The City of Victoria made several recommendations to Coun. Ben Isitt to prevent further privacy breaches following investigations that confirmed he breached privacy rules four times in 2020 and 2021.
The recommendations include using an “opt-in” approach rather than a default “opt-out” method to ask if people want to be on his mailing list, confirming all copies of his email distribution list are deleted and getting confirmation from people to use their email addresses for communication related to the October 2022 municipal election.
The city confirmed a privacy breach occurred in 2020, prior to the three breaches in 2021 previously reported. The breaches involve posting on Twitter a resident’s letter that included personal information of two people he didn’t have consent to share, and sending newsletters to recipients who hadn’t opted in, the result of mishandling his mailing lists in 2016, he said.
The 2020 breach related to a complaint on May 5 of that year about an email sent by Isitt to his mailing list regarding the Red Cedar Café, a non-profit Isitt founded at the start of the pandemic, the city’s head of engagement, Bill Eisenhauer, said in a statement.
Isitt said the 2020 breach also relates to the mishandling of his mailing lists years ago, and because he sends newsletters infrequently, the issue went mostly unnoticed until recently.
“I have now resolved the matter, by removing these email addresses from my email list,” he said.
Jason Woywada, executive director of the B.C. Freedom of Information and Privacy Association, said he suspects privacy breaches involving the mishandling of mailing lists are likely widespread because of a lack of understanding of privacy legislation.
“I know that most politicians try to maintain privacy and they sort of get it, but they’re not privacy professionals and they aren’t data information professionals either. So, privacy considerations and management of data and information are not primary roles of people seeking political office,” he said.
That’s why it’s important that municipal officials receive training on privacy legislation when they’re first elected and at regular intervals during their term to avoid falling into “bad behaviour,” he said.
“Ultimately, I think what we see here is that these would both be considered bad behaviour on his part,” Woywada said.
The severity of a breach depends on the impact to the individual whose privacy has been violated, he said.
It’s also important for the public to understand their rights and how politicians’ use of their email addresses is restricted, he said. “They have to use the information for the reason it was collected,” Woywada said, meaning if a resident emails a councillor about a city issue, they can’t be added to a mailing list without giving consent.
Woywada said he hopes Isitt’s breaches prompt other municipalities to increase their awareness and understanding of privacy requirements.
The Freedom of Information and Protection of Privacy Act is included in the city’s orientation curriculum for new councillors, Eisenhauer said.
John Treleaven, chair of the Grumpy Taxpayer$ of Greater Victoria, said there should be consequences for breaching privacy rules.
“Some form of action by the council is warranted under the circumstances,” he said.
regan-elliott@timescolonist.com
