Complaint
An individual received a mass email from the Authority’s Land Management Branch that revealed their email address, as well as those of the other recipients. They contacted our office because they felt that their privacy and that of the other recipients had been breached.
Investigation
We found that the Land Management Branch sent three emails and inadvertently shared the email addresses with all 1,500 recipients. The emails contained information about an upcoming residential land lottery with links to the Yukon Government website.
Decision
Non-compliant. Email addresses are personal information, and the Public Body correctly identified this incident as a privacy breach and provided our office with their breach report. Our investigator agreed with the Public Body’s conclusion that this breach was a result of human error. It prompted them to implement several security measures and to use this case as an example of how to prevent similar breaches in the future through increased awareness and staff training.
Recommendations
Implemented. The Public Body proposed three recommendations that we feel appropriately addressed the root cause of this breach: restricting the use of email for external communications, implementing communication software for mass notifications, and department-wide communication safeguards. We also suggested that the Public Body help educate the public by adding a notification to its land lottery web page on how to avoid social engineering scams — such as phishing (email), vishing (voice), and smishing (text) — that can result from a privacy breach of this nature.