Privacy expert slams NorQuest College for not notifying employees of major privacy breach

An Alberta privacy expert says Edmonton's NorQuest College had a professional and moral obligation to tell its 600 employees there had been a serious breach of their confidential information.

College alleged former IT manager had 'overwhelming' amount of confidential information on home computer

Linda McKay-Panos says NorQuest College had an obligation to tell its employees of a serious breach of their confidential information. (Alberta Civil Liberties Research Centre)

An Alberta privacy expert says Edmonton's NorQuest College had a professional and moral obligation to tell its 600 employees there had been a serious breach of their confidential information.

"It seems to me that they were more interested in their own interests and not really in the interests of their employees," said Linda McKay-Panos, executive director of the Alberta Civil Liberties Research Centre. "And if I were an employee, I would feel that they don't really care what is in my best interest."

On Sunday, CBC News first reported details from a civil court case that revealed a massive privacy breach at NorQuest involving Clarence Orleski, the college's former information technology (IT) manager.

NorQuest never publicly disclosed the breach, which was discovered in 2013. It also did not report it to Alberta's privacy commissioner, although a spokesman for the commissioner said disclosure is not required by law.

McKay-Panos said NorQuest should have reported the breach immediately "because obviously the privacy commissioner has great knowledge about the impact of these things and maybe could even make some suggestions about how to manage it."

Orleski was fired in December 2012. In March 2013, NorQuest obtained a rare court order that allowed it to seize his home computer because it suspected he had improperly accessed the college's IT network.

Confidential employee information found

A search of Orleski's computer revealed "a vast quantity of confidential NorQuest information," an affidavit from a college executive alleged, including salary information for all 600 NorQuest employees, the employment contract of the college's president, copies of disciplinary letters, and transcribed interview notes from internal investigations.
Court documents filed by NorQuest College alleged two “kickback” schemes orchestrated by its former IT manager cost the college nearly $2 million. (CBC News)

The college claimed Orleski also had "harvested" information of an "intensely personal and private nature including emails between employees and their spouses about finance and personal matters."

The president of NorQuest's faculty association first learned of the privacy breach from a CBC News reporter on Thursday.

"This has kind of taken me by surprise," Leslie Sayer said.

"You would hope that there is a good reason why the college is keeping certain things confidential..

"But at the same time, when it affects faculty members, which is particularly important for me, it is concerning and I am hoping the college will speak to me about it, and then find a way that we can parse out the information to our faculty membership."

Employee relationship potentially undermined

NorQuest did not respond to repeated interview requests from CBC News last week. Instead, the college issued a brief statement that said it is "confident" there are strong controls in place to protect public assets and confidential information.

On Sunday, the college posted a longer statement on its website, which it did not distribute to the media. The statement claimed NorQuest took "swift steps to inform and protect the people directly impacted, recover college information and assets, and pursue legal action."

But the statement is contradicted by the college's own court affidavit, which stated the confidential salary information of every NorQuest employee was found on Orleski's computer. The college's faculty association president confirmed his members were never notified of the breach of their confidential information.

In an email, a former college instructor told CBC News he worked at NorQuest until August 2015 and "received no information whatsoever concerning what appears to be potential, unauthorized access to my personal and financial information."

The NorQuest statement said, in part: "We take these matters very seriously and want to assure our employees, students, and community partners that our stewardship of personal information and public funds are secure."

The court documents detailing the privacy breach are part of a lawsuit NorQuest filed against Orleski. The college alleged Orleski and several others were part of two separate "kickback" schemes that, taken together, cost NorQuest nearly $2 million over five years.

Orleski and the defendants who filed statements of defence denied the allegations and none were proven in court. The college dropped its lawsuit in January 2016. Through his lawyer, Orleski declined an interview request, saying the terms of the agreement are confidential.

McKay-Panos said it was telling that the college considered the privacy breach serious enough to include in its statement of claim against Orleski, but apparently not sufficiently significant to tell its employees before the story was reported.

McKay-Panos said the college's failure to disclose the breach could undermine its relationship with its employees.

"You want loyalty from your employees and I think you need to engender that by being honest with them with this has happened and not trying to hide it or just by omission not telling anybody," she said.


If you have any information about this story, or information for another story, contact us in confidence at cbcinvestigates@cbc.ca