from City-owned computers to their personal cloud-based account. Some of these documents included confidential and sensitive personal information. Open City and Technology (OCT) reported the incident to the Corporate Access and Privacy (CAP) Office in the Office of the City Clerk in May of 2021. It is the role of the CAP Office to investigate potential privacy breaches or complaints on behalf of the City.
Investigation and Results
As the uploaded information is in the custody of the former employee, the City used a third party service provider to gain access to the personal cloud-based account. After access was obtained, forensic analysis was undertaken to understand what personal information was breached. We note the City is not in a position to delete the records from the personal account.
As part of the City’s investigation into this breach, a sample of affected records was reviewed; however, the full extent of the privacy breach is undetermined. The records’ dates range from 2018 to 2020 and the types of records include, but are not limited to:
Employee Discipline Reports;
Hotline Fraud and Misconduct Hotline Investigation Reports;
Alberta Human Rights Complaints;
Union Seniority and Retirees Lists;
Edmonton Transit Service (ETS) Supernumerary List; and
Temporary Layoff Call Back Letters.
The types of personal information in the reviewed records include, but are not limited to: full name, employee number, home address, employment status, start date, retirement date, temporary layoffs, and employee-related matters such as leaves of absence, employee claims and grievances. There is no evidence that the records include Social Insurance Numbers.
Since the privacy breach was first reported in May of 2021, there has been no evidence of misuse or further disclosure of any of the information involved. There is also no evidence to suggest that specific employees' information was targeted; rather the information appears to have been uploaded based on opportunity.
Since discovering the privacy breach, a number of technical solutions and process controls were established by the City to ensure additional security steps are in place to help prevent future breaches from occurring.
The investigation involving OCT, the CAP Office, Employee Services, and Legal Services is now focused on notification, reviewing existing controls, and implementing its prevention and mitigation strategy to prevent similar breaches in the future.
The City recognizes our responsibility to protect personal information under the Freedom of Information and Protection of Privacy Act (the FOIP Act) and has worked to review a significant amount of affected records to identify affected parties. While there are no notification requirements under the FOIP Act, in addition to individualized notifications being provided to identified employees, notice of this breach is being shared with all City employees, as the City values openness and transparency. In addition to notifying employees, through the Office of the City Clerk, the City has self-reported this privacy breach to the Office of the Information and Privacy Commissioner (OIPC) of Alberta, Alberta’s privacy regulator, and is keeping the OIPC informed.
We can confirm the individual is no longer employed with the City. City of Edmonton employees are required to act in accordance with the FOIP Act, the Employee Code of Conduct and privacy and information security policies and procedures.
Who Can You Contact
We recognize this is a difficult situation that has impacted some City employees. If you are a current City employee, or a former employee who worked here between 2018 and May of 2021, and have questions about your privacy with respect to this incident, including whether your personal information was identified, please contact the Office of the City Clerk at 780-496-1551 or by email at firstname.lastname@example.org and a member of the Corporate Access and Privacy Team will be in contact. Please reference the CAP Office file number 2021-PBC-028.
Further, under section 65(3) of the FOIP Act, if you have been affected by this privacy breach, you have the right to file a complaint with the Information and Privacy Commissioner regarding this matter. Additional information regarding the Commissioner’s Office processes is available at www.oipc.ab.ca or by calling 1-888-878-4044.