Someone went to the RCMP with an allegation of sexual assault — only to see their most closely-guarded private information being leaked.
The force is now apologizing after the wrong label was applied to an outgoing package containing three operational files dealing with sexual assaults.
Those files included a complainant’s name, date of birth, address, medical test information, health insurance number and the sexual assault allegation statement itself, according to a copy of a report detailing the summer 2017 privacy breach.
Luckily, the RCMP were able to contact the unintended recipient and recover the leaked information.
“The RCMP manages a large volume of requests and processes thousands of pages for release every year. Occasionally, errors do occur, such as packages being misdirected to the wrong requester,” said RCMP spokesperson Cpl. Caroline Duval in an email to CBC.
“The RCMP apologizes to any individuals affected by a breach.”
According to the report, management spoke to the employee responsible for the breach about the “importance of verifying outgoing parcels.”
After the breach, the RCMP’s Access to Information section also implemented weekly training sessions focusing on best practices and started sending alerts to employees about instances of non-compliance with the access rules.
2nd case involved medical information
In February of 2018, a briefing note to the RCMP commissioner containing an employee’s personal medical information was accidentally shared by email with about 140 people who “did not have a specific need-to-know,” according to another privacy breach report.
The leaked note included the employee’s name, the circumstances of an incident, medications taken and duty status, and also discussed the assistance the employee’s spouse was providing.
Unlike the case of the previous leak, in this instance the RCMP didn’t alert the affected party.
“The RCMP, following its assessment of this breach, determined given the nature of the briefing note and the status of the employee at that time, it was not appropriate to notify the concerned individual,” said Duval.
“This incident was reported to the Office of the Privacy Commissioner and the RCMP is continuing to collaborate with their office on this matter.”
After the leak, the RCMP Access to Information branch talked to the division involved in the breach about what kind of personal information it should be sharing, and referred to the situation as “outside the normal protocol.”
Federal institutions are required to notify the Office of the Privacy Commissioner of Canada and the Treasury Board when there’s been a privacy breach.
A spokesperson for Privacy Commissioner Daniel Therrien said the office can’t comment on specific cases but added the commissioner’s office has long been calling for a number of reforms to the Privacy Act — including the power to go public with government privacy issues.
Last fiscal year, Therrien’s office received 286 public sector breach reports — but spokesperson Corey Larocque said the office believes “this is the tip of the iceberg.”
That suspicion spurred an investigation which found that thousands of breaches happen every year across government institutions.
“The review found that thousands of breaches occur annually, and while some go unreported, others likely go entirely unnoticed at many institutions,” said Larocque.
“Information technology safeguards for new systems are not always sufficient and frontline workers, in particular, don’t fully grasp what constitutes personal information or their obligations.”