Last month I got a tip.
Someone emailed me to point out an intriguing revelation posted on the website of Canada’s pipeline regulator, the National Energy Board (NEB).
Every month, the energy regulator, just like other federal organizations, posts an updated list of files it has released to a member of the public through Canada’s access to information legislation. Each entry includes a summary of what was released.
In this case, my source had directed me to a file that was released in July, related to a topic that I had been following closely.
For more than year, I have known that senior management at the NEB gave instructions to their information technology staff in August 2015 to delete an embarrassing email from the inbox of its head of security, and to scrub it from its servers.
I received records in January 2016 confirming that a vice-president had instructed staff to delete the email, and I wrote about it in March 2016. At that time, senior managers at the regulator were evasive and declined to answer all of my questions about what happened.
But more than a year after that, in July 2017, the regulator released a new batch of files about this mysterious issue in response to someone else’s access to information request (ATIP). That individual — whose name is protected by access to information legislation — sought files related to anything and everything the NEB had discussed when I sent my own requests in 2015.
In the ATIP package released to the anonymous person in July, the NEB censored portions of the records consisting of behind-the-scenes discussions about the deletion of the email. It also censored the draft version of a letter that they would later send me as part of their response to my requests for access to information.
This letter offered an explanation about the deleted email and how the regulator was unable to retrieve this missing record.
And although the regulator was careful to censor portions of the records about its internal deliberations that it didn't want the public to see, an NEB employee admits that it was careless about how it handled my own personal information in that same package.
On four different pages of its response, the NEB included a copy of a $50-cheque I had sent to pay for my access to information requests. (Under Canada's federal access to information legislation, people must pay a $5-fee for each request). But NEB officials failed to censor my bank account information, which can be used by someone to gain access to my personal account.
How did they let it slip?
So let's think about that for a moment. The NEB is heavy-handed when it comes to censoring a plethora of information that could cause it public embarrassment. Its staff pores over documents, prior to release, and searches for excuses to censor information that should be made public, rather than being transparent.
So how did this battalion of employees, including lawyers and senior executives, slip up when it came to releasing information that could cause harm to someone else?
In this file, the records were extremely sensitive since they involved matters that are under investigation by the information commissioner, which is looking into a complaint filed by National Observer about the deletion of a record. How serious is such an investigation? If it turns out that there's evidence that someone was deliberately trying to delete a record to avoid providing access to information, that person could be charged with an indictable offence and face up to two years in prison.
But regardless of how many people were involved in processing the release of this sensitive file, a senior ATIP officer was initially the only one to take responsibility and apologize for the mistake.
"The banking information at the bottom of the cheques contained on the pages you listed was indeed disclosed by mistake.
“I am solely responsible for this omission. Please note that the package, containing said banking information, was only released to one individual with no known affiliations.”
“While it’s unlikely that the personal information disclosed could be used to identify you or to access your banking account, given there are standard additional safety measures put in place by the majority of the banking industry to prevent such things, it may be advisable that you close said banking account to ensure your own peace of mind.
“Again I apologize for my mistake and for any inconvenience this may have caused.”
A second apology from the NEB
After this apology, I asked the employee’s supervisor for an explanation.
Sylvain Bédard was appointed as the executive vice-president of “transparency and strategic engagement” at the NEB in September 2016, and he took over the responsibility for overseeing responses to access to information requests at that time.
As I have previously reported, one of Bédard first actions in his new job to promote “transparency” was to hire a private security firm to investigate staff and find out which ones had been speaking to me about questionable management decisions and behaviour at the NEB.
The NEB awarded a $24,150 sole-sourced contract to an Ottawa firm to conduct this investigation. It searched email and phone records of all employees, it cross-referenced a few different reports I had done to find out which employees would have been potential sources, but ultimately, it didn’t find anything other than speculation about how I got my scoops.
I asked Mr. Bédard whether he had signed off on the release of my personal information in this latest file.
And then he also offered an apology. And this time he took responsibility for the error and said he and others would undergo some refresher "training" to help prevent something like this from happening again.
The NEB also appears to have launched an internal investigation on the matter.
"With regards to file, A-2017-48, your email sent at 2:55pm on September 13, 2017 marked the point where the NEB became aware personal information had been mistakenly released. This email triggered our internal investigation process on these matters. The first step of which is verifying the information in question has been contained.
"At this point we have received verbal confirmation that your personal information was not shared beyond the one individual who made the initial request. This individual has also committed to bring in their copy of the ATIP package where it will be exchanged for an appropriately redacted version.
In line with our process, an initial report of this occurrence has been provided to both the Treasury Board Secretariat and the Office of the Privacy Commissioner. Following the conclusion of our internal investigation, a more fulsome report will be provided to both.
"As ATIP Coordinator I signed off on, A-2017-48, not realizing it contained personal information that should have been redacted. For this I personally apologize to you and thank you for bringing it to my attention. Given this situation, I, along with any other individuals involved in the release of this file, will be refreshing our ATIP training with the aim of eliminating instances such as this in the future."
- Sylvain Bédard, NEB executive vice-president of transparency and strategic engagement
This is the second apology that the National Energy Board has sent to the National Observer over the past two years. The last one, which may have been what triggered some increased scrutiny of our publication by the regulator, came after a communications director apologized for providing false and misleading statements about the circumstances surrounding a private meeting, attended by NEB president chief executive Peter Watson and other high-ranking officials with a TransCanada Pipelines consultant, former Quebec premier Jean Charest.
You remember how that all turned out, right?
The other strange issue that this saga raises is that the NEB continues to use 20th century practices to process formal access to information requests at a time when it says it has been implementing a so-called "modernization" plan. Many other federal departments and agencies allow members of the public to make their formal access to information requests and payments online.
It is strange to see a "modern" regulator that still uses an antiquated process that involves snail mail and cheques. Curiously, one of dozens of other federal institutions that is also using regular mail and cheques to process access to information requests just happens to be the Privy Council Office, the central department in the public service and an administrative arm to the prime minister's office.
Is the PCO setting the shining example that the NEB is following?
I'm also alarmed to think about what might have happened if I hadn't received a tip to request this file. Once a file is released through access to information legislation in Canada, any member of the public can also request access and receive a copy of their own.
Fortunately, in this case, the NEB said it only released the package to one individual.
But if I hadn't requested a copy and caught the mistake, would the NEB have released my bank account information to others?
I don't know if the release of my banking information is due to bureaucratic disorganization, or whether it was a deliberate and malicious attack on a free press.
But I'm certain that there is a lot more that the NEB can do to modernize its operations, improve transparency and earn the public trust.