Editorial: Multiple 2021 privacy breaches linked to Isitt's council email access, city confirms
CFAX 1070 has learned that on three different occasions in 2021, internal investigations conducted by the City of Victoria determined that Councillor Ben Isitt’s use of information from emails collected using his position as a councillor contravened provisions of British Columbia’s Freedom of Information and Privacy Protection Act.
In March, Isitt was found by the City to have caused a privacy breach during a social media dispute in January with what he later described as the “inadvertent” publication of personal information in correspondence involving a multiple sclerosis advocate who criticized his “white male privilege.”
In November, Isitt was found by the City to have breached the privacy of one or more constituents again after he used email addresses collected through his position on council to encourage participation in the City’s 2022 budget consultation process.
In December, Isitt was found by the City to have breached the privacy of one or more constituents for a third time after he again used email addresses improperly collected through his position on council to distribute a photo essay entitled “A decade of service – and options for the future.”
Isitt acknowledged the first incident, but said he had not yet been made aware of the results from the latter two investigations when reached for comment by CFAX 1070 Friday Jan 7, 2022. “I have been advised that the city’s FOI officer is looking into complaints, but I have not been informed that the investigation is concluded, that any conclusions have been reached, or of any recommendations arising,” Isitt said at the time.
Beacon Hill Park incident involving Red Cedar Café Community Care Kiosk
On January 28, 2021, CFAX 1070 revealed that Isitt was attending a meeting of a committee of Victoria council remotely while at the same time doing work for Red Cedar Café (a non-profit recipient of both a City of Victoria emergency social services grant and CRD administered Reaching Home grant funding that the councillor had founded earlier in the pandemic) with his camera deactivated and microphone muted in Beacon Hill Park.
A CFAX 1070 listener spotted Isitt at the side of the road in the 100 Block of Cook Street in the 10am hour January 28 and inquired with CFAX as to whether Isitt was participating in the council meeting that was taking place at the same time at City Hall. It soon became clear Isitt was attending to both tasks simultaneously while using a mobile device.
The revelation led to criticism of Isitt by Councillor Stephen Andrew later that meeting. “I find it quite offensive really to our citizens and the voters who have put us here that they are now calling-in to radio talk shows and sharing photographs of councillors that are meant to be at this table – in this meeting – and yet are wandering around in the Cook Street neighborhood,” Andrew said while addressing colleagues.
In a response to Andrew’s remarks, Isitt revealed he had been working at what he called a “volunteer position” with Red Cedar Café during various meetings of council over the preceding months, using a mobile device to participate with his attention divided. Isitt later tweeted that before being spotted by a CFAX listener January 28 he had “avoided public association with Red Cedar Café to avoid politicizing these important services.” Isitt apologized to council and the public February 4, 2021. “Maybe I should have started a radio station, but I’m not convinced that a radio station would have helped the community the same way as a pay what you can meal program for people in need,” Isitt said at the time
Among many citizens critical of Isitt’s conduct following the January 28 meeting was Susan Simmons, a multiple sclerosis advocate who lives near Beacon Hill Park and had been critical of the negative impacts of council’s sheltering policies during the pandemic. Simmons took to twitter after the Jan 28 meeting to opine about Isitt’s “#WhiteMalePrivilage.”
The next morning in what appeared to be a rebuttal, Isitt without warning published to twitter copies of email correspondence between himself and Simmons dated years earlier.
‘When you wrote to me in 2016 asking for help advocating against the closure of the Victoria MS Centre, and I responded with the attached letter to the MS Society of Canada, you did not complain about me using my white male privilege and being a leader in the community,” Isitt tweeted, attaching two pieces of correspondence as images which were clearly legible when clicked on by twitter users.
Simmons was initially unaware of the scale of what Isitt had just caused to occur, initially not knowing a privacy breach had taken place.
However, a City of Victoria privacy analyst told CFAX 1070 during the subsequent investigation that “The email that Susan Simmons sent to Councillor Isitt on December 4, 2016 contains her personal information as well as two other individuals.” Isitt had not sought the consent of Simmons or any of those involved immediately before publishing the correspondence to twitter. CFAX 1070 is protecting the identities of the other individuals as well as the substance of their personal information Isitt published in the email.
Isitt quickly deleted the tweet, claiming the publication of the correspondence was “inadvertent” and apologized privately to Simmons for the non-consensual disclosure. The City of Victoria determined in the subsequent investigation “From the information obtained, the post was publicly available for less than an hour.” City of Victoria Head of Engagement Bill Eisenhauer confirmed to CFAX 1070 at the time that a privacy breach had occurred during the exchange and that “actions to prevent future breaches have been conveyed to Councillor Isitt to implement.”
Future Breaches Not Prevented: City of Victoria 2022 Budget Virtual Town Hall
“On November 17, 2021, the City received complaints from three individuals regarding the use of their personal email addresses without their permission. As a public body under the Freedom of Information and Protection of Privacy Act, the City opened a privacy breach investigation file to determine whether the complaints were a breach of FOIPPA’s collection, use and disclosure privacy provisions,” City of Victoria Head of Engagement Bill Eisenhauer says.
While the City did not confirm specific details of the November investigation other than the finding that a privacy breach had occurred, correspondence obtained by CFAX 1070 indicates the complaint involved Isitt’s use of email to encourage participation in the City of Victoria’s 2022 online budget consultations.
Results of the City’s 2022 budget survey were contained in a report received by council December 9, 2021. During that meeting of Committee of the Whole, Isitt asked “…when organized stakeholder groups mobilize in relation to these engagement exercises, should there be a correction factor? Is it just something council takes into consideration?”
Isitt then suggested the existence of a “public safety lobby that’s underway, it involves Victoria city police union, a number of members of the media, and clearly that’s had an impact in this survey…”
“I wasn’t aware of any other organized interest groups mobilizing to encourage participation in the survey so that’s why that’s the only one I’ve referenced,” Isitt added, not mentioning his own use of improperly obtained email addresses to encourage participation in the survey which would later be found to have caused a privacy breach.
Answering Isitt’s question at that time, staff advised council that there was evidence of one or more groups mobilizing. Council heard “secondly, you’ll see in the written correspondence as well, there were about 23 or so percent of the correspondence seemed to be generated from a kind of a form letter.” Staff added there seemed to be “… about six different points of view they were pushing. Another one was particularly around VicPD and reducing the funding to VicPD…”
The City later determined Isitt’s collection of some personal email addresses was not authorized by FOIPPA (Freedom of Information and Privacy Protection Act) and, as a result, the use and disclosure were also not authorized. This resulted in a privacy breach being found to have occurred.
Future Breaches Not Prevented: A Decade of Service
While the City of Victoria was already in the process of completing the report into the November 17, 2021 privacy breach investigation involving Isitt’s improper collection and use of constituent email addresses, additional complaints were received regarding yet another electronic mailing that took place December 14, 2021.
This time, the additional complaints involved email addresses used to distribute a “photo essay” entitled “A decade of service – and options for the future.”
The email, which contained more than a dozen captioned pictures, advised recipients that “During my decade of service as a city councillor and regional director, I have aimed to contribute in a modest way toward actions for a more inclusive and sustainable city and region.”
The email included an invitation for recipients to contact Isitt via his personal website email address. “In the New Year, I will be sharing a questionnaire to learn more about your priorities.”
In the final days of December 2021, a City privacy analyst wrote to one of the complainants to advise an investigation had found that Isitt obtains “individual email addresses either from email he receives via the mayor and council email address or to his councillor email address. The privacy breach occurs when he collects, uses and discloses these email addresses without first obtaining the necessary written consent that complies with the Freedom of Information and Protection of Privacy Act,” according to documents obtained by CFAX 1070.
While claiming he had not yet been made aware of the findings of the latter two investigations, Isitt told CFAX “The other matters relate to an error with management of my email list from 2016. I have been working to resolve the issue and do not anticipate further problems going forward.”
When asked how many privacy breach investigations occurred at the City of Victoria across all departments in 2021, City spokesperson Bill Eisenhauer told CFAX 1070 “Three privacy breaches occurred last year. There was the Susan Simmons breach in March and the Councillor Isitt breaches in November and December. In addition, there were four privacy complaints, one of which was not substantiated and the other three were quickly resolved.”
It is not clear what recommendations will be made following the finding of the third privacy breach of 2021 involving Isitt, but the City did advise a complainant in December that the latest recommendations will “go much further than previous recommendations.”