UBC statement re: FOI privacy breach

On January 25, 2016, UBC responded to numerous FOI requests related to the resignation of Dr. Arvind Gupta from his post as UBC’s President in August 2015. Due to the large number of requests, and the large number of responsive pages, UBC chose to consolidate these requests and posted a package of 861 responsive pages on its website in PDF format. UBC sent all of the requesters a link to these records. UBC had redacted information from the package in accordance with the Freedom of Information and Protection of Privacy Act (“FIPPA”). Much of the redacted information constituted Dr. Gupta’s personal information.

On January 27, UBC became aware that some of the redacted information had somehow been accessed from the package and immediately removed the package from UBC’s website. Upon investigation, UBC was able to determine that the release of this information occurred in the following manner. UBC utilizes a software package called Redax, which is the industry standard software for redacting documents in electronic format and producing PDF disclosure packages. Where documents consisting of emails with attachments are converted into a PDF file, hidden copies of any unredacted attachments are embedded in the resulting PDF file. While these attachments are hidden, they can be accessed by a knowledgeable user by clicking on links that are embedded in the PDF file. Therefore, it is necessary to take the additional step of “sanitizing” the PDF file to remove the hidden copies of the unredacted attachments. This “sanitization” step is part of UBC’s standard practice, but was inadvertently omitted in this case.

As a result, a number of files that had been attached to emails were hidden within the package and could be accessed by clicking on links within the records package. Some of these attachments contained information that had been redacted, including personal information of Dr. Gupta. This vulnerability affected only these attachments and did not affect the overwhelming majority of the package.

UBC has prepared a replacement package that does not include any of these hidden attachments. To download it, please click here.

UBC deeply regrets the error that led to this privacy breach. UBC has already notified the Office of the Information and Privacy Commissioner of this breach, and will fully cooperate with any investigation it may undertake. UBC takes its obligations under the FIPPA seriously, both to protect privacy and to respond to access requests in an effective, efficient and secure manner. To that end, UBC has retained an external expert to review its disclosure practices and provide recommendations on any steps that need to be taken to prevent a recurrence.

Hubert Lai, Q.C., University Counsel

Contact

Matthew Ramsey
UBC Public Affairs
Tel: 604.827.0781
Cell: 604.518.5835
matthew.ramsey@ubc.ca