Editorial: Red Cedar Cafe Association Confirms Privacy Breach Linked to “Former Board Member” Isitt
CFAX 1070 has learned that a December 14, 2021 email sent by Victoria Councillor Ben Isitt entitled “A decade of service – and options for the future” breached the privacy of an unknown number of persons whose email addresses and personal information were improperly collected from files under the control of Red Cedar Café Association.
Confirmation of the latest breach of one or more provisions of BC’s Freedom of Information and Protection of Privacy Act involving Isitt is contained in a notice distributed by the newly appointed board of directors of Red Cedar Cafe Association on February 27, 2022 and obtained by CFAX 1070.
“In January 2022 the Red Cedar Cafe Association (RCCA) Board discovered that in December 2021, personal information (names and email addresses) held in RCC files were accessed inappropriately by a former Board member. This personal information was used to distribute an email message not related to Red Cedar Cafe, that individuals had not given their consent to receive. This is a privacy breach under BC law, and we (the current RCC Board of Directors) are taking the steps required to respond to the breach,” the notice reads.
Red Cedar Cafe Association board representative Kendra Strauss confirmed to CFAX 1070 in a written statement “Yes, the December privacy breach involved Ben Isitt's December 14th email.”
Isitt has not responded to multiple requests for comment.
New Direction for Red Cedar
The February 27, 2022 notice also indicates Red Cedar is under new direction. Once a non-profit society founded by Ben Isitt and others in 2020, records now indicate Red Cedar Café Association was registered as a charitable organization on October 13, 2021.
“For your information, RCC has a new Board of Directors,” the notice reads. “The appointment of the new Board in January 2022 followed the establishment of an interim operating committee (IOC) that was created in November 2021. The IOC worked closely with the Board and staff to improve and streamline operational issues, and its work is ongoing. The Board is managing issues related to governance - including data management - and financial stability.”
Red Cedar Café was the recipient of a number of grants to provide outreach and supports to persons sheltering in City of Victoria parks early in the covid-19 pandemic. In addition to a $10,000 grant awarded by the City of Victoria in summer of 2020, and a $6,500 grant approved in December 2020 for the Beacon Hill Park community care kiosk in the 100 Block of Cook Street, records indicate Red Cedar was awarded $372,996 from the Government of Canada’s Reaching Home program, administered by the Capital Regional District (click for link).
Victoria city council voted April 15, 2021 to end the practice of sheltering in Victoria’s parks in coordination with the Province of British Columbia undertaking an effort to ensure every person sheltering in the parks would be offered a housing space. The vote to end sheltering in the parks and give the city manager the discretion to engage the city solicitor to bring legal proceedings required to enforce the no-sheltering provision of the parks regulation bylaw passed five-to-four, with Councillors Isitt, Potts, Dubow, and Loveday opposed.
As well as "ongoing" work managing unspecified issues regarding “financial stability,” the new board of directors of Red Cedar Café Association is reviewing the organization’s practices involving the collection, storage, and use of personal information.
“We are in the process of reviewing how people's personal contact information is stored at Red Cedar to make sure it is appropriately protected, and to ensure that it is used only with consent and for the purposes for which it was originally provided. We will also be providing training for all staff, and any volunteers who may need access to names and contact info (e.g., for delivery of frozen meals), on privacy and consent issues,” the February 27, 2022 notice states.
Not the first privacy breach involving Isitt
In January 2022, CFAX 1070 revealed the existence of a series of privacy breaches involving Isitt and the improper collection and use of personal information Isitt obtained via his access to City of Victoria email resources. City of Victoria internal investigations determined that Isitt had caused privacy breaches in May 2020, January 2021, November 2021, and December 2021.
Isitt claimed “an administrative error” caused the improper collection of email addresses during a City of Victoria budget consultation process in 2016. He claimed the continued use of the list containing these improperly collected email addresses years later was inadvertent.
“Due to an administrative error several years ago, I inadvertently added some email addresses to my mailing list without securing the recipients' approval. My sincere apologies for this error. To correct this error, I am contacting you today,” Isitt wrote in an email to persons impacted January 31, 2022.
The newest privacy breach is said to involve addresses that Isitt improperly obtained from Red Cedar Cafe Association files only months ago, not years ago. Isitt has not responded to inquiries by CFAX 1070 to explain how this could have taken place.
The December 14, 2021 privacy breach is also not the first breach linked to Isitt’s activities with Red Cedar Café. Two breaches (May 2020 and January 2021) involved Isitt’s activities with what he told council colleagues was his volunteer role at the then non-profit society he had founded with others in April 2020. In May 2020, Isitt used personal information collected through his access to City of Victoria email resources to solicit donations for Red Cedar. In January 2021, Isitt published correspondence to Twitter involving a multiple sclerosis advocate after she criticized his “white male privilege,” after she learned Isitt was overseeing the delivery of a structure to Red Cedar’s community care kiosk in Beacon Hill Park at the same time he was virtually attending Victoria City Council’s Committee of the Whole January 28, 2021.
Isitt later apologized for his conduct in relation to both matters.
The Red Cedar Café Association board says steps have been taken to prevent future breaches.
“On January 26th, 2022, the Board sent the individual responsible for the breach a letter identifying that he accessed and used personal information held in RCC files in ways that constituted a breach of privacy. We conveyed that he is forbidden from using information about any individuals from Red Cedar's files for anything other than Red Cedar's official business, and must immediately destroy locally-held information and ensure he does not use it again in future. The person responsible confirmed that he has destroyed his copies of contact information from RCC files,” the February 27, 2022 notice states.
The board says any person impacted by the latest privacy breach involving their personal information may contact them or the Office of the Information and Privacy Commissioner for British Columbia to address any questions or concerns.
“Please feel free to get in touch with us any time if you have any questions or concerns. You also have the right to contact the BC Office of the Information and Privacy Commissioner (OIPC); contact information can be found here: https://www.oipc.bc.ca/about/contact-us/. If you want to make a complaint through the OIPC, the information on how to do this is also on their website: https://www.oipc.bc.ca/for-the-public/how-do-i-make-a-complaint/”