The Information and Privacy Commissioner (IPC) is investigating a data breach by the COVID-19 Secretariat where the identities of residents self-isolating were disclosed. The email addresses — and in some cases names — were revealed in an email sent out to travellers who were self-isolating.
CKLB has obtained a copy of the letter issued on Thursday to those who had their unauthorized personal information revealed.
The letter says on April 19, an employee working for the COVID Secretariat issued an email to travellers currently self-isolating in Yellowknife, notifying them of the positive COVID-19 traces in the wastewater.
The distribution list “was mistakenly made visible to all recipients,” the letter says.
“This resulted in a breach of your personal information,” the letter reads.
The letter says the incident is the result of human error and the employee recognized the mistake — immediately attempting to recall the email. However, the recall “was not successful in most cases.”
The letter says the COVID Secretariat is reviewing current practices to “mitigate privacy breaches like this one.”
It adds, anyone who had their information disclosed without authorization has the right to request a review by the IPC.
Dawn Ostrem, a spokesperson for the COVID Secretariat, said in an email the department will be updating its Standard Operating Procedures, requiring all mass emails be reviewed by the director, supervisor or manager before being sent.
“The COVID Secretariat will also ensure that operational staff are directed to review the procedures for emailing personal information and privacy best practices,” Ostrem writes.
The IPC told CKLB in an email it couldn’t provide any additional details on the active investigation.