Alberta Privacy Commissioner Finds Real Risk of Significant Harm from Accidental Email

Published on

June 27, 2019

Jun 2019 Charity & NFP Law Update

On February 14, 2019, the Information and Privacy Commissioner of Alberta (“IPC”) released her decision in YWCA Calgary, Re Decision No. (P2019-ND-013) requiring a not-for-profit incorporated by special act to notify an affected individual of a breach pursuant to Alberta’s Personal Information Protection Act (“PIPA”). The breach occurred on March 25, 2018, when a practicum student of the YWCA Calgary (“YWCA”) accidentally forwarded an email to a client instead of a co-worker with the same name. The information accidentally sent consisted of a name, email address and possible dates and times for intake. The student became aware of the error on the same day and several steps were taken in response: the student attempted to recall the email; the YWCA contacted its privacy counsel, asked the unintended recipient to delete the email, and sent an internal email instructing its workers on how to remove autocomplete contacts in emails. However, the YWCA did not receive confirmation from the recipient that the email had been deleted and not copied or distributed to others. The YWCA notified the affected individual by letter sent on March 28, 2018.

In the decision, the IPC wrote:

The Organization reported that “The likelihood that harm could result is very low. There was only one person who the information was sent to via the misdirected email. The information was not highly sensitive and no vulnerable individuals were involved.”

In my view, although the unauthorized disclosure was caused by human error and the email was accidently sent to a known unintended recipient, the likelihood of harm resulting from this incident is increased because the Organization did not receive confirmation from the unintended recipient that the email was deleted and not copied, forwarded or otherwise distributed.

The IPC decided that there was a real risk of significant harm to the affected individual and that the YWCA was required to notify the affected individual pursuant to section 19.1 of the Personal Information Protection Act Regulation. As the YWCA had already notified the affected individual before it received the IPC decision, the IPC stated that the YWCA would not be required to notify the affected individual again.

The IPC in this case took a liberal approach to the determination of what constitutes “real risk of significant harm” under Alberta PIPA. Although the Alberta PIPA does not apply to organizations that operate outside of that province, this case may be illustrative of how the “real risk of significant harm” analysis could potentially be applied under PIPEDA’s new mandatory breach reporting provisions, which uses the same test. This case also underscores the importance of all charities and not-for-profits having a privacy breach protocol in place, the need to carefully safeguard all personal information (whether sensitive or not), especially when sending emails, as well as the need to ensure that all staff and volunteers verify the names and email addresses of all recipients before pressing “send.”


Read the June 2019 Charity & NFP Law Update