Without debate, Hamilton Council this week received a staff report that described a possible privacy breach of the personal information of the 154,000 Hamilton Water customers. The City pays Alectra Utilities $5.6 million a year to handle its water billing. According to the staff report and subsequent questioning, Alectra farms out the billing to a contractor based in Canada, who in turn contracts out the work to a firm in India. To make this billing possible, the City gives Alectra information including customer names, addresses and mailing addresses. The staff report reads: “In April 2019, City Information Technology staff observed that one of Alectra’s subcontractors located in India had access to Alectra’s servers located in Ontario which house customer names and addresses (i.e. Personal Information). The City had not consented to the sharing of Personal Information with any third parties or to disclosure outside Ontario. Staff subsequently communicated with Alectra regarding the breach in its contractual obligations to the City. Staff also expressed concerns that Personal Information provided by the City to Alectra is being shared with third parties without appropriate restrictions, consents or authorizations.”
Staff advised council about the situation in an in-camera meeting last December, and council directed staff to “formally request a prompt and comprehensive explanation from Alectra Utilities and to report to council.” Prompt or not, that report came this week, seven months later. Essentially the report says staff have toughened up the language in the City’s agreement with Alectra. The report continues: “(Alectra) shall take all reasonable steps and shall exercise due diligence to satisfy itself that data breaches are unlikely. Beyond this base level reasonableness requirement, Alectra is to ensure appropriate security and other measures are in place to minimize the possibility that any water customer information will be used or disclosed otherwise than in accordance with the requirements of MFIPPA… As part of each RFP or contract negotiation involving access to water customer information, each prospective proponent is required to complete and deliver to Alectra a Risk Assessment Questionnaire. In turn, Alectra shall only award any contracts involving water customer data belonging to the City where responses have been to the satisfaction of Alectra.”
The Bay Observer has been trying to find out the exact sequence of events: who sees the information, how a water bill gets generated, and so on. We were referred to Alectra, who provided the following answer: “Alectra employs top tier companies with extensive experience and an excellent reputation in safeguarding customer information. In this case, the domestic company operates globally with experts located in various parts of the world and provides Alectra with software application support, but is not involved in day to day billing operations. All companies that Alectra employs are required to comply with Alectra’s policy, including that customer data cannot be copied or reside on any server that is not an Alectra server housed in Alectra data centers in Ontario.” As of press time we are trying to get more detail, including the key question: who gets to see the personal data and, aside from contract language, how can the security of the information be assured?
Acting on a complaint from Hamilton staff, which is still active despite the contract renewal, the Privacy Commissioner has opened a file and is seeking further information from Alectra. The Bay Observer has contacted the Privacy Commissioner’s office to see if they can provide further details.