Latest News

Report: Former employee wrongly shared staff information numerous times

By Joel Wittnebel/The Oshawa Express

It appears a former city employee was sharing information they shouldn’t have been.

The city has released a report laying out its latest privacy breach, detailing how the employee, searching for help with their work, incidentally shared the personal information of hundreds of current and former cityemployees.

While it is stated the breach occurred in the Community Services Department, the name of the employee is not provided and the nature of their departure from the city is not shared.

Coming to the attention of city staff in July, employees were performing a routine sweep of the former employee’s email account for any information that would need to be saved in city records when they came across emails shared with an outside company containing the sensitive information.

According to the investigation report, the former employee was seeking assistance with performing functions in Microsoft Excel, a spreadsheet program, and was looking for the assistance of a former colleague. In the process, through three separate incidents in April, May and June, the information of nearly 400 employees was shared, including in some cases addresses, postal codes, telephone numbers, and even wages.

“Rather than seeking assistance from staff within their immediate workgroup or elsewhere within the organization, it appears that the city’s employee sent the information to an individual with whom they had previously worked and had the necessary knowledge to resolve the issues,” the report reads.

That person has since been contacted by the city and the information shared has been contained, the report says, adding that those affected were notified either through mail or information sessions held in July.

Similar to all city employees, the former worker received privacy training surrounding employee obligations, including one session on June 2, only a day before sending out one of the breaching emails.

As part of the report, it is suggested that privacy training materials be included as part of the process when a new employee is hired, along with having staff review the existing training materials. Staff are also looking to investigate the possibility of acquiring pattern matching software to make it easier to detect these types of breaches earlier.

Councillor Bob Chapman, chair of the community services committee, says the training process is an ongoing practice with city employees and that perhaps some kind of audit after training occurs could be implemented to ensure employees understand what they have learned.

“They do the best they can and it’s hard. It’s about what sticks in people’s minds and how they do it,” Chapman says, adding it is difficult to stay on top of thousands of workers on a daily basis.

The latest breach follows an incident earlier this year involving a councillor accidentally sharing the personal information of a former employee.

There were also a pair of incidents in 2015. The first occurred in the city’s recreation and cultural services branch in June of that year, when more than 1,000 email addresses were shared accidentally, as a result of the department’s email list being shared in the CC field – which is visible in any email – instead of the BCC field – which is hidden. The second was due to a faulty piece of machinery in the city’s print shop that double stuffed preauthorized payment notices (PAP) for people’s taxes.