Data theft from Meals on Wheels reveals gap in provincial privacy legislation, expert says
Hard drive containing clients’ personal information stolen from charity’s Edmonton office
The theft of a charity's entire database containing the personal information of more than 27,000 clients, donors, volunteers and employees reveals a major gap in Alberta's privacy legislation, an expert says.
In a letter sent to those affected in early June, Meals on Wheels said it called Edmonton police on Jan. 7 after realizing a back-up hard drive containing all its data had been stolen from its office.
"Specifically, your name and one or more of the following: home address, email address, telephone number, place of birth, gender, marital status, date of birth, and individualized delivery instructions were identified," said the letter, a copy of which has been obtained by CBC News.
Investigations by police and the charity failed to identify the thief or what had happened to the stolen information, which was not encrypted.
The charity also notified the office of Alberta's privacy commissioner about the breach in early June, although it is not necessarily required to do so under the province's privacy legislation.
Travis Walker, the charity's lawyer, said the charity made the decision to notify everybody "as opposed to picking and choosing and going down to the strict legal analysis of it and what might be required, what might not be."
A spokesperson for Alberta privacy commissioner Jill Clayton said the office is conducting a review to determine if it has jurisdiction over this case. Non-profit organizations in Alberta are only subject to privacy law in certain circumstances, such as when they are involved in a commercial activity.
Sharon Polsky, president of the Privacy and Access Council of Canada, said this privacy breach highlights the need for privacy legislation to be updated across the country.
"Whether it is in Alberta or any major centre or any jurisdiction, non-profits typically deal with the most vulnerable segments of our society," Polsky said.
"Yet the organizations that are there to help them have no legal obligation to secure and protect their personal information," she said. "That is outrageous."
Notification five months after theft
Walker said Meals on Wheels took five months to notify those affected because it required "a substantial amount of resources" from the charity's small team to determine whose privacy had been breached, pull their information to notify them, and set up a call centre to answer questions.
"We didn't want to put out a general notice saying this has happened and alarm people, and then not have any resources available for answers," he said.
He said Meals on Wheels initially believed the data was encrypted, but then discovered it was not. The charity has since enhanced its cybersecurity and restricted access to its server, Walker said.
"We are not aware of any harm having befallen any of the potentially affected individuals" through identity theft or phishing scams, he said.
The letter sent to clients and others suggests they place a fraud warning on their credit file and warns them to be vigilant for any suspicious emails, calls, or letters requesting their personal information.
Polsky said non-profit organizations must understand they have an ethical duty to safeguard personal information, but Alberta also needs to revise its law to make reporting privacy breaches mandatory.
"The bottom line is the legislation is sadly out of date and it needs to be updated to include non-profits," she said.