Wildrose vows to end secrecy around NorQuest College privacy breach, alleged frauds

The Opposition Wildrose says it will try to force NorQuest College to appear before the legislature's public accounts committee to explain its handling of a massive privacy breach and two alleged frauds.

And it will also pressure the NDP government to close a loophole in the province's privacy act that effectively allowed NorQuest to not report the breach, even though the confidential information of all 600 of its employees had been accessed.

"If you are receiving a significant sum of taxpayers' dollars, there is some accountability that needs to go along with that," Wildrose finance critic Derek Fildebrandt said.

Fildebrandt, the public accounts committee chair, said he will introduce a motion to call NorQuest during the committee's next meeting. To pass, the motion would need majority approval of the NDP-dominated committee.

On Sunday, CBC News first reported details from a civil court case that revealed a massive privacy breach at NorQuest involving Clarence Orleski, the college's former information technology (IT) manager.

In March 2013, NorQuest obtained a rare court order that allowed it to seize Orleski's home computer because it suspected he had improperly accessed the college's IT network.

Privacy breach

In a court affidavit, the college claimed it discovered Orleski's computer contained the confidential salary information of every NorQuest employee. It also alleged it found copies of disciplinary letters, transcribed interview notes from internal investigations, and other information of an "intensely personal and private nature including emails between employees and their spouses about finance and personal matters."

For nearly a week, the college has refused to answer basic questions from CBC News, including why it did not notify all of its employees, why it did not report the breach to the privacy commissioner, and what action the college took to determine how, if at all, its employees' confidential information had been used.

A statement posted on NorQuest's website, which the college did not distribute to the media, claimed NorQuest took "swift steps to inform and protect the people directly impacted, recover college information and assets, and pursue legal action."

But the president of NorQuest's faculty association confirmed to CBC News his members were never notified about the breach of their personal information.

The court documents detailing the privacy breach are part of a lawsuit NorQuest filed against Orleski. The college alleged Orleski and several others were part of two separate "kickback" schemes that, taken together, cost NorQuest nearly $2 million over five years.

Orleski and the defendants who filed statements of defence denied the allegations and none were proven in court. The college dropped its lawsuit in January 2016. Through his lawyer, Orleski declined an interview request, saying the terms of the agreement are confidential.

No disclosure at public accounts committee

NorQuest president Jodi Abbott appeared before the legislature's public accounts committee on April 24, 2013. Abbott fielded questions about two scathing reports from Alberta's auditor general that variously found NorQuest's finance department had no oversight over the college's contracts and was susceptible to fraud, and that the college needed to improve security controls for its IT system.

Abbott never disclosed the privacy breach or the alleged frauds to the committee. In a statement emailed to CBC News, a NorQuest spokesperson did not address the issue of why Abbott never told the committee about the privacy breach, which included her own confidential employment contract that was found on Orleski's home computer.

But the spokesperson said that, at the time Abbott appeared before the committee, "NorQuest was not aware of any alleged fraud or financial impropriety."

The college seized Orleski's home computer on March 2, 2013, nearly two months before Abbott's appearance at the committee. A NorQuest affidavit also said the college began searching the computer's hard drive in April 2013, although it did not specify an exact date. In another statement, NorQuest said they continued to review the computer's files through the summer and fall of 2013.

NorQuest told both the auditor general and the Advanced Education ministry about the breach and the alleged frauds the day before it filed its statement of claim against Orleski and his alleged co-conspirators in late 2013.

Kim Nishikaze, a spokesperson for Auditor General Merwan Saher, said he never publicly disclosed the privacy breach or alleged frauds because it "was an internal investigation" by NorQuest and "we did not get involved in it.

"We did our due diligence in terms of their financial environment," Nishikaze said, adding later that it was not Saher's job to make this information public.

Advanced Education Minister Marlin Schmidt also did not publicly reveal the problems at NorQuest. His press secretary, in an emailed statement, said Schmidt was only made aware of the problem through a briefing by department officials within the last week.

Privacy breach loophole

A spokesperson for Alberta privacy commissioner Jill Clayton said that while private organizations are required by law to report certain breaches to the commissioner, public institutions like NorQuest don't have the same obligations.

"The commissioner has repeatedly recommended that breach reporting and notification provisions be included in the (Freedom of Information and Protection of Privacy) Act," Scott Sibbald said in an email, which included several examples dating back to 2013.

"The current situation at NorQuest highlights why breach reporting and notification requirements are important," Sibbald said. "People should have the right to know when their personal information has been exposed if they are at risk of harm.

"If anyone feels they have been affected by this incident, now that they have become aware through the media, they may submit a privacy complaint to our office."

Service Alberta is responsible for the province's privacy act. The department's minister, Stephanie McLean, did not respond to a query from CBC News about when, if at all, she intended to respond to the privacy commissioner's recommendation.

Wildrose advanced education critic Wes Taylor said the fact that CBC News had to disclose the serious issues at NorQuest College reveals the ingrained culture of secrecy that continues to exist in this province.

"We have a public college which appears to have been defrauded of large amounts of public money because they were mismanaged, and this was hidden from the public; that is wrong," he said.

"We have a massive privacy breach of the personal information of all NorQuest employees that was hidden from them because of a loophole in the law, a loophole that the NDP haven't fixed yet, even though they knew about it. And that's wrong," Taylor said.

"We have the NDP's advanced education minister not doing anything about this at all. And that's wrong," Taylor said, adding he is disappointed the auditor general's office also didn't make the information public.

"We need to have more accountability."

@jennierussell_
@charlesrusnell

If you have any information about this story, or information for another story, contact us in confidence at cbcinvestigates@cbc.ca