On Wednesday, Global News learned that the Ontario Secondary School Teachers Federation (OSSTF) had sent letters to current and past members informing them that a cyberattack had impacted their information in May of 2022.
That has left many past members questioning why their information was still on file with the union in the first place.
When she first received a letter earlier this week stating her social insurance number (SIN) and her information had been breached in a cyberattack, Susan Skelton was “shocked and surprised,” since she had only worked as a teacher for one year and left the profession in 1994.
“I opened it up and then read it and was utterly shocked that they still had my social insurance number on file. Frankly, I don’t even know how they got my address because I don’t think I’ve ever updated that, and I’ve moved a few times since then,” Skelton said.
“I was really upset that it had been compromised. I keep my social insurance number in a filing cabinet in the house, and it really bothered me because it’s the keys to the kingdom when somebody has your social insurance number.”
Skelton said she was only on a one-year occasional contract and did not qualify for a pension.
“I don’t have any understanding why they would have that data. They should have cleaned it out, frankly, that it should have been deleted,” Skelton said.
According to the Ontario government’s record-keeping guidelines for the contents and retention of employee records, employers are only required to hold onto personal information for three years.
Furthermore, the Canada Revenue Agency said, “generally, you must keep all required records and supporting documents for a period of six years from the end of the last tax year they relate to.”
Not unlike Skelton, Elizabeth MacDonald is also surprised she was included in the cyberattack since she last worked as a teacher under OSSTF in 1995.
MacDonald said she was informed in a letter earlier this week that her date of birth and SIN were compromised.
“How can they even have my information somewhere after all this time? What possible use would they have for it? There is no possible use,” she told Global News.
“Why is an organization I have had no association with since 1995 holding on to sensitive, personal information?”
Global News asked OSSTF why they were holding on to past employees’ personal information for an extended period.
“We understand that notification of this incident has been concerning for many of our current and past members. OSSTF collects and retains such information for a variety of reasons, including to represent individuals and manage engagement with former members. As a result of this incident, we are committed to reviewing our data collection and retention policies and ensuring our employees are trained on our processes and policies,” an OSSTF spokesperson told Global News.
The union would not answer questions about how many people were impacted by the information breach, but Global News has heard from people who were last connected with the union as far back as 28 years ago.
The Office of the Privacy Commissioner of Canada’s information on the retention and disposal of personal data for public and private sector organizations said there is no set time for which employers should hold onto past employee records.
“If retaining personal information any longer would result in a prejudice for the concerned individual, or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it,” the organization said.
Joanne Black, who last worked as supply support staff from 2007 to 2011, is questioning why the union had her SIN in the first place.
She told Global News that although she did have to pay union dues, she never benefited as a full member.
“It makes me feel pretty bad and then scared because you would not have expected that they would have this kind of information on file, especially the union,” she said.
“I’m surprised and concerned that they still have (my SIN), and when are they going to remove it, and do they need to communicate this to us.”
When asked how she felt about the union’s response to how long they hold onto personal information, Black was not happy.
“I think they’ve overlooked the fact that they’ve dropped the ball on their responsibility, and maybe they don’t have the staffing or the controls in place. But there’s absolutely no reason they needed to have that information for as long as they did.”
Those impacted by the hack were given a one-year subscription to Equifax, a credit monitoring site, but people who spoke to Global News say one year is not enough. They say more time is needed to monitor their credit in case the effects show up after the first year.
“I should be the one that decides when I don’t think it’s necessary anymore. When I have the peace of mind that this hack will not result in my financial information being targeted, my credit rating being targeted, by someone masquerading as me,” MacDonald said.