SPS reported the breaches to the commissioner after learning that nine people’s personal information had been inappropriately accessed.
When a member of the Saskatoon Police Service logs into their internal database, a message pops up, stating: “Access for personal reasons is prohibited.”
Last month, the commissioner determined that a privacy breach had occurred when the members “snooped on personal information stored within its records management system (RMS) for personal, non-business-related reasons.”
The Saskatoon Police Service (SPS) flagged the issue in October 2023 after requesting an internal audit to determine whether anyone had used the system to inappropriately access a certain investigation file.
It found that one member — referred to as “Sworn Member A” — had accessed personal information on five different people, searched addresses linked to four of them, and used another member’s log-in credentials to conduct more searches and print pages from a file, the report outlined.
The SPS Professional Standards Committee then looked into whether the member’s searches were for a “non-business purpose.” In the course of that investigation, the committee discovered that two other members — “Sworn Members B and C” — had also accessed a person’s information inappropriately.
Sworn Member B specifically looked up a licence plate number to identify the vehicle’s owner.
“A second investigation, this one pursuant to The Police Act 1990, identified that information accessed during the breach was narrow in scope and related to specific events,” police said through an emailed statement.
SPS reported the suspected breaches to the privacy commissioner in February, and notified seven of the nine people whose information was accessed. The force said it didn’t have updated contact information for two of the affected people.
Provincial privacy commissioner Ronald Kruzeniski launched an investigation in April. He found that all three members committed a privacy breach by disregarding policy and the pop-up message that appeared when they logged into the system.
The privacy report didn’t outline the specific nature of the searches, the file to which they related, the members’ roles within SPS or what personal interest they had in the file. The force said the personal information that was accessed included people’s names, birthdates, addresses, phone numbers, criminal history and details about police investigations that involved them.
The force told Kruzeniski that its auditing system automatically flags searches as suspicious when a member searches an employee’s name, or someone with the same last name as theirs.
“Based on the identities of the individuals snooped upon, it is evident to my office that Sworn Members A, B and C accessed the personal information for personal reasons and not work-related reasons,” the report found.
It went on to state that SPS made a “reasonable effort” to notify the people affected by the breach, and is taking “reasonable steps” to prevent similar breaches from happening by requiring staff to re-take their training each year under the The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), by looking into an automatic log-off feature for computers and by developing procedures for its automated auditing system.
According to SPS, it continues to audit all three members’ access to the system on a monthly basis. Sworn Members B and C hadn’t made any other inappropriate searches before and haven’t since; their access to the database continues to be monitored.
The force indicated that Sworn Member A’s access was initially limited, monitored and eventually revoked when it was no longer required for their duties. Police stated that the member said they destroyed the records they printed and hadn’t shared the information with anyone else.
Kruzeniski found that while the SPS took “reasonable steps” to contain Member B and C’s breaches, it still needs to definitively determine what happened to the personal information Member A printed out — who destroyed it, when it was destroyed, and how.
He also recommended that all three members provide written confirmation, within 30 days of his findings being issued, that they didn’t share any of the personal information they accessed.
Kruzeniski said employees need to be reminded to log off the database when leaving their computers.
When asked if the members had been disciplined, SPS said the “matter is still ongoing,” the report noted.
“Though isolated, the matter remains under administrative review. Our service takes the protection of private information seriously and conducts annual training and periodic audits to ensure compliance,” the SPS said in response.
“We recognize there is still work to be done and we are committed to honouring the recommendations made by the Commissioner.”
The Saskatoon Star Phoenix has created an Afternoon Headlines newsletter that can be delivered daily to your inbox so you are up to date with the most vital news of the day. Click here to subscribe.
With some online platforms blocking access to the journalism upon which you depend, our website is your destination for up-to-the-minute news, so make sure to bookmark thestarphoenix.com and sign up for our newsletters so we can keep you informed. Click here to subscribe.