Snooping on personal staff data, including SIN numbers, salaries and spouse names, led to a SaskPower employee being fired in January.
According to a report released in June by the Saskatchewan Information and Privacy Commissioner, Ron Kruzeniski, the employee inappropriately accessed 4,382 human resources files from current and former employees at the Crown-owned company.
The report said the information included names, addresses, social insurance numbers, salaries and life insurance coverage and beneficiaries.
The employee also put the files onto portable storage devices.
SaskPower concluded that the breach was due to the employee searching network drives. The report says the employee then previewed and saved to the files to his corporate workstation without a business purpose.
The employee also put the files onto portable storage devices. However, the report adds that SaskPower’s internal investigation indicated there was no evidence the files were shared or used for fraudulent activity.
On Dec. 18, 2015, SaskPower contacted the Saskatchewan Information and Privacy Commissioner’s office to report the incident. During the investigation, the employee volunteered his cellphone, USB drives and hard drives.
He was initially suspended with pay and then terminated on January 8 when the internal investigation was finished.
Due to the number of records the employee accessed, Kruzeniski suggests SaskPower forward the final investigation report to the Ministry of Justice to allow prosecutors to consider if charges need to be laid.
The commissioner recommended SaskPower contact the Association of Professional Engineers and Geoscientists of Saskatchewan (APEGS), as the former employee “may be a member” of APEGS.
To avoid similar breaches, the commissioner also recommends SaskPower amend its code of conduct and training programs to address employee snooping.
SaskPower has improved systems security including locking affected network folders so they can only be accessed by authorized users, the report says.
Comments