Data theft from Meals on Wheels reveals gap in provincial privacy legislation, expert says

The theft of a charity’s entire database containing the personal information of more than 27,000 people reveals a major gap in Alberta’s privacy legislation, an expert says.

Hard drive containing clients’ personal information stolen from charity’s Edmonton office

Privacy expert Sharon Polsky says the theft of personal information of thousands of Meals on Wheels clients, donors, volunteers, and employees reveals a loophole in Alberta's privacy law. (CBC)

The theft of a charity's entire database containing the personal information of more than 27,000 clients, donors, volunteers and employees reveals a major gap in Alberta's privacy legislation, an expert says.

In a letter sent to those affected in early June, Meals on Wheels said it called Edmonton police on Jan. 7 after realizing a back-up hard drive containing all its data had been stolen from its office. 

"Specifically, your name and one or more of the following: home address, email address, telephone number, place of birth, gender, marital status, date of birth, and individualized delivery instructions were identified," said the letter, a copy of which has been obtained by CBC News.

Investigations by police and the charity failed to identify the thief or what had happened to the stolen information, which was not encrypted.

The charity also notified the office of Alberta's privacy commissioner about the breach in early June, although it is not necessarily required to do so under the province's privacy legislation. 

Travis Walker, the charity's lawyer, said the charity made the decision to notify everybody "as opposed to picking and choosing and going down to the strict legal analysis of it and what might be required, what might not be." 

A spokesperson for Alberta privacy commissioner Jill Clayton said the office is conducting a review to determine if it has jurisdiction over this case. Non-profit organizations in Alberta are only subject to privacy law in certain circumstances, such as when they are involved in a commercial activity. 

Sharon Polsky, president of the Privacy and Access Council of Canada, said this privacy breach highlights the need for privacy legislation to be updated across the country. 

"Whether it is in Alberta or any major centre or any jurisdiction, non-profits typically deal with the most vulnerable segments of our society," Polsky said. 

"Yet the organizations that are there to help them have no legal obligation to secure and protect their personal information," she said. "That is outrageous." 

Notification five months after theft

Walker said Meals on Wheels took five months to notify those affected because it required "a substantial amount of resources" from the charity's small team to determine whose privacy had been breached, pull their information to notify them, and set up a call centre to answer questions.

"We didn't want to put out a general notice saying this has happened and alarm people, and then not have any resources available for answers," he said.

He said Meals on Wheels initially believed the data was encrypted, but then discovered it was not. The charity has since enhanced its cybersecurity and restricted access to its server, Walker said.

"We are not aware of any harm having befallen any of the potentially affected individuals," through identity theft or phishing scams, he said. 

The letter sent to clients and others suggests they place a fraud warning on their credit file and warns them to be vigilant for any suspicious emails, calls, or letters requesting their personal information.

Polsky said non-profit organizations must understand they have an ethical duty to safeguard personal information, but Alberta also needs to revise its law to make reporting privacy breaches mandatory.

"The bottom line is the legislation is sadly out of date and it needs to be updated to include non-profits," she said.


Charles Rusnell, Jennie Russell

Former investigative reporters

Jennie Russell and Charles Rusnell were reporters with CBC Investigates, the investigative unit of CBC Edmonton. They left CBC in 2021. Their journalism in the public interest is widely credited with forcing accountability, transparency and democratic change in Alberta.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?