All Things Newz
Law \ Legal

To BCC Or Not To BCC? That Is The Question – Privacy Protection

To print this article, all you need is to be registered or login on

Sending an email to a group of people without using the blind
carbon copy (BCC) field might not seem like a big deal – but
it’s important to remember that email addresses are personal

In Saskatchewan, The Local Authority Freedom of
Information and Protection of Privacy Act
(LA FOIP) requires
municipalities and hamlets to have administrative, technical and
physical safeguards in place to protect personal information -
including the personal email addresses of ratepayers.

Earlier this year, the Office of the Saskatchewan Information
and Privacy Commissioner (IPC) released a report following an
investigation into an organized hamlet that emailed hundreds of
ratepayers without BCCing the recipients. The report offers a
valuable reminder of the steps municipalities must take to protect
the personal information under their control.

Email Was Sent to Hundreds of Ratepayers

In this case, the hamlet chair emailed a notice to more than 200
ratepayers without using the BCC field for the recipients’
email addresses, which meant the addresses were viewable to
everyone included on the email. Shortly after the email was sent,
the hamlet chair sent another email apologizing for the mistake and
asking ratepayers to delete the previous email.

One of the ratepayers filed a complaint with the rural
municipality that is home to the hamlet in question. After the
municipality advised the ratepayer that the privacy breach had been
dealt with appropriately, the ratepayer filed a complaint with the
IPC, which went on to investigate the matter.

Investigation Uncovered Numerous Shortcomings

Once a privacy breach occurs, the IPC recommends government
institutions and local authorities – including municipalities and
hamlets – take the following steps:

  • Contain the privacy breach

  • Notify affected individuals

  • Investigate the breach

  • Prevent future breaches

While the municipality in this case claimed that the hamlet had
followed each of those steps, the IPC’s investigation uncovered
numerous shortcomings.

For instance, the hamlet chair requested that ratepayers delete
the first email, but he did not request confirmation that the email
had been deleted – making it unclear if the breach had, in fact,
been contained. Nor did he attempt to recall the first email.

The IPC also found that while the hamlet did notify ratepayers
of the breach, the notification was missing certain details the IPC
recommends including, such as the steps taken and planned to
prevent future breaches and informing individuals that they have a
right to complain to the IPC.

In considering whether the municipality had taken steps to
investigate the breach and prevent future breaches, the IPC
discovered the municipality did not have a privacy policy and that
its staff had not received any privacy training.

“The only safeguard that was in place was a communication
policy that did not address the [municipality’s] privacy
obligations when using electronic communications,” read the
IPC report.

Recommendations Include Implementing a Privacy Policy

To prevent and address future breaches, the IPC recommended that
the municipality:

  • develop a policy for responding to privacy breaches that
    includes measures for containing a breach and notifying affected

  • develop a privacy policy addressing the collection, use and
    disclosure of personal information in compliance with LA FOIP;

  • have all staff sign a confidentiality agreement;

  • have annual privacy training for all staff; and

  • address the use of BCC fields in its communications

Are You Meeting Your Privacy Law Obligations?

This case serves as important reminder to municipalities to have
proper safeguards in place for protecting ratepayers’ personal
information. Municipalities may face more serious consequences
including reputational impacts for failing to protect personal

MLT Aikins has extensive experience advising municipalities on
their privacy law obligations. We have helped municipalities
develop privacy policies, confidentiality agreements, breach
response policies and privacy training for staff. Contact our Municipal or Privacy, Data Protection & Cybersecurity
group to learn more.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from Canada

Seven Life Lessons From Tim Hortons


What are you giving up when you allow an app to track your location? Where we go and when we go there – can be used to infer what we do and who we see.

Source link

Related posts

The Last Word On Franchising With Michael Einbinder – Franchising

Inflation Reduction Act: Faustian Bargain Could Jeopardize Offshore Wind, Renewable Energy On Federal Lands – Renewables

TRIPS waiver decision on COVID-19 patents – Patent