I got a call yesterday from Lindsay Jones of the Halifax Daily News (Canada's top journalist) to discuss an interesting sitution that has popped up here in Nova Scotia. It appears that an e-mail was sent out to hundreds of defaulted student loan recipients to advise that their case officer was changing. Whoever hit the send button didn't notice that everyone was on the "TO:" line, so each receipient also got a list of all the other defaulted debtors. Not good form.

Of course, the e-mail was forwarded to the Halifax Daily News and the rest is history... (I understand that a journalist from another publication was on the list.)

I've been saying for years that security and safeguards are probably the most important principles in any privacy plan. You won't be on the front page of the newspaper for having a confusing privacy policy or for using opt-out consent instead of opt-in. But if you have a security breach like this, the odds are that you're in for a rough ride.

(Also interesting: part of the response is a hotline for personal apologies.)

Here's Lindsay's article:

Halifax, The Daily News: News Names of student-loan defaulters sent in mass e-mail

Last updated at 7:32 AM on 22/06/07

LINDSAY JONES

The Daily News

An embarrassing breach of personal privacy has led to policy changes at the provincial government department that deals with student loans.

Full names, and in many cases workplaces, were inadvertently disclosed in a mass e-mail sent by a Service Nova Scotia and Municipal Relations collection officer.

The subject line of the June 8 e-mail said "Defaulted Nova Scotia government guaranteed student loans - new contact name."

The e-mail was to inform the employee's clients that she had been reassigned.

Ian Daye, whose name appeared on the list, is annoyed at the lack of discretion.

"It's just: 'You have student loan problems. And here's a list so you can see who else has student loan problems.' This really isn't right, as far as I'm concerned," said the 33-year-old, who works for Research In Motion.

"It's something that should've been done in confidence," Daye added. "It's not really very professional of her to put everyone's addresses out there."

Some of the e-mail addresses on the list belonged to people who work in government offices, banks and local businesses.

Canada's top privacy lawyer said the e-mail is a "highly embarrassing" violation of the freedom of information and protection of privacy (FOIPOP) act.

"People's financial information is some of the most sensitive information out there," David Fraser of Halifax said.

"It really needs to be protected with measured safeguards that are appropriate to the sensitivity of the information."

Fraser said people have the right to complain to the provincial FOIPOP office, though there's no legislation for redress.

"The bigger thing is likely the embarrassment for those individuals whose information was released into the wild," he said.

While accidental privacy breaches do sometimes occur, Fraser said it's also embarrassing for the government that an employee allowed this to happen.

A spokeswoman for Service Nova Scotia and Municipal Relations said steps were taken the day after the email went out to ensure no mass communication of this nature would happen again.

"Every employee that deals with clients has received education about the ongoing importance of protecting personal information," Donna Chislett said.

The computer system for student loans is being revamped to prohibit staff from sending such mass e-mails, she added.

About one third of the e-mails were returned as undeliverable mail.

"It was certainly done inadvertently and it was an oversight. We do apologize for that," Chislett said.

Staff are providing personal apologies and explanations of the privacy breach to anyone with concerns; call 494-4961 for details.

ljones@hfxnews.ca

Labels: privacy, public sector