Help is just a call away! Talk to an HR expert now. +1 866-606-0149

Case Study: A Lesson in Clarity: How Vague Emails Led Govt. of Nunavut’s HR Department to a Privacy Breach

Oct 3, 2025 | Employment Law, HR Case Study, HR Compliance, Leaves, Termination

Vague Emails Led Nunavut HR Department to a Privacy Breach

When we think about privacy breaches, we often imagine data hacks or files left on a subway. But sometimes, the issue is much simpler — in this case, an email that wasn’t written with enough care. That’s what happened with the Government of Nunavut’s HR department.

Background

This case started in September 2025, when Nunavut’s Information and Privacy Commissioner released a decision about how the Government of Nunavut’s HR department handled an employee’s personal information.

Here’s what happened: an HR staff member emailed a former employee who was on extended unpaid leave and already in a tense dispute with the government. The email asked:

  • Are you working for another employer?
  • If so, what’s the employer’s name and your start date?

The reason given? Just “updating your file.”

Sounds harmless, right? Not quite.

Through an access to information request, the employee later discovered HR’s actual reason for the question; they wanted to determine whether to terminate them on medical vs. non-medical grounds — a decision that had big consequences for severance pay and benefits. The employee filed a privacy complaint.

Which law is at play here?

The case turned on Part 2 of Nunavut’s Access to Information and Protection of Privacy Act (ATIPPA). This law sets rules for when and how public bodies can collect, use, and disclose personal information.

Two key sections applied:

  • Section 40 – Personal information can only be collected if it’s necessary for a program or activity.
  • Section 41(2) – When collecting information directly, you must tell the individual:
    • The purpose of the collection
    • The legal authority for it
    • Who they can contact with questions

Failure to meet these requirements amounts to a breach of privacy law, even if the information itself is legitimately sought.

The Issues

The Commissioner considered two main questions:

  1. Did the HR department have the legal authority to request information about the employee’s other employment?
  2. Did the HR department meet the transparency requirements of section 41(2) when making the request?

Findings and Analysis

  1. Authority to Collect Information
    • Yes — the HR department was on solid ground under s.40(c)(i). Knowing whether the employee was working elsewhere mattered for managing employment status and possible termination. The asking itself wasn’t the problem.
  2. Failure to Explain Purpose (s.41(2))
    • The real purpose was tied to whether termination should be classified as medical or non-medical.
    • Instead, the HR staff member used the vague phrase “updating your file”.
    • The Commissioner ruled this was essentially meaningless and did not satisfy the duty of transparency.
    • The HR team member also failed to cite the legal authority or provide a contact person, as required.
  3. Context and Tone
    • Internal records showed the HR department was intentionally using “neutral” wording to avoid escalating conflict with the employee. The Commissioner acknowledged the motive but was clear: good intentions don’t override the law.
  4. Organizational Uncertainty
    • Internal emails showed the HR staff member was unsure of their legal footing:
      • Could they even ask the question?
      • Was the employee obliged to answer?
      • What if the employee refused?
    • This uncertainty contributed to a non-compliant communication strategy.

Outcome

  • The Commissioner found:
    1. The HR representative was authorized to request the information.
    2. However, the HR department breached section 41(2) by failing to clearly explain the purpose of the question, authority under which the question was asked, and provide contact details.
  • Recommendations:
    1. HR departments should review policies and procedures to ensure compliance with s.41(2) – or with the privacy law in their jurisdiction.
    2. HR departments should circulate a memo to staff and managers reminding them of transparency obligations when collecting personal information, in accordance with their policies on the collection of personal information.

Lessons Learned

  1. Check the applicable privacy legislation for your place of work since transparency may be mandatory. You can’t swap it out for vague, “softer” wording.
  2. Intent doesn’t matter. Even well-meaning emails can breach privacy law if they’re unclear.
  3. Internal records tell the real story. The HR team’s own notes revealed their actual motive, undermining the “file update” explanation.
  4. Training is key. HR staff must understand not only what they can ask, but how they must ask it.
  5. Labour and privacy disputes overlap. The Commissioner noted that ATIPPA is increasingly used as a “proxy battleground” in employment disputes. Organizations must be careful not to let labour strategy lead to privacy missteps.

 

Practical Takeaways for Employers & HR Professionals

  • When requesting personal information:
    • State the specific purpose (e.g., “to assess eligibility for medical vs. non-medical termination”).
    • Cite the legal authority (e.g., ATIPPA s.40(c)(i)).
    • Provide a contact person for questions.
  • Avoid vague phrases like “updating your file”, which offer no real transparency.
  • Train HR staff on privacy requirements under ATIPPA (or equivalent legislation in other jurisdictions).

The bottom line: A single email cost the Nunavut HR department its compliance standing. The lesson is simple: clarity isn’t optional — it’s the law.

 

Citation: 2025 NUIPC 13 (CanLII) | Department of Human Resources (Re) | CanLII