Office receives allegations of imminent risk to health and safety of employees related to COVID-19

The impact of the COVID-19 pandemic was unprecedented for the people of Alberta. As the government implemented public health orders to protect Albertans, concerns regarding how public entities executed the restrictions came to the forefront.

In one case, the office received a complaint that individuals within a public entity were not complying with public health orders issued by Dr. Deena Hinshaw, Alberta’s Chief Medical Officer of Health.

We contacted the Chief Officer of the public entity to inform them we had received a complaint made about activities that may not be compliant with an order issued by the Chief Medical Officer of Health. Further, the Commissioner notified the Chief Medical Officer of Health as persons gathering in recreational facilities may constitute an imminent health risk given the public health emergency at the time.

The Chief Officer of the public entity responded and quickly took steps to ensure compliance with the orders.

In another instance, our office received a complaint from a public sector employee who alleged their division was continuing to host an educational program in their facility. The complainant alleged this did not comply with public health restrictions and created a potential health risk for all involved.

Our investigator contacted the public entity to discuss the details of the complaint and received a response the following day. The public entity was already aware of the issue as the complainant had also previously contacted them about the matter. The public entity subsequently advised they would take the concern to the appropriateparty and also committed to getting back to the complainant with a response.

The complainant subsequently contacted our investigator and advised the program would no longer be hosting on-site classes. The complainant was appreciative of our office’s response and thanked him for looking into the matter.

These cases serve as good examples of how, when it is appropriate, we can resolve significant and serious matters expeditiously and informally.

Unfounded reprisal still results in positive change

A complaint of reprisal proved unfounded, but the Commissioner’s investigation resulted in improvements to a public entity’s whistleblower policy and a change in its severance agreements.

A complainant contacted our office within a week of having their employment terminated by an Alberta public entity. The complaint of reprisal alleged the organization terminated the complainant’s position without cause after they disclosed multiple allegations of wrongdoing under the Public Interest Disclosure (Whistleblower Protection) Act (the Act) through the organization’s internal whistleblower complaints process.

Our investigation revealed no reprisal as the public entity could document other reasons for terminating employment. However, our investigator observed two areas of concern related to the organization’s responsibilities under the Act.

Firstly, the complainant signed a severance agreement that required them to report if they had made any disclosures under the Act and to forego initiating any future disclosures. While it might seem prudent to forestall any further involvement with a former employee, such requests are not compatible with the aims of whistleblower legislation. Severance agreements cannot be used to impede an Albertan’s legislated right to report wrongdoing. In other words, whistleblowers being released from employment should not have to out themselves, nor should they be prevented from speaking out against a wrongdoing or reprisal that may have occurred during their employment in order to conclude a severance agreement.

Secondly, the investigator noted a conflation of the entity’s internal complaint review process and its duties under the Act. The Commissioner observed the organization could have mitigated this confusion with better communication about the Act to its employees.

The designated officer acknowledged the opportunity and detailed the steps already underway to enhance employee awareness of the organization’s newly revised whistleblower protection policy. Further, with removal of the reference to the Public Interest Disclosure (Whistleblower Protection) Act from future severance agreements, the organization has taken a step in the right direction to foster an environment where employees are confident in reporting wrongdoing without fear or adverse financial consequences.

Significant change stems from non-jurisdictional complaint

The owner of a private company was frustrated when their attempts to be considered as a vendor with a public entity were turned down. The complainant submitted a complaint of wrongdoing to the Public Interest Commissioner alleging that a public entity failed to offer a fair and open competition for contracted work. The allegations claimed that up until this point, the public entity had been utilizing the services of a single vendor for many years. Despite becoming aware of the second vendor who offered the same goods and services, the public entity’s practice of sole sourcing continued.

In Alberta, government ministries administer contract opportunities for goods, services and construction according to the expected average spend of the project. Procurement laws provide public entities a legal framework to shape their policies and ensure Alberta businesses are treated fairly in the procurement process.

While the analysis of the complaint found the alleged wrongdoings did not meet the required threshold for wilful acts of gross mismanagement as defined by the Public Interest Disclosure (Whistleblower Protection) Act (the Act), it did reveal several irregularities. We found that contrary to the public entity’s own internal policies, it did not enter into a formal contract with the sole-sourced vendor until 2018. Additionally, the dollar amount these services cost combined with the fact that another vendor had now become known to them, a competitive procurement process for services should have occurred. The findings from the analysis were important and in working collaboratively with the public entity, it was agreed that a procurement process was required at the expiration of the current contract. The case also assisted the public entity in identifying a gap in its procurement processes.

While not all cases meet the threshold for wrongdoing, cases like this one provide an opportunity to encourage public entities to embrace the Act as a means to swiftly resolve issues. This in turn helps maintain and promote public confidence in the administration of public services.

Collaborative approach resolves IT threats

A whistleblower exposed serious IT vulnerability that if left unaddressed could place an Alberta public entity at serious risk. Smart phones, laptops, desktops, networks, servers… all form a complex information technology (IT) system essential to individuals as well as the private and public sector organizations. When any part of the system goes down, the impact on administration and operations is significant.

An individual disclosed to our office that a large and significant entity under the jurisdiction of the Public Interest Commissioner, had failed to address serious IT security vulnerabilities. According to the whistleblower over 120 specific vulnerabilities created a substantial risk not only to the security of the information controlled by the entity but also to the IT network itself. A systems failure or compromise could have a devastating impact on the operations of the entity.

The overarching goal of the Public Interest Disclosure (Whistleblower Protection) Act (the Act) is to promote confidence in the administration of government. The Act authorizes the Commissioner to take any steps she considers appropriate to resolve the matter. Further, she has the ability to choose how to conduct an investigation. Sometimes an informal approach is best.

Through an independent expert analysis, the Commissioner’s investigators confirmed that the vulnerabilities alleged by the whistleblower were legitimate and presented a significant risk. They then engaged with the person responsible for information security within the organization. A collaborative relationship developed as the investigators worked with members of the entity to resolve the issues identified by the whistleblower.

Resource issues played a role in the organization’s ability to address all vulnerabilities. Therefore, the organization took the approach to act on vulnerabilities it considered a priority based on their internal assessments of risk exposure. Where possible, the organization had applied temporary mitigation controls. To build on this approach, the organization then formed a specialized group that focused their efforts on addressing the vulnerabilities. The Commissioner’s investigators were routinely updated as progress on each issue was tracked.

Ultimately, the public entity addressed the security vulnerabilities identified by the whistleblower and made significant process changes and resource commitments to ensure it would identify and expeditiously resolve potential future vulnerabilities. Moreover, the public entity expressed appreciation that the whistleblower came forward to bring to their attention the IT vulnerabilities that may have otherwise gone unresolved.