Sending an email to a group of people without using the blind
carbon copy (BCC) field might not seem like a big deal – but
it’s important to remember that email addresses are personal
In Saskatchewan, The Local Authority Freedom of
Information and Protection of Privacy Act (LA FOIP) requires
municipalities and hamlets to have administrative, technical and
physical safeguards in place to protect personal information -
including the personal email addresses of ratepayers.
Earlier this year, the Office of the Saskatchewan Information
and Privacy Commissioner (IPC) released a report following an
investigation into an organized hamlet that emailed hundreds of
ratepayers without BCCing the recipients. The report offers a
valuable reminder of the steps municipalities must take to protect
the personal information under their control.
Email Was Sent to Hundreds of Ratepayers
In this case, the hamlet chair emailed a notice to more than 200
ratepayers without using the BCC field for the recipients’
email addresses, which meant the addresses were viewable to
everyone included on the email. Shortly after the email was sent,
the hamlet chair sent another email apologizing for the mistake and
asking ratepayers to delete the previous email.
One of the ratepayers filed a complaint with the rural
municipality that is home to the hamlet in question. After the
municipality advised the ratepayer that the privacy breach had been
dealt with appropriately, the ratepayer filed a complaint with the
IPC, which went on to investigate the matter.
Investigation Uncovered Numerous Shortcomings
Once a privacy breach occurs, the IPC recommends government
institutions and local authorities – including municipalities and
hamlets – take the following steps:
- Contain the privacy breach
- Notify affected individuals
- Investigate the breach
- Prevent future breaches
While the municipality in this case claimed that the hamlet had
followed each of those steps, the IPC’s investigation uncovered
For instance, the hamlet chair requested that ratepayers delete
the first email, but he did not request confirmation that the email
had been deleted – making it unclear if the breach had, in fact,
been contained. Nor did he attempt to recall the first email.
The IPC also found that while the hamlet did notify ratepayers
of the breach, the notification was missing certain details the IPC
recommends including, such as the steps taken and planned to
prevent future breaches and informing individuals that they have a
right to complain to the IPC.
In considering whether the municipality had taken steps to
investigate the breach and prevent future breaches, the IPC
its staff had not received any privacy training.
“The only safeguard that was in place was a communication
policy that did not address the [municipality’s] privacy
obligations when using electronic communications,” read the
To prevent and address future breaches, the IPC recommended that
- develop a policy for responding to privacy breaches that
includes measures for containing a breach and notifying affected
disclosure of personal information in compliance with LA FOIP;
- have all staff sign a confidentiality agreement;
- have annual privacy training for all staff; and
- address the use of BCC fields in its communications
Are You Meeting Your Privacy Law Obligations?
This case serves as an important reminder to municipalities to have
proper safeguards in place for protecting ratepayers’ personal
information. Municipalities may face more serious consequences
including reputational impacts for failing to protect personal
MLT Aikins has extensive experience advising municipalities on
their privacy law obligations. We have helped municipalities
develop privacy policies, confidentiality agreements, breach
response policies and privacy training for staff. Contact our Municipal or Privacy, Data Protection & Cybersecurity
group to learn more.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.