This is the sixth post in our series about the Gabriola Fire Protection Improvement meeting that took place on December 3rd, 2025.
The first post about the 2025-12-03 meeting provides an introduction, links, and useful background information. Our transcription of the meeting itself begins in the second post of this series and is completed in this, the sixth and final post.
TABLE OF CONTENTS
BUSINESS ARISING continued
- Question 1 - privacy breach
- Question 2 - meeting decorum
- Question 3 - communications policy, whistleblower policy
- Question 4 - privacy breach
BUSINESS ARISING cont.
Privacy Breach Update
(VIDEO 4:52:10)
CHAIR: Anyway, look, okay, fine, let’s stop this and move on to the ahh, to this. Okay, this is going to be, I think people are aware. I maybe had something prepared four hours ago, but I'm going to wing it anyway.
So here's what is my understanding of what has happened here. We had a computer tower that was used in the office by Paula Mallinson back in the day, and it was taken out of service and stored in the file room. We don't know exactly the date, and we don't even know, I can't tell you what year it was. We are told through various people mumbling, that about three years ago it was removed from the storage, that was considered storage along with all the files. This is back the days when people trusted each other a little bit more. In any case—
TRUSTEE MERCIER: An incorrect report, Chair.
CHAIR: Huh?
TRUSTEE MERCIER: That's incorrect. That’s not what we’ve been told.
CHAIR: I’m sorry, what?
TRUSTEE MERCIER: That's not what we've been told, Chair.
TRUSTEE CHORNEYKO: What happened before?
CHAIR: That is what I've been told.
TRUSTEE MERCIER: Well I had written, I was the person to whom the device was returned—
CHAIR: Well, that is good of you to own up to that. Thank you.
TRUSTEE MERCIER: Yes, and in the written briefing that I submitted to the board, I related what I was told from the person who returned the device to the improvement district.
CHAIR: Uh-huh
TRUSTEE MERCIER: That person told me that the device was placed in the kitchen, accessible to the firefighters, and that they were told that it was, along with a bunch of other material, up for grabs. That's what I was told. You may be have been told something different, but that's what I reported to police, and that's what the person who returned the device to me reported to the police.
CHAIR: Well, that's interesting, because the person that took it, that ah, that took the device is the person telling you when they got it and how they got it. Okay, that doesn't, that doesn't hold any, any water with me.
TRUSTEE MERCIER: I'm not saying that that's correct. I'm saying that's what we've been told.
CHAIR: Yeah, well, I was told something different, okay, a little, a little bit like yours, but, but, but somewhat, somewhat different. And I was told—
TRUSTEE CHORNEYKO: who told you this?
CHAIR: Hm?
TRUSTEE CHORNEYKO: Based on who?
CHAIR: We’re getting into, you know, who knows what, about who. Okay, just a minute. I'll say, I’m not at liberty to say right now. Here's the deal. I mean, the person, the person, apparently—and I think David has spoken to that person and knows who that person is, but we, they want anonymity on this, they want to return. They returned the unit somewhat, I'm thinking, three years after it was taken away from here. And I'm not saying it's a theft, but it disappeared without anybody that I've talked to here saying that they authorized it. So take, take from that what you want. Okay, so it came back three years ago, and what day did you get it?
TRUSTEE MERCIER: I received the device on, I think it was October 10th. It was the Friday immediately proceeding the Thanksgiving long weekend.
CHAIR: It was a rainy day.
TRUSTEE MERCIER: Could have been.
CHAIR: Okay, so you got it on October 10, that's right?
TRUSTEE MERCIER: That’s correct. Right.
CHAIR: And you did, I’m not [unclear].
TRUSTEE MERCIER: I examined the contents of the device—
CHAIR: But you took the device home.
TRUSTEE MERCIER: It was returned to me at my home, delivered to me at my home.
CHAIR: Okay? Somebody dropped it off at your house for your perusal.
TRUSTEE MERCIER: Someone dropped it off at my house to return it to the District.
CHAIR: Alright, so when did you return it to the District?
TRUSTEE MERCIER: I returned it to, I notified the Office of the Information and Privacy Commissioner that I was in possession of the device on the evening of the Thanksgiving Monday, which I believe, which I believe to have been October 13. I notified the remainder of the Board, through the Corporate Officer, on Tuesday, I believe October 14, with a Briefing Document that I requested the Corporate Officer distribute to the Trustees. You and Trustee Moher were present on that occasion and received the Briefing Document at the same time as I disclosed the breach. I requested that the Corporate Officer establish secure storage for the device so that I could turn it over to them, because, to the best of my knowledge, there is not any secure storage in the building that is not accessible to various staff people. The Corporate Officer made various suggestions. I deferred to those suggestions, didn't hear anything back, and on the date October 22, immediately after my resignation as Chair, I went home, retrieved the device, brought it into this room, and turned it over to the Board [unclear].
CHAIR: And there it sits. So basically, what we got is a situation, we're talking about a data breach here.
[phone goes off, comments]
CHAIR: But anyway, okay, so in terms of data breach here, we don't know for sure what that computer did. And just just to lay it out for you, the computer was the computer that was used in here, so it, by by nature, contained, I think you can read this [unclear], I think that was part of your—
TRUSTEE MERCIER: I discovered approximately three dozen, maybe a little higher than three dozen, records of social insurance numbers of island residents.
CHAIR: So you saw those numbers.
TRUSTEE MERCIER: I did see those numbers.
CHAIR: Okay, so we're talking probably, I think, the entire membership at that time. Somewhere between—
TRUSTEE MERCIER: Respectfully, there was social insurance numbers of people that I do not believe to have been firefighters. I'm not sure why the numbers were there. If I may, there was other information. Would you like me to enumerate some of that also?
CHAIR: Go ahead, sure.
TRUSTEE MERCIER: in addition to, let me call up my briefing document, oh wonderful. So a cursory, I quote here from the document that I submitted to the board on October, I believe 13th or 14th, the Tuesday after the Thanksgiving weekend,
“A cursory evaluation of the machine revealed the presence of names and social insurance number information of several dozen people, many still present on the island and active in the community. A scanned driver's license image from a Gabriola Volunteer Fire Department employee, a draft will for a previous Gabriola fire protection improvement district employee, banking and tax information, a tax roll long out of date but complete, and employment information relating to several former and current Gabriola Volunteer Fire Department members, including disciplinary letters and evaluations. The computer also included SAGE [ED: accounting software] and related data concerning payrolls and finances. I did not access this material, and there were a large number of personal photographs and documents that were also present that I didn’t look at.”
CHAIR: So ah, who gave you the computer?
TRUSTEE MERCIER: A member of the community. A member of the community and former member—
CHAIR: A member of the community and former firefighter?
TRUSTEE MERCIER: I'm sure you can understand the that person returned the device to me in my capacity as Chair.
CHAIR: But not to the Hall, but to you, at your house.
TRUSTEE MERCIER: That's right.
DISCUSSION OF OPTIONS FOR REMEDIATION
(VIDEO 5:02:00)
CHAIR: Okay, so anyway, if there's a data breach, the important thing I think, around here is not so much—I mean, I've given up. I’ve pretty well given up trying to find out who took the computer. What we're trying to determine here is, is our exposure in terms of the data breach. I would like to think that there wasn't much of a data breach. That's what I'd like to think. I don't have any indication that they'll go before a court of law of anything other than the story that I have been told so far.
I, so, but we do know that the computer left, and there's a possibility there was a data breach. And because there's a possibility, because there was a possibility of a data breach, we had contacted the, I did too, I phoned it into FOI, as I'm supposed to do. I also, because it's a requirement under our insurance, and just under, in general, I called the RCMP and have them investigate this. Didn't have any choice.
I, when we have a data breach, one of the things that we may, we may still have to do, is hire a forensic computer auditor to go through this computer and see what's on it. I think we know what's on it. I think, I think actually, it's mirrored in the computer that's in the room over there to this day, but this is one thing we have to find out. The computer auditor, computer forensic auditor that I talked to, Mosaic, informed me that they were prepared to do that work for us. I'm looking for prices on that, and they quoted me $12,000 to $15,000, for this data breach, to check out this data breach. They work for the government, they work for the RCMP, they’re fully accredited up the yin yang. It's an ex lawyer that does it. In any case, the first thing that he said to me is, he said, “Do not touch that computer. I will come over and get it. Do not crack it open. Do not access the information.” And I had to tell them that it already been breached. So that's off the table right there.
So where we're hanging right now is that we're trying to trying to decide the extent to the, of the breach, and we're trying to persuade FOI—FOIPPA are the people that have, that we have to talk to about data breaches, okay? And I've been in contact with with that person about this issue. I have tried, and this person, the lady in charge there has asked me to do as best I can to find out what our level of data breach might be, or if it's non-existent. I would love to think it's not non-existent. I would love to hear the story that it was in somebody's closet for two years and they took it out and they looked at it and they said, “Oh, this has, this has important data on it,” and put it back in the closet and waited a year to bring it to Wayne. Now, you wanna say something?
TRUSTEE MERCIER: I do. Respectfully, Chair, the fact that the computer left our care and control, while it contains protected personal information, itself constitutes the data breach. I have in this piece of correspondence from the investigator assigned by the OIPC, which has been circulated to the Board, they say “You have indicated to me that social insurance numbers, as well as information about employment history, termination letters, discipline letters, are included in the personal information. I will note that these types of information are sensitive information as contemplated by Section 22 Freedom of Information and Protection of Privacy Act. I would classify this type of information as something that could cause significant harm depending on the circumstances, and the public body should contemplate notification here.” So my question is, has any action been taken to notify the people affected by the privacy breach, and if not, why not?
CHAIR: Well, we haven't done that yet, because we don't know who it is. We have been to—
TRUSTEE MERCIER: There are approximately 36 to 40 people—
CHAIR: Absolutely.
TRUSTEE MERCIER: We know who they are. We know who the former employees whose disciplinary letters are present on the computer are. We know whose will it was, and whose drivers license. Have you notified those people?
CHAIR: Well, you can share that with me, and I'll contact the people. Please understand this, that that computer is sitting right now in a locked situation, away from little grubby hands, in the thought that we we may have to hire a forensic computer auditor to come in here, and you can't touch the thing until they [unclear].
TRUSTEE MERCIER: Respectfully Chair, what instructions have you received in that contemplates that being a necessary next step before we notify the people affected?
CHAIR: Talking to FOI.
TRUSTEE MERCIER: So do you have written instructions from them that that's necessary? Because in my conversation with them, the recommended course of action was that the head of the public body with a small group of trustees assess the information and notify the people affected.
CHAIR: Well, I got the same, I got the same email as you did, because the lady you were talking to shared it with me, because I was the FOI point—
TRUSTEE MERCIER: I didn’t get that. The only email I got was from the 22nd of, pardon me, was from the 21st October, which was meeting before our in camera meeting, and it states that the device is contained, that's good. But the risk assessment is the next step, and that notification is something that the body should consider. So I am going, I would like to go on record as expressing grave concern that no action appears to have been taken to notify the people who are affected by the data breach.
CHAIR: Amazing. You were the chair when this came in, and you didn't notify the people on the list that you saw. You saw the SIN numbers, and I would imagine that there was a name beside them. And you, when you were chair and were possession of this, did not contact them. And you want to throw it at me that I haven’t contacted them.
TRUSTEE MERCIER: On the 21st of November, I received this document here from the investigator, which made clear that notification was, in fact, something that we should do. And then the next day, I resigned, because when I went to take steps to investigate this privacy breach by initiating an audit, as had been decided by the Board, I received strong push back that the steps I wanted to take, which were to audit and access the various devices owned by the Board, because we lost a device—
CHAIR: I don’t have anything on record.
TRUSTEE MERCIER: —I received strong objection, and[?] you were actually physically present when that meeting took place.
AUDIENCE MEMBER: Was that the screaming and yelling one?
TRUSTEE MERCIER: There was no screaming and yelling, though.
CHAIR: Excuse me, one second, there’s going to be a question and answer, so.
AUDIENCE MEMBER JACQUI BRAID: Sorry. I think I may be one of those people.
CHAIR: You may well be.
BRAID: I very may well be. I was employed as training officer, and I have real concerns, and I think that you need to notify, because when there's a data breach, I need to, I need to protect myself, and if—this has now been over, like three weeks, and so you need to let the concerned people know. You need to take that step.
CHAIR: Yeah, well what will be required to do that is either have the person that's been into the computer and knows who those names are, okay, address the SIN numbers—
BRAID: No, you as a board need to—
TRUSTEE MERCIER: I isolated and identified the files that contain the protected personal information in a file on the desktop. This is reflected in briefing information that I gave to the board.
CHAIR: And you have the names?
TRUSTEE MERCIER: I do not have the names. I made a file on the desktop of the computer containing the files that contains the names. It's readily accessible, and that, the fact that I did that, is reflected in the documentation that I provided to the Board.
MOTION TO AUDIT COMPUTER
(VIDEO 5:10:40)
TRUSTEE CHORNEYKO: So I’d like to put a motion on the table that we authorize some people to look into that computer and collate the data. We need to know who is affected and how. So I think that’s where this motion will end, and we need to authorize some people to look into that computer and collate the data. We need to know who is affected and how. So yeah, I think that’s [unclear].
TRUSTEE MERCIER: Respectfully, Trustee Chorneyko, I agree with you, but the responsibility for addressing the privacy breach rests with the head of the public body, not the Board as a whole. The head of the public body is Chair Johnson. So if chair Johnson wants to—
CHAIR: I’ll take on a course of action.
TRUSTEE MERCIER: —to work with trustees, and perhaps the corporate officer, to assess that information, that would be appropriate, but it's decision by the head of the public body, not a decision by the Board.
CHAIR: Just so you know, if I may say this, in my conversations with the RCMP, I was told that as far as they were able to get with their investigation is, they felt that there wasn't much chance that there was a data breach, that where somebody was using your SIN numbers. But you don't know, I totally, Jacqui, I completely agree. Okay, I completely agree. Just, but the fact that fact remains that we've got two things that we have to do. We have to satisfy the membership who may or may not have had—well, this is a data breach. That that information was used in any particular way, what the police told me is that if they hadn't used it by now to set up a phony account or something like that, it wasn't, it wasn't necessarily going to happen, and they had talked to that person, and were convinced that person had not done it to make money or use the SIN numbers.
TRUSTEE MOHER: John had his hand up.
CHAIR: Go ahead.
TRUSTEE MOELLER: So I think there's kind of two separate issues, if I’m understanding [unclear]. First one is that, like, we've got this idea of what's on the computer, but then you've talked to a data expert, and they're saying, don't touch the computer until it’s been analyzed. So the two separate issues are, the first one is, we don't know whether the data that's been found on there is the complete picture, right? So it's just used, this [unclear]—
TRUSTEE MERCIER: I didn't exhaustively go through all the emails. I didn't exhaustively go through all the files. I looked at file names and saw that one was called SIN, and I was like, that looks dubious.
TRUSTEE MOELLER: Okay, so it’s not exhaustive. So that's the first issue, is that, according to this data expert, we shouldn't really be accessing the computer, and we're not sure that all the information on there has been found. So then the first issue we need to decide on is whether we're going to spend this kind of money to get this thing analyzed by a professional, or if we're going to appoint a committee of people and try and do it ourselves. That's the first step. Once you got the full picture of the data, then you've got people's names or whatever, SIN numbers. I don't know how you're going to figure out the contact information of those people, but that's a problem for another day. So first issue is we've got to decide what we're going to do in terms of discovering the fulsome account of data on the device.
CHAIR: Yeah, I would say at this point, I would like to say, I don't know how we’re going to do this publicly, but I think it needs to be done, if you were on fire department between the years of 1996 and 2015, that data has been breached. Okay, just know that. Okay. We don't know what was done with it. We are hoping and praying that nothing was done with it, that it was just a silly mistake on somebody's part. They didn't mean to do it, and it was just a shiny object. Go ahead.
TRUSTEE MOELLER: So I like Dave's motion. I like Dave's motion to form a committee, and I don't really understand why he can't make that motion, but if he can't, then I will.
TRUSTEE MERCIER: The reason we can't make that motion is because the board can't bind the head of the public body to do a thing that is his duty as head of the public body, not chair. So if the head of the public body decides that that's the best way forward, then the head of the public body can suggest that to the board, and then the board can respond to that suggestion, but the suggestion can't come from the board, because it's not the responsibility of the board. It's the responsibility of the head.
CHAIR: It now rests with me, can I— [points at Trustee Moher]
TRUSTEE MOHER: Yeah, no, I like the idea, and then we add to it. But I also want us to make sure that if we're going to have it assessed by somebody, like, even with your skills, the idea of assessing the risk is, if it's been sitting and nobody has accessed it since it left here from the time it stopped being used, and then the next time it was opened up was when Wayne opened it up and went through it, then there's been no breach. So if that can be confirmed, then we can tell people, “Your information was in there, but nobody did anything with it, until Trustee Mercier opened it up and went through it all.”
CHAIR: uh-huh
TRUSTEE MOHER: So that will be a declaration that you can give to FOIPPA, so…
[multiple voices]
TRUSTEE CHORNEYKO: So this computer was the ex-corporate officer’ computer—
CHAIR: Right.
TRUSTEE CHORNEYKO: —so the data that's on this computer is nothing that the corporate officer is not privy to.
CHAIR: Right.
TRUSTEE MERCIER: Respectfully, that’s not correct.
TRUSTEE CHORNEYKO: Well, it's outdated.
TRUSTEE MERCIER: That’s—
TRUSTEE CHORNEYKO: We normally provide the corporate officer access to this information, so—
[multiple voices, Trustee Moher and Corporate Officer, unclear]
TRUSTEE MERCIER: You have access to all the SIN numbers of all the firefighters?
CORPORATE OFFICER: All the current ones.
TRUSTEE MERCIER: Right.
[multiple voices, unclear]
TRUSTEE CHORNEYKO: This is the level, the level of access you have.
TRUSTEE MERCIER: However, you are formally bound by [unclear]
TRUSTEE CHORNEYKO: We trust you with this information anyway.
(VIDEO 5:17:20)
CHAIR: If I can make, and this is to your point here, you're proposing that we put people together, one, two, three, whatever it takes as a team, to go through this. May I suggest that it be Paula Mallinson, who was the sole person, as far as we can determine, that inputted that information into that computer. That was her computer. Okay, so that would be one person, because she's got the password for stuff that we don't have a password for.
TRUSTEE MERCIER: I don’t think that’s—
CHAIR: With me there. I'm going to say this. Okay, with me there. I will take responsibility for that. But I'm not a computer scientist. I don't mind turning it on and trying to find what the SIN numbers are. I don't—
TRUSTEE MOHER: Paula can find all that for you.
[multiple voices, unclear]
TRUSTEE MERCIER: Truly, it’s not to find stuff—
CHAIR: We need to find stuff—
TRUSTEE MOHER: She's still bound by confidentiality—
JACQUI BRAID: But is she? She is no longer an employee and so I think that that's wrong.
[multiple voices, unclear]
CHAIR: —would not be an employee of ours either. We would have to contract with them on confidentiality. She’s already seen the numbers, she inputted, she put them in there.
TRUSTEE MOHER: My confidentiality, after working at the school, goes into perpetuity, I would assume—
TRUSTEE MERCIER: [to Chair] Is this a course of action that you wish to pursue in general? Because if it is, then we can advance the motions. It would be a select committee to analyze the device and report back. But if this is not a course of action that you want to pursue, then the board can’t do that. So is that something you want to do?
CHAIR: Yeah, well, forgive me, it's late, and the course of action that I'd like to pursue is to get as much information off that computer as soon as I can, and let, let—if we have numbers with names attached to those numbers, and there must be, they don’t just [unclear]
TRUSTEE MERCIER: There are certainly names, yes, absolutely.
CHAIR: Would you, could you save me at least that trouble of trying to look that up—
[multiple voices, unclear]
TRUSTEE MERCIER: I haven’t got the names in my head, I—
CHAIR: I'm sure you have.
TRUSTEE MERCIER: So what, I don't have any [unclear]. Everything I have [unclear]. So what I'm—if having a select committee examine the device is your wish as head of the public body, then I have a motion.
CHAIR: I'm going to say that, yes, I'm going to be the point person among this. Of course I am. It's in the law. You know that.
(VIDEO 5:20:00)
FORMER TRUSTEE WELLS: Wayne, you said you didn't have any written copies of it. Do you have any copies of what was on that computer?
TRUSTEE MERCIER: No.
FORMER TRUSTEE WELLS: Okay, fine, I wanted to clarify that. [multiple voices, unclear] The way you said it, you sort of [multiple voices, unclear] oh no, I don’t have any of those copies—
TRUSTEE MERCIER: No. So—I mean, I retained in my mind, having seen a name and in the next column a nine digit number. I don't retain any of those nine digit numbers. I smoke a lot of pot. My memory is not that great. But some of the people are my friends and neighbors, and so I retained the names. All of the—I kept no written records other than the briefing documents that I submitted and circulated to the board. So the board is aware of everything that I'm aware of, except that they don't have, you know, like—
FORMER TRUSTEE WELLS: So you didn’t copy anything off of it. [overlapping voices, unclear]
TRUSTEE MERCIER: That’s correct. The only copies of information that I made were I copied information from sub folders and I made a copy on the desktop for ease of finding. No information was copied off the device at any time or in any way, whether by handwriting or anything.
TRUSTEE CHORNEYKO Give us your motion.
CHAIR: Well, one second, [unclear] to be question and answer... [acknowledging audience member]
PENELOPE BAHR: My question was, when that computer was retired, wasn't the information on it put on to the existing computers? Did you not change—?
[multiple voices, unclear]
CHAIR: We understand—
CORPORATE OFFICER: We don't know 100%.
CHAIR: We don’t know 100%.
PENELOPE BAHR: Okay. Then my other question is, why wasn't it wiped?
CHAIR: Good question.
PENELOPE BAHR: Because that, you need a policy for that. You need a policy on how to to get rid of your old computers and your old equipment.
CHAIR: We’re going to get to that.
[multiple voices, unclear]
TRUSTEE MERCIER: In any case—part of the required response to a privacy breach is setting out what steps will be taken to ensure that such a breach doesn't take place going forward. There are four steps in the response, and we haven’t got to step four yet.
PENELOPE BAHR: Thank you.
CHAIR: But we will, and—
TRUSTEE MERCIER: Yes.
CHAIR: We're getting tumbled up here, a little bit over our skis, but just let me say that when I was talking to the RCMP officer Jacob here on the island, he wasn't the actual guy that did the investigation, but he knew about it. And his suggestion at the end of it is that we look at a system that they use—because data breaches happen all the time—that we investigate a system by which there's a key card system, so that you can't get into the file room unless you put in your personal key card, that would probably be just the Corporate Officer, and I don't know, one other person, maybe? And they go in and it's recorded digitally when they went in and when they left. And he said the way they do it, they've got a way to write down why you were in there. You have to have a reason. It doesn't matter if you’re the corporate officer, doesn’t matter if you’re anybody, you have to specify why you were in there. And this is what the RCMP do, and a lot of government agencies, because everybody thinks there's, there's spy versus spy all the time. So that's how we can safeguard that. I mean, I don't know whether, for the purposes of—
[Trustee Moeller leaves]
TRUSTEE CHORNEYKO: Let's move this along.
PENELOPE BAHR: Yes, I derailed it, I’m sorry.
CHAIR: I’m not finished.
PENELOPE BAHR: Yes, I derailed it, you had a motion on the floor.
TRUSTEE MERCIER: The motion I'm proposing is
THAT the Gabriola Fire Protection Improvement District strike a select the committee consisting of Trustees Johnson, Mercier, Moher, and the corporate officer, for the purpose of examining the device involved in the privacy breach reported in October 2025, compiling a register of affected persons, reporting to the board, and composing notifications which meet the requirements of the Freedom of Information and Protection of Privacy Act. The committee to report in January 2026.
CHAIR: I like it.
TRUSTEE CHORNEYKO: I’ll second it.
TRUSTEE MERCIER: and I have a tiny amendment,
and that the chair of the committee be Chair Johnson as head of the public body.
CHAIR: Sure. [pause] The FOI’s kind of weird about that, aren’t they.
TRUSTEE MERCIER: so that's been made and seconded. [pause, gestures to Chair] You're the Chair.
CHAIR: I’m waiting for him to come back. [meaning Trustee Moeller]
[Multiple voices explain that Trustee Moeller has left the meeting]
CHAIR: A vote in the affirmative, put your hand up, please. So that carries. Just for your information, now I got, I have a life, and, we all have lives. Okay?
TRUSTEE MERCIER: Speak for yourself, sir.
CHAIR: Just, I spent an awful lot of time on this nonsense to begin with, and that's what this is, to a large extent, as far as I'm concerned. But, and I had planned to do something tomorrow with my wife, if anybody minds that at all, and it [unclear] but I will get on it on Friday, if that's okay with everybody, that I will, I will do my level headed best to find out—There's two things. It's not just the SIN numbers. I think there's medical records too.
TRUSTEE MERCIER: I did not encounter any medical records.
CHAIR: Oh good, all right, good
TRUSTEE MERCIER: There is, however, a tax roll, outdated. And we are, I think—pretty strongly—obligated to report that to the Ministry of Finance. I was instructed by the investigator that the Ministry of Finance is unlikely to do anything but require it to be deleted, because it's so far out of date, but that information is shared with us under an information sharing agreement, which requires that it be destroyed later.
CHAIR: Just so you know, and Trustee Mercier knows this too, um, the extent to which we can get rid of this whole thing, the extent to which we can put this to bed and [unclear] satisfy possibly the people whose SIN numbers are on that computer that left the building, is really completely up to, if you want to call her the investigator, it’s not really an investigator,
TRUSTEE MERCIER: That's her title.
CHAIR: Okay, okay, but that's entirely up to FOIPPA as to what the next steps are.
MOTION RE IDENTITY PROTECTION PROGRAM
(VIDEO 5:27:00)
TRUSTEE CHORNEYKO: So, I'd like to make a motion, that we supply the affected people who've lost, who we've lost control of the SIN numbers, that we supply them an appropriate identity monitoring product.
TRUSTEE MERCIER: May I, before that is formally made? This is something that I discussed with the investigator, and it is a component—a component of the response is a recommendation by the public body about what, if any, protection should be provided, and at whose cost.
TRUSTEE CHORNEYKO: Yes.
TRUSTEE MERCIER: And so while I like your motion, of course, I'm just going to suggest that we maybe hold off until we've assessed the information.
TRUSTEE MOHER: Yes.
TRUSTEE CHORNEYKO: I want to do this now. Like, has anybody looked into the cost of this?
CHAIR: Yeah.
TRUSTEE CHORNEYKO: How much?
CHAIR: $3,000 per person over a 3 year period?
CORPORATE OFFICER: And I got, it was hard to buy in bulk.
CHAIR: Yeah.
TRUSTEE CHORNEYKO: I got a hold of Equifax, and I got 500 bucks, and then 10 bucks a head. So if it's 40 people—
CHAIR: You sure about that?
TRUSTEE CHORNEYKO: Yeah, I got the product sheet, the price list right here.
CHAIR: Well, if it's that—
TRUSTEE CHORNEYKO: It's like, 1000 bucks. And so they have Equifax as a data exposure response and remediation package. And like I say, it's 10 bucks a head, so I think we should just do this, in order to assure people that their privacy is okay.
TRUSTEE MERCIER: I have, I mean, I was a victim of some kind of corporate privacy breach a number of years ago, and they provided me with identity protection stuff through a different provider. So I would like to suggest in a friendly way, that rather than settling on a particular provider, that you, that your motion consist of an authorization for an expenditure of some amount for that purpose.
TRUSTEE CHORNEYKO: Sure, let's say $2,000, it'll be well under that.
CHAIR: Well, for the whole package.
TRUSTEE CHORNEYKO: Yes.
CHAIR: For everybody.
TRUSTEE CHORNEYKO: Yeah. So here's, here's the—
CHAIR: Can I just say something, real quick? Jacqui—
TRUSTEE CHORNEYKO: This is for one year?
CHAIR: I’m speaking here. Jacqui, let me ask you this, you were one of the people that may be affected. I don't know who else was. [to someone else] You were. You were at the fire department during that period?
[multiple voices, sometimes unclear, indicate that they could have been affected]
CHAIR: 2015 was the cut off period.
TRUSTEE CHORNEYKO: I am one of the people, I might be one of the people.
CHAIR: So you're one of them?
TRUSTEE MERCIER: Just for timelines for clarity, because I [unclear], so the information on the computer begins some, I think, in 98, and carries through to, if I recall correctly, 2010. And I think that was from a previous computer—that information was transferred to this device, which remained in use until I believe 2015.
UNKNOWN AUDIENCE MEMBER: Then that’s not me.
CHAIR: Not you? We’re just, I'm just trying to assess this a little bit here.
TRUSTEE MERCIER: Within a year or two either side.
CHAIR: Would you, those folks that are affected by this and would be looking at an Equifax deal? Does this sound reasonable to you? I mean, is this something that would help you, you think?
JACQUI BRAID: I think it would, it would go a long way to assuring us that you guys are taking it seriously, and that you're going to put in steps to not make this happen again. And, yeah, something, it would be a gesture. I mean, what's happened has happened, and it would be a gesture of good faith.
TRUSTEE CHORNEYKO: So I just have something I'd like to say, and that is, up until now this organization has not actively managed people's personal information. This is problematic and results in privacy breaches such as this. Two months ago, October 1st, this Board approved the creation of a privacy management program. I still don't— yeah, I'll skip that— what this means is that we've committed to actively managing people's personal information. And actively managing means that we only collect personal information for a purpose, and with appropriate consent; we have policies and procedures around this, which we have to write; and personal information is stored, retained, and disposed of appropriately. And again, we have, we have to write policy and procedure around this. This is all required by BC law and provincial orders. This is what it means to actively manage people's personal information, and this organization is nowhere near—
TRUSTEE MOHER: [speaking with corporate officer]
JACQUI BRAID: I’m sorry, Diana, he's speaking.
TRUSTEE MOHER: Umm, he's reading to you.
TRUSTEE CHORNEYKO: This needs to be—
JACQUI BRAID: A trustee is speaking, so…
TRUSTEE CHORNEYKO: The other thing I would like to bring up too, is we as an organization need to take responsibility for this breach. I would like to see the fire chief write something up for the Sounder explaining to the community how this will never happen again, because this organization will be actively managing people's personal information going forward. I would like to see that happen.
CHAIR: I know you would, but what's going to happen is it's going to be me doing that. All right?
TRUSTEE CHORNEYKO: Yep.
TRUSTEE MERCIER: Because there's a motion—I think Trustee Chorneyko was making, had made a motion, and I want to make sure that I've got it all right ‘cause [unclear] second it, and then [unclear]. So my understanding of your motion is
THAT the Board approve the sum of $2,000 for purchase of for purchase of Identity Protection Program coverage for persons affected by the privacy breach.
TRUSTEE CHORNEYKO: Ah, can we change that to appropriate identity monitoring product?
TRUSTEE MERCIER: Purchase of an appropriate identity monitoring product.
TRUSTEE CHORNEYKO: Yes
CHAIR: Equifax is one, there are three of them.
DIMITRI TZOTZOS: TransUnion is the other big one in Canada .
CHAIR: You would know that, what is it again?
DIMITRI TZOTZOS: TransUnion.
CHAIR: TransUnion?
DIMITRI TZOTZOS: Equifax is the most common one.
CHAIR: Thank you.
TRUSTEE MERCIER: Okay, I'm gonna second that motion. So it's on the floor…
CHAIR: Discussions? Raise your hand in the affirmative. Carried.
FURTHER DISCUSSIONS
(VIDEO 5:34:00)
TRUSTEE MERCIER: I had a motion prepared saying that I wanted privacy brief updates to be written submissions. But as we struck the select committee, that's not necessary.
CHAIR: We'll get on, look, what we'll do it as best we can. I gotta tell you that—I gotta tell you that I have tried through David to, to get the person who took the tower to tell us, to give us a declaration that I can give to FOI, that they did not share that computer with anyone, and it was not accessed by anybody but the person that took it. And you know, you gotta trust Wayne, I mean, you gotta trust Wayne, but I don't know who this person is, so asking me to trust them in a situation like this is kind of ridiculous.
TRUSTEE CHORNEYKO: Just because we've lost care, custody, and control of these SIN numbers we can't trust people. We need to provide an appropriate product to people in order to assure the public that they're okay. Ex-members. This is support of ex-members is what this is.
CHAIR: I totally agree. [to audience member] Go ahead.
DIMITRI TZOTZOS: So you said earlier that the computer is now locked up in a room—
CHAIR: Yes.
DIMITRI TZOTZOS: So essentially the same people that gave it away have custody of it again. Are you guys—
[multiple voices, unclear]
CHAIR: Nobody gave away. Nobody gave it away.
DIMITRI TZOTZOS: Someone gave it away.
CHAIR: Well, no—
UNKNOWN: Somebody took it.
DIMITRI TZOTZOS: Is there a policy developed so that devices like this, so that they are dealt with at the end of their life, before they are discarded?
CHAIR: But you have personal knowledge that somebody took that, or what day it was.
DIMITRI TZOTZOS: I don't know what day it was—
CHAIR: But you do have, you do have knowledge of this?
DIMITRI TZOTZOS: I know the person that had it.
CHAIR: all right
[background voices]
DIMITRI TZOTZOS: And he told me what happened. I trust him.
CHAIR: Okay.
TRUSTEE MERCIER: Respectfully Trustee Moher, there is wide knowledge in the community.
TRUSTEE MOHER: Yes, no I’m not surprised, yeah.
CHAIR: Yeah, I mean, that’s the thing. I hear it’s an ex-firefighter. That's what I heard. I mean, you gotta trust an ex-firefighter, right?
FRANK MOHER: No.
CHAIR: You gotta, right? So this is the good thing, that it wasn't just Joe Blow, but anyway—Frank?
FRANK MOHER: Have we entered the public question period?
TRUSTEE MERCIER: We have not.
CHAIR: Have we what?
FRANK MOHER: Have we entered the public question period?
CORPORATE OFFICER: No, we have not.
FRANK MOHER: When we do I have a question.
CORPORATE OFFICER: Ok, what’s the motion on the floor?
TRUSTEE MERCIER: There's no motion on the floor right now.
CORPORATE OFFICER: Okay.
Bylaw 97
(VIDEO 5:37:00)
TRUSTEE MOHER: I move that we adjourn because it is now—
CHAIR: Can we just get Frank—
TRUSTEE MOHER: Then we can move into question period.
CHAIR: Okay, we're trying— [unclear, multiple voices]
TRUSTEE MERCIER: You need to vote to adjourn, and Bylaw 97 remains on the agenda.
TRUSTEE MOHER: Bylaw 97 was dealt with earlier.
TRUSTEE MERCIER: It most certainly was not.
TRUSTEE MOHER: Yes it was.
CHAIR: I motion to adjourn.
TRUSTEE MOHER: I did, I put a motion …
AUDIENCE MEMBER: Usually your question period happens before adjournment?
TRUSTEE MERCIER: Adjournment ends the meeting. So you're correct.
TRUSTEE MOHER: Sorry.
CHAIR: I was misinformed.
TRUSTEE MOHER: Sorry, I thought we talked after.
CHAIR: Okay, well, I'm good with, I said we were—
[unclear, multiple voices]
TRUSTEE MERCIER: Are we going to address Bylaw 97? It's on the agenda. No change has been made to the agenda.
TRUSTEE MOHER: And I move that we postpone talking about 97 because it's already been discussed under policy standing [unclear] committee.
CHAIR: What I would like is for us to blow through this whole thing. There's questions, a question on the floor right now, and there may be other questions from other people, and I'm sure that Derek [ED: from Sounder News] wants to hear feedback from the folks in this room.
TRUSTEE MERCIER: Okay, but Bylaw 97 remains on the agenda.
TRUSTEE MOHER: I move that we postpone discussion about Bylaw 97 as we had already indicated it would be discussed at the Select Committee Policy review.
CHAIR: I will second that.
TRUSTEE BUSSLER: Just for discussion … I don't know why, why it's here. So will it be struck then off of the next agenda as a new business, or an old business item?
TRUSTEE MERCIER: I have a motion relating to the presence of Bylaw 97 on the agenda, and that work has already been done on Bylaw 97 and circulated to the Board. So I don't think it's appropriate that we just pretend that didn't happen, and the work that has already been done and circulated to the Board, we pretend that it was addressed earlier, when it totally was not.
CHAIR: Okay .. Well, we were on question, question and answer ...
CORPORATE OFFICER: No, we’re not. I have a Point of Order, I’m already at thirteen hours—
TRUSTEE MERCIER: Respectfully, you are not in a position to make a Point of Order.
CORPORATE OFFICER. Okay. Okay. [multiple voices] —thirteen hours, so— [continues to speak]
CHAIR: I’m the chair; you're not the chair anymore, so.
[multiple voices, unclear]
CORPORATE OFFICER: I’m at thirteen hours of work right now, maximum is twelve.
TRUSTEE MERCIER: So I—
CORPORATE OFFICER: So are we going to speed this up? And I have to lock the doors because the Chief was called away [unclear] emergency.
CHAIR: Can you just please put it off till—
TRUSTEE MERCIER: No! No, I cannot. I will not.
TRUSTEE MOHER: Through the Chair, I don't believe that, what's being heard here is that the responsibility of the hall is now coming down on the corporate officer, and out of respect, if we want to finish off so she can leave and lock up after us, I would respectfully request that my motion that I put out, and seconded, there is now a motion on the floor to have that set aside for now, that it be voted on. And that we can move on to question period, so we can have people go home, because we're coming up to now 10 o'clock, and I realize that that's offensive, because it means that I don't want to put time in, but I—
TRUSTEE MERCIER: So I wish to speak on the motion to adjourn.
CHAIR: [unclear] …Hands up!
TRUSTEE MERCIER: No, there’s no—we can't vote. I want to speak to it. It's open for debate.
CHAIR: What's that?
TRUSTEE MERCIER: I want to speak to the motion on the floor.
CHAIR: You want to speak to the motion on the floor.
CORPORATE OFFICER: [to Chair] He gets his five minutes.
TRUSTEE MERCIER: So I believe it to be inappropriate to put the issue of Bylaw 97 off, since a draft of Bylaw 97 has been compiled and circulated to the trustees, and it appears on the agenda. So, work has already been done, consideration has already happened, and that draft was circulated to the trustees without … like, any background or whatever. So I think, setting aside consideration of that because people are tired and the board is inefficient …
[multiple voices objecting]
CHAIR: Oh just stop that—
TRUSTEE MERCIER: I’m not saying that I’m any more efficient than anybody else. We've been here for many hours. We're clearly not efficient. I don’t think that’s [unclear].
[multiple voices]
CHAIR: Jeez, man. So how many motions have you made tonight that weren’t even on the list—
TRUSTEE MERCIER: This is the motion you didn't want to put on the list because the corporate officer was too busy. But now, Bylaw 27 (ED: error, he meant 97) is on the agenda, and so this motion is germane to something that's on the agenda. We can’t just pretend it's not there. We approved the agenda.
TRUSTEE MOHER: We’re not pretending—
CHAIR: Excuse me for one second here. As the Chair, I don't understand why the hell we're doing this right now. We haven’t finished with these, these lovely people yet. [referring to audience] They have questions. You can see how it's laid out, we’re not going up on 97 until we finish with this, all right?
TRUSTEE MERCIER: We need to vote.
CORPORATE OFFICER: [unclear]
CHAIR: [to audience] So we'll get to you. Unfortunately—
TRUSTEE MERCIER: No, you can't just, like—
CHAIR: [unclear] I’m butting in, buddy. That’s what you did, so… Frank? [addressing audience member; the Chair seems to have decided to move to Question period]
TRUSTEE MERCIER: We’re not going to address this business? Point of Order.
CHAIR: This, is, this is—
TRUSTEE MERCIER: This is on the agenda.
CHAIR: So is—
TRUSTEE MERCIER: There’s a motion on the floor.
CORPORATE OFFICER: There's a motion on the floor, so [unclear].
TRUSTEE MOHER: —to table it. There's a motion on the floor to basically table that motion.
CHAIR: Okay.
TRUSTEE MERCIER: What is the motion on the floor? Please provide me with the wording of the motion on the floor.
TRUSTEE MOHER: Okay. To make it easier, I would like to put a motion forward to table Bylaw 97 to the January meeting.
TRUSTEE MERCIER: So all consideration of Bylaw 97?
TRUSTEE MOHER: At this point, at this time? Yes.
TRUSTEE MERCIER: So, I'm going to object to the consideration—
TRUSTEE MOHER: We have a motion on the floor, is there a seconder?
TRUSTEE MERCIER: No, my motion to object to the consideration of your motion preempts your motion. I think that—
TRUSTEE MOHER: [to audience] I would suggest you guys all head home, because I don't think we’re going to get out of here [unclear].
TRUSTEE MERCIER: It's astonishing to me how hard everyone is working to avoid this simple piece of business. You don't even know what motion I want to put forward. You don't know what I want to say about Bylaw 97. You're just, what, tired? and don't want to go through with the democratic process?
TRUSTEE MOHER: In consideration of the people still—
TRUSTEE MERCIER: The people can leave if they want to leave. [Trustee Moher attempts to interrupt] We have business in front of us, that was put on the agenda. There's a motion on the floor.
CHAIR: [rebuking] Bup bup bup. [unclear] my friend, [unclear]
TRUSTEE MERCIER: So are we going to vote on the motion?
CHAIR: Do what you're going to do, but just lower your voice.
TRUSTEE MERCIER: You're the chair, dude, preside.
CHAIR: Please lower your voice. Not going to say it again.
TRUSTEE MERCIER: [lowering voice] You’re the Chair, dude. Preside.
CHAIR: I certainly am.
[Side conversation between Trustee Moher and Corporate Officer about process, unclear]
CHAIR: So, so the motion on the floor is to table that, and—
TRUSTEE MERCIER: The motion on the floor is
to not consider a motion to table consideration of Bylaw 97, because it's injurious to the democratic process of the board.
CORPORATE OFFICER: Okay, vote.
CHAIR: Okay, show of hands in favor.
CHAIR: Okay, I don't think it made the motion, the—
TRUSTEE MERCIER: Okay, so now we consider the motion to table.
CORPORATE OFFICER: Okay.
CHAIR: Consider the motion, the motion to table that to a more appropriate time—
[?]: January meeting.
TRUSTEE MOHER: January meeting.
CHAIR: January meeting, please. Thank you. Second? [looks to Trustee Moher]
TRUSTEE MOHER: It’s my motion—
CHAIR: Oh, it’s your motion. I’ll second it. Discussion? Hands in the air. Passes.
TRUSTEE MERCIER: Okay, my motion doesn't actually consider Bylaw 97, so I’m going to make it anyway.
CHAIR: Please make it quick.
TRUSTEE MERCIER: Sure. my motion is
THAT the draft revision of Bylaw 97 distributed to the trustees on Monday November 17, 2025 be published with the minutes of this meeting. And that the corporate officer provide all trustees the full background materials, including board directions, committee minutes, drafts, correspondence and working documents related to the draft revision of Bylaw 97 distributed to the trustees on Monday November 7, 2025, and that this material be distributed by December 12, 2025.
It's a simple motion for background information. It didn't need to be so contentious.
[Unclear but it sounds like it was seconded.]
CHAIR: What’s your timeframe on that?
TRUSTEE MERCIER: December 12. If there's no background information exists, then it's not appropriate for us to consider a bylaw. How did the draft come to be?
TRUSTEE MOHER: Matt did it. [ED: referring to previous Corporate Officer]
TRUSTEE MERCIER: Then there should … Okay? Well, it's not mentioned. So the new version of Bylaw 97, which, like— there's no mention of it in any public minutes; there's no mention of it in any in-camera minutes; there's no mention of it in the correspondence of the previous chair, dating back to 2023; there's no evidence in any record that has been provided, or shown, or put in evidence, that Bylaw 97 was ever considered. And all of a sudden we got this full provision that was distributed. So, if it was made by the previous corporate officer, who on the board, by what board act was he instructed to compile, to do that work? Where are the records?
TRUSTEE MOHER: It started, it started—
CHAIR: That's a good question, because that was the corporate officer. We had this discussion before about that. And, I mean, it's a deja vu. We already went through this. The corporate officer took the minutes of the meeting, and I was at that meeting. We assumed that the corporate officer put them in the appropriate place. If we don't have them—you can say, as you have said before, that we should chase, chase that particular person into their office and make sure they filed it in the proper place. But that did not happen.
TRUSTEE MERCIER: I mean, there's no evidence of any work on this revision of Bylaw 97; there's just this revision floating there, there’s no—
CHAIR: I put my hand in the air. I was there. I mean, we discussed it twice. In fact, you were at that, one of those meetings.
TRUSTEE MERCIER: I was not at any meeting where Bylaw 97 was discussed for revision.
CHAIR: Okay.
TRUSTEE MERCIER: Like, I have gone through all the publicly available meeting minutes.
CHAIR: Okay.
TRUSTEE MERCIER: It's not there. Now, it’s also the fact that the board doesn't have any hard copy records of any of its meetings, in camera, any of its in camera meetings, or decisions, or instructions—ever—predating this year. So I really want to know how this revision came to be; like, who decided? The corporate officer doesn't just take it on themselves to revise a bylaw because they’re bored. They need instructions from the trustees.
TRUSTEE MOHER: [unclear]
CHAIR: No, you got that—Sorry, this is where—
[unclear, side conversation]
CHAIR: You know, without bad mouthing anybody, I’m not going to do that, without …
TRUSTEE MOHER: No, we can’t go down this road, sorry [unclear].
CHAIR: You know, the corporate officer, took a number of things onto their plate in terms of creating bylaws and policies and other things, and they were not asked to do that. Okay?
TRUSTEE MERCIER: Sure.
CHAIR: I think that, I won't go, I can't say anything. So this gets so weird, but I cannot talk about that particular aspect of it, other than to say that the corporate officer rightly or wrongly decided that they could offer a bylaw.
TRUSTEE MERCIER: If that's the case, then the board should not consider that revision which was made and taken up inappropriately. And if that's the case, then, why was it circulated to the board for something for us to consider? If it was prepared without authorization, we shouldn't consider it. If there was authorization, there needs to be a record. If there's no record, we must presume it to have been composed without authorization. The board only exists through its records.
CHAIR: [unclear] I think, therefore I am. Okay, what’s your fix on this? Let’s get down to the nitty gritty.
TRUSTEE MERCIER: My point …The resolution is the resolution. If it's the case that the corporate officer can't provide background materials because they don't exist, then a letter from the corporate officer saying such background materials don't exist and this confirms that, that will satisfy this motion.
TRUSTEE CHORNEYKO: Let’s vote on it.
CHAIR: [to Corporate Officer] Are you good with that?
TRUSTEE MERCIER: Like, the corporate officer is the person who's legally responsible for the state of the records report. So this motion asks for a report from that person on the state of the records report. That's all. It's not a big deal, like, this should be trivial information to provide, and if it's not trivial information to provide, we should be ashamed.
CHAIR: Okay, so we're going to lay on this, this corporate officer, and this corporate officer is going to come up with the information that you need.
TRUSTEE MERCIER: That's the motion.
CHAIR: By the …why is it December 12th?
TRUSTEE MERCIER: Because that's like nine days from now. This should be easy.
CHAIR: You don't know what people are doing. They got Christmas parties [unclear].
TRUSTEE MERCIER: Well, if it’s not easy, then we shouldn’t consider hiring a part-time corporate officer, we should hire a full-time corporate officer so they have more time to do the corporate support.
CHAIR: There you have it, there you have it. I understand where you’re going with that.
TRUSTEE MOHER: Could we just move on.
[multiple voices]
CHAIR: Okay, let's just say, just say for shits and giggles, that it is the 12th of December.
TRUSTEE MERCIER: That's what the motion says. The motion is
THAT the draft revision of Bylaw 97 distributed to the trustees on Monday November 17, 2025 be published with the minutes of this meeting, and that the corporate officer provide all trustees the full background materials, including board directions, committee minutes, drafts, correspondence and working documents related to the draft revision of Bylaw 97 distributed to the trustees on Monday, November 17, 2025 and that this material be distributed by December 12, 2025.
CHAIR: To the extent that the corporate officer is able to find any of that.
TRUSTEE MERCIER: … if the corporate—then that [unclear, multiple voices interrupt]
TRUSTEE MOHER: Let’s vote on it. I’m trying to find it [unclear]
CHAIR: Have we got a second on this?
TRUSTEE MERCIER: Yes, Trustee Bussler seconded.
CHAIR: All right then. Any more discussion on that? Hands in the air, in the affirmative. All right then. Anything more?
TRUSTEE MERCIER: No. I mean, we have New Business on the Agenda.
[multiple voices]
NEW BUSINESS
Records and Information Management Bylaw
(VIDEO 5:51:30)
TRUSTEE MERCIER:The next item on the agenda is the Records and Information Management Bylaw. I mean, okay. So I move that we adjourn this meeting till next Wednesday, at which point we reconvene with the consideration of new business and in camera matters.
CHAIR: Is that going to be a public meeting or in camera?
TRUSTEE MERCIER: It will be public until the end of the meeting, when we move in camera, just like normal. Presumably there's in camera stuff that we should discuss today that we haven't got to so we would just move all that stuff to—
TRUSTEE MOHER: There’s no in-camera.
CORPORATE OFFICER: [unclear] in camera.
TRUSTEE MERCIER: Well as there’s, the in camera agenda is not circulated in advance to the trustees, there's no way for anybody to know what might or might not be considered.
TRUSTEE MOHER: It would be on the bottom of the paper.
TRUSTEE MERCIER: It never has been before, except for the time [interrupted, unclear]
[multiple voices]
TRUSTEE MERCIER: It never has been before, except for the time that you attempted to censure me for including it.
TRUSTEE MOHER, CORPORATE OFFICER: [multiple voices, possibly side conversation]
CHAIR: No fighting, kids.
TRUSTEE MERCIER: So I'm correct that there is, it’s correct that there is no in camera stuff for us ...
CORPORATE OFFICER: Not that I can tell.
TRUSTEE CHORNEYKO: Let's, let's do this new business stuff, if we can get through it in a minute [unclear].
[multiple voices]
TRUSTEE CHORNEYKO: So, I recommend a motion
THAT the Corporate Officer develop a Records and Information Management Bylaw, similar to the one in Appendix A of the Records and Information Management Manual for Local Government Organizations, which was published by the Local Government Management Association of BC.
CHAIR: Which is the book that you bought.
TRUSTEE CHORNEYKO: Yes, which is the book that we bought, we all bought.
CORPORATE OFFICER: Yes, [unclear]
TRUSTEE MERCIER: We all bought. Everybody. Thank you.
CHAIR: But I didn't, I didn't choose that book. That was David. I think it was a good purchase on David’s part.
[side conversation]
TRUSTEE CHORNEYKO: I'll speak to it. I won't take long. Basically, this organization doesn't have a records management system. Records are managed in an ad hoc way. And because of this, things get lost. I think it's a pretty big mess, and it's not that hard to do it right. So the Records and Information Management Manual for Local Government spells out how to implement a records and information management system, and this starts with direction from trustees to staff through a bylaw like I'm proposing. So I'm saying that we do this.
CHAIR: Do you want a committee on this, or do you want to just vote on it?
TRUSTEE CHORNEYKO: No, I think the corporate officer should develop this bylaw; it's basically cut and paste out of the manual.
CORPORATE OFFICER: Okay. It'll probably be like February, March.
TRUSTEE CHORNEYKO: Yeah, I'm good with that.
CHAIR: Are you good with that?
TRUSTEE BUSSLER: Does it have a time frame on it?
TRUSTEE CHORNEYKO: Doesn’t have a time frame on it but—
CHAIR: You have a second on that, then?
TRUSTEE CHORNEYKO: Yeah. [gestures at Trustee Bussler]
CHAIR: All right—
TRUSTEE CHORNEYKO: Let's have a time frame of March.
CHAIR: Anybody got anything to say? Hands in the air, in the affirmative? Done. [unanimous]
[side conversation]
TRUSTEE CHORNEYKO: Apparently.
CHAIR: Please tell me there’s not more.
TRUSTEE CHORNEYKO: No, that’s it.
CHAIR: We done?
TRUSTEE CHORNEYKO: I think we’re done.
TRUSTEE MOHER: Except for … (she gestures towards the public)
QUESTION PERIOD
CHAIR: Can we move on to … I don't know how the, on to, I apologize, the 97 didn't come in that order. So question … Oh, where’s Frank…
TRUSTEE MOHER: He’s in the back.
CHAIR: Don't fall asleep on us now, man.
QUESTION 1
(VIDEO 5:54:45)
FRANK MOHER: Are we in the question period?
CHAIR: We’re question period.
F. MOHER: Trustee Mercier, what is the name of the person who returned the computer?
TRUSTEE MERCIER: I'm not going to tell you.
CHAIR: Could we do this? I mean, you have—
F. MOHER: My question is to Trustee Mercier, what is the name of the person who returned the computer?
TRUSTEE MERCIER: That was disclosed to me in my capacity as chair of the board and head of the public body, and I will retain the confidentiality of that information. I disclosed it to the police.
F. MOHER: Why are you concealing it?
TRUSTEE MERCIER: I'm not concealing it. I'm not divulging it. Those aren't the same things,
F. MOHER: Sure. Trustee Chorneyko, I understand you also know the individual, the name of the individual?
TRUSTEE CHORNEYKO: I may or may not.
F. MOHER: What is the name of the person who returned the computer?
TRUSTEE CHORNEYKO: Same answer as Wayne.
F. MOHER: You are concealing that.
TRUSTEE MERCIER: That's false, sir.
F. MOHER: So I would regard taking property from the fire hall without authority, which is as good as your story—
[multiple voices]
TRUSTEE MERCIER: You are now making an unsupported assertion about—
F. MOHER: Which is as good as your story.
TRUSTEE MERCIER: That's not true. You are—I caution you, sir—
F. MOHER: Sir, will you confirm—
TRUSTEE MERCIER: —that your speech is moving, moves into territory, which I am likely to consider defamatory. I'm just saying that. I take this seriously. I'm not going to screw around. You ask the questions you want to ask, that's okay. But I'm not playing here.
F. MOHER: May I continue?
CHAIR: Are you done?
TRUSTEE MERCIER: For now.
CHAIR: Go ahead, Frank.
F. MOHER: So you confirm that you will not reveal the name.
CHAIR: Who are you talking to?
F. MOHER: Trustee Chorneyko.
TRUSTEE CHORNEYKO: I'm not answering that.
F. MOHER: Okay, you confirm that you will not provide the name.
CHAIR[?]: That's correct.
F. MOHER: Okay. Well, I hope the editor of the Sounder is still here, will look into this. Sounds like a good story, good grounds for journalistic investigation, including the manner in which the receipt of it was handled. And I suggest the GFPID Chronicles could look into it too, but only if they reveal who they are.
TRUSTEE MERCIER: As your journalistic integrity is very well known, sir.
F. MOHER: Thank you. I note the way the public is treated.
QUESTION 2
(VIDEO 5:57:10)
JACQUI BRAID: I just want to, I've sat here for almost six hours now, and I've noticed over 20 times conversations between the corporate officer and Trustee Moher, and while other trustees are speaking, making motions. And I just think that it's a [lack of] decorum. You have an obligation to listen when other trustees are speaking and not—there was over 20 times, and it'll be on the recording. And so if you could please give your fellow trustees the, the, you know, just be respectful. You know, it's really disrespectful, these side conversations, and you're obviously not listening to what they're saying. So I would just like to point that out.
TRUSTEE MOHER: Thank you for your opinion on that. There are times that she's asking me questions that's pertinent to what's going on. So I will try on next meetings to not answer anything that she might be asking. Thank you for that.
BRAID: Well, and perhaps—
TRUSTEE MOHER: I appreciate your comment.
BRAID: —the corporate officer could not interrupt when the trustees are debating. It's just a decorum—
CHAIR: Well, can I just say this, sometimes the corporate officer’s gotta whisper in my ear. You might have noticed that, because I have made a faux pas, or there's another thing that I need to know as chair. So—
BRAID: That's fine. I'm talking about whole conversations that were going on when a trustee, another trustee was making a motion or saying something, and it's disrespectful to the fellow trustees. A little side comment I have no problem with, but whole conversations and over 20 times, I just [unclear].
TRUSTEE MOHER: I’ll be better [unclear]
CHAIR: What’s that?
TRUSTEE MOHER: Nothing.
QUESTION 3
(VIDEO 5:59:15)
NOLA JOHNSTON: I'll try and make this quick. I have comments about the communications or correspondence policy. When I looked at it closely today—[to another audience member] you're still here. I agree with what he said about summaries. I would not be happy to see my letter summarized, I think there's too much room for things shifting meaning just slightly, and misrepresenting or leaving things out. So I do have objections to that as well.
I also think that you need to look at the policy closely, because when I read it, there were things that I found quite ambiguous. So for example, correspondence won't be published unless specifically addressed for discussion at the meeting. Does this mean that the writer must ask for it to be put on the agenda? Or must it be a topic already on the agenda? This isn't clear. It can be interpreted in different ways. And then “the chair directs that the correspondence be included in full” is the other way in which material gets published in full. What are the criteria? Who makes those decisions? I think that needs to be included in there as well.
And while I was looking at this, because I was thinking about the mechanisms by which communications happen, another related, not directly related, question is: where is your whistleblower policy? Do you have one?
[?]: Nope.
JOHNSTON: You should.
CHAIR: Are you...?
JOHNSTON: Yep.
CHAIR: Thank you very much for that. If I could ask the audience to, and I appreciate what you said, if I could ask the audience to just—we're talking about the data breach.
CORPORATE OFFICER: [unclear]
CHAIR: Hm?
CORPORATE OFFICER: We’re talking about anything now.
[?]: It's just—question period.
CORPORATE OFFICER: Question period.
[multiple voices]: Question period.
CHAIR: Well, I know, but question period involving the data breach. If, I would like that to be the case. …No?
CORPORATE OFFICER: No.
QUESTION 4
(VIDEO 6:01:30)
PENELOPE BAHR: My big concern is how anybody had access to that computer in the first place, and that's the thing that bothers me the most, is that the computer was left unguarded or unsupervised or whatever, and that it wasn't wiped. Why were you keeping all that data in a place that was not secure? That's just, I think you should look into that. How did that happen?
CHAIR: We are trying, we are trying to do that.
BAHR: Well, that’s it, I don’t want an inference that it was was theft, unless you have proof. I don't want it—any kind of supposition made, whether it was theft, or whether it was given away, or anything. No suppositions. Try to find out why and how, and don't let it happen again, please.
CHAIR: Let me, let me be kind of clear with this. I have tried my best so far…
BAHR: I’m not accusing you, I’m saying that—
CHAIR: I know that, but, and that would be the case that anybody here that was tasked with finding out this information. How did it leave? Why did it leave? Who had access to it? You know, all these questions. Until, honestly, until we have witnesses that are willing to stand up to the testimony they're going to give. We can't go on supposition. We can't go on rumour, like you, like you're saying, there's all kinds of stories involved in here, that, it'll curdle your milk. I mean, it's just, but we don't have fact.
TRUSTEE CHORNEYKO: The RCMP has done an investigation.
CHAIR: Who's done an investigation?
TRUSTEE CHORNEYKO: The RCMP.
CHAIR: The RCMP have done an investigation to the point—here's the thing with the RCMP. This is theft, as far as they’re concerned, this is theft under a thousand.
AUDIENCE MEMBER: What?
[multiple voices]
CHAIR: Yeah.
TRUSTEE MERCIER: Do we have some written, something saying there is theft?
CHAIR: I talked to Jacob, I talked to Cameron, and then I talked to Jacob. So let me just finish here. This is my, this is my story. I talked to, to Jacob, he has a long name, I can’t pronounce it.
PENELOPE BAHR: Why would he presume it was theft?
CHAIR: What’s that?
PENELOPE BAHR: Why would he presume it was theft?
CHAIR: Because for the purposes of an insurance policy, we have to, we have to say that it was removed without our permission.
TRUSTEE CHORNEYKO: Is this an insurance claim?
CHAIR: It may be, if we have to pay… Honestly, here's where it goes. Like you may say, you may say that there's no insurance claim here because of return, you know, wipe your hands of it and it's gone. But this is not the case, because if we were in a situation because of this, that we had to pay out $15,000 to to a forensic computer auditor, then we would, I think we’d have to get with the insurance company and tell them what's up—
AUDIENCE MEMBER: What, make a story up?
DIMITRI TZOTZOS: So you're saying, if you have to make an insurance claim, you're going to call the person who had the computer a thief, simply to be able to make the insurance claim?
CHAIR: No, there may be a determination—
TRUSTEE CHORNEYKO: We won’t do that.
[multiple voices]
TRUSTEE CHORNEYKO: Clearly we won’t do that. The Chair might, but we won’t.
[multiple voices]
TRUSTEE MERCIER: Have we notified—if this is something we're looking at, have we notified the insurance company?
CHAIR: No. I should do that. The reason that we scheduled it for today, well it hasn't happened anyway, is so I can get some, make people understand what we're up against, what the path forward is. And I will, and I don't want to, but I will let the insurance company know tomorrow what has happened.
TRUSTEE CHORNEYKO: Are you going to claim it’s a theft?
AUDIENCE MEMBER: Why are we—
CHAIR: I'm not claiming—
TRUSTEE CHORNEYKO: I’m absolutely against that.
[multiple voices]
CHAIR: Well you don’t have to make that choice, do ya?
PENELOPE BAHR: Why is an insurance company getting involved? I don't understand—
[multiple voices]
CHAIR: Just to be clear, if you take something from here without permission, it's theft.
PENELOPE BAHR: You're making a supposition!
G. BUSSLER: How do you know it was taken without permission? And you say this—
CHAIR: Because [unclear]
G.BUSSLER: I'm still asking a question. The question is, when was this computer removed from the fire hall?
TRUSTEE CHORNEYKO: Three years ago.
[multiple voices]
GLENYS BUSSLER: Three years ago? At about the time, at about the time I was a firefighter, there was a big cleanup of the file room, and there was a huge free table sitting on the, in the kitchen out there that had, God knows what, keyboards, cords, old books, probably this. I don't know. I'm not going to say it was—
CHAIR: Were you there?
G. BUSSLER: —but the question I have for you is, if this happened three years ago, why are you only discovering it gone now? Why is this suddenly a theft?
CHAIR: I'll tell you why.
G.BUSSLER: It’s ridiculous.
CHAIR: Because, until quite recently, none of us have ever been in that file room. There’s no reason for us to go in the file room.
TRUSTEE MERCIER: That's false.
[unclear, multiple loud voices]
TRUSTEE MOHER: I think it’s time to, there’s no questions now, it’s just moving into—
BUSSLER: I think it was a question, how come you didn’t know for the last three years, I believe that was a question.
CHAIR: Just so you know, here's how this worked out. When I took—I had actually talked to the FOI people before I became chair, okay?
TRUSTEE MERCIER: [unclear] I resigned.
CHAIR: Because I was a point person for that.
TRUSTEE MERCIER: That's not correct.
CHAIR: Well, whatever, I've been talking to her. So I got ahold—
TRUSTEE MERCIER: You were assigned as point person for two matters from which I recused myself.
CHAIR: Well, there you go. There you go. That's what's happened there. So anyway, I talked to, I talked to FOI about the situation, and I talked to two different computer forensic experts that were offering their services to check the computer, okay? And both of them told me my first movement was to call the RCMP. Game over. That has to be you cannot, because it may be a theft, it may not be a theft, okay? And I don't understand why, why me calling the RCMP is an issue. You're either a criminal or you're not, right?
BAHR: We didn’t talk about the RCMP.
CHAIR: It doesn't go on your record. It will go on your record. You know. The cops didn't bring a charge. Go ahead.
TRUSTEE MERCIER: Just a quick note, Ms. Bahr, about your concerns, about why we would potentially contact the insurance. Just, you just, you just made a comment about the insurance. So it's our obligation when we become aware of a potential action, to notify the insurance company as soon as possible. That doesn't mean that an action will take place. It just means we give them a heads up. “Hey, something's going on. We're letting you know, no action required at this time.” So for instance, if trustee Chorneyko wanted to sue me for stealing his Danish that he brought to the meeting, and we received, like I we would have to let them know right away, before hiring lawyers or taking any action or doing anything. So the only reason for informing the insurance company is proactive fulfillment of our obligations.
BAHR: So letting them know that something's gone, but not how or why.
TRUSTEE MERCIER: Yeah, notifying them of a potential action, that we could require their services, but we don't know anything yet. That would be the reason to contact [unclear].
CHAIR: The insurance company issue would be that if we had [unclear], if we had to hire an expensive service to to monitor what's gone on, now, we might be in a position where the insurance company would cover us for those expenses, and the insurance company would require that we at least have an RCMP file number on that.
TRUSTEE CHORNEYKO: I’d just like to clarify something too. When I was a firefighter, I had full access to that file room.
CHAIR: Why did that happen?
DIMITRI TZOTZOS: Me too. I had access to the entire hall.
AUDIENCE MEMBER: Yeah.
CHAIR: Okay.
G. BUSSLER: [unclear] duty officer [unclear].
CHAIR: I didn’t know that. I wasn’t here.
TRUSTEE CHORNEYKO: Maybe it’s changed.
TRUSTEE MERCIER: I was denied access to that same file room—
CHAIR: Me too.
[multiple voices]
TRUSTEE MERCIER: [unclear] and it took a resolution of the board for us to access that file room. And when we accessed that file room, we observed that there are no records of the board activities, there are no hard copies of in camera minutes. There are no copies of contracts. There are no copies of rights of way that were accessible to the board, and myself and several other trustees stood there in that very small room, in wonder and amazement, that for 40 years of an organization, there is so little physical record of the activities of the board. And I've raised this at a couple of meetings but I don't know it I’ve done so with such clarity.
So the condition and state of the records of this organization and how they are held and kept is, makes it very difficult to assess—like to say that there's no reason to access the room in which, presumably the in camera meetings of, minutes of the board are kept. I mean, like, I want to be clear to the public that I do not, as a trustee, have access to in camera minutes of the board prior to the beginning of 2025, because they don't seem to physically exist. Like this is the state of the organization. That's like, simply a fact. And there are four other people sitting at this table who observed the same thing that I observed, and I believe would be willing to corroborate my statements as accurate. So to say that there's no reason for us to access that room is, quite frankly, sir, nonsensical.
CHAIR: Well, there you go again, but anyway. I’ll let that go. I don’t think that— [someone notes that an audience member wants to speak] Go ahead.
SOUNDER NEWS: Two questions. First one, I think is a yes, no, or I don't know. Does the district have insurance? I'm going to set the theft aside. Does the insurance, does the insurance cover either negligence or any other way to look at having a payout on this if people's privacy is breached and used?
CHAIR: I cannot tell you whether that's true. I cannot. [unclear] with the insurance company, Wayne [unclear, multiple voices] for 14 days.
SOUNDER: That that was, that was the “I don't know”. Okay, thanks. The other is, who then would bear the cost of dealing with the breach, if those people's information has to be fixed, if everybody has to get assigned new SIN numbers, if—
CHAIR: If the insurance company doesn't, you know, choose to pay on it, they say, “No way, buddy”, if that's the case, is that what you're asking?
SOUNDER: Yeah.
CHAIR: The estimates that we have so far have, well, the major guy who is, you know, the king of all these things, Mosaic quoted, it's between $12,000 and $15,000 for this little computer in this situation.
SOUNDER: Sorry, I just want to make sure… I didn't ask how much to check if there's a breach. I asked how m—, I asked, “Who pays for people's data to get fixed?” If every person has to get a new SIN number, a new credit card and all their other personal information fixed because of this breach, who pays that bill?
TRUSTEE MERCIER: May I…? [chair acknowledges] So the situation that you're describing is a very extreme potential consequence, and I don't think anyone here has a good answer for the extreme situation that you're proposing. A standard response to a privacy breach, in a general way, where people's protected personal information that could be used for identity theft is used, would be to take the sort of action contemplated by Ttrustee Chorneyko, that we've agreed to with his motion, that identity management, whatever company be engaged, and the cost of that would be borne by the taxpayer. I mean, what we've authorized in that motion is $2,000 in taxpayer money.
TRUSTEE CHORNEYKO: Best guess is $1,000 right now.
TRUSTEE MERCIER: So if that ends up being umpty-billion dollars, I mean, presumably that's also—umpty-billion is not a real number, don't take this— But if that was the case, I mean, we would at that point, be burning up phones to our insurance people, and on our knees, and there would be flagellation in the streets and stuff. But I just want to be clear that the situation that you, the scenario that you proposed, where everybody needs to get all new everything, is like a super extreme.
TRUSTEE CHORNEYKO: It's highly unlikely.
TRUSTEE CHORNEYKO: Yeah, that's like, “Well, what do we do if the room gets flooded and we're all being eaten by piranhas?” level of potential [unclear].
[multiple voices]
CHAIR: May I say something here? When I say $12,000 to $15,000, it freaked me out when I heard that. We have another, we had another outfit, DFI I think, and they’ve given us an hourly, but no limit on it, and they were less money by the hour. But, you know, open, open ended policy. Yeah, so we're not in completion of that. And I don't know. I honestly, and I'm not saying we're not doing it. I'm just saying that in the case of the Royal Bank, Doane Thornton, who had a major breach, the government of British Columbia, London Drugs... Who else?
TRUSTEE MOHER: Blue Cross.
CHAIR: Blue Cross. Blue Cross.
TRUSTEE MOHER: I was affected by that one.
CHAIR: They didn't pay for you to get new SIN numbers or anything like that.
TRUSTEE MERCIER: Just to add to what you're saying about [unclear], when you initially raised that issue, the board authorized $5,000 for that, but so far, nothing has been done with that money, and nothing has been undertaken—
CHAIR: No, because—
TRUSTEE MERCIER: —but that $5,000 was $5,000 of tax money.
CHAIR: You know, Mosaic wants $5,000 up front. So I’m coming back to the board with with a new, new proposal that we, we authorize $12,000 to $15,000. I was reticent to do that.
TRUSTEE BUSSLER: Just coming back a little bit, this is the first I’ve heard of it, I've written down “RCMP theft”. So are we—like, is that, do we have a statement from the RCMP saying that this was a theft—?
CHAIR: No. Here's the way this works, okay. If they can't, if they do not have enough information to bring a charge, okay, that you have to get through the threshold of that, okay, and unless and until they're comfortable with bringing a charge, in this case, it would have been theft. I could have been theft or somebody gave it away, whatever, whatever the story is, okay? So you are not entitled to—we are not entitled to—anything from the officer’s report other than some basic stuff. What I was told was, “They didn't do it on purpose. You know, it's probably not going to be a big data breach. And, no, I'm not telling you who it is because you can't know without an ATIP.” [ED: Access To Information and Privacy request] Now that's the other option that we have, is to file an ATIP, which is which is an FOI in matters like this, but it takes three or four months, or five months, in order to get that answer. There's a good possibility we would—
TRUSTEE CHORNEYKO: What's the advantage of finding out who this person is?
CHAIR: Well, this is what I'm, this is what I'm saying.
TRUSTEE CHORNEYKO: I'm saying that there's, you know, the path forward doesn't matter if we like this person or not.
CHAIR: I just want enough information that I can give—this is putting aside the SIN numbers and that, which is really quite horrible, and I hope I would be pissed if it was me— but putting aside that, what we have to do is we have to satisfy the law, which is FOIPPA. We have, they have rules about this stuff, okay. We have to satisfy—
TRUSTEE CHORNEYKO: [unclear] so many privacy breaches, they never know who it is.
[multiple voices]
CHAIR: I think we're backing up. Well, no matter what we say, it has to go, It's a matter of law, that FOIPPA steps in here, and they will tell us the level to which we have to spend, basically have to spend money to make this, make this go away.
TRUSTEE MERCIER: So I just want to clarify, because we have the press here, and I see they're typing away back there. So the—my understanding, and please confirm, is that the RCMP have not indicated that theft took place.
CHAIR: No.
TRUSTEE MERCIER: But that if there was information that a theft had taken place, the level of charge that would be satisfied is theft under $1,000.
CHAIR: Yep.
TRUSTEE MERCIER: But there's no reason for us to assert or believe that a theft has taken place.
CHAIR: Exactly.
TRUSTEE MERCIER: Okay. [to Sounder:] You got that?
[multiple voices]
CHAIR: But if you take something from somebody’s property, it is theft until—
[unclear, multiple voices].
TRUSTEE CHORNEYKO: Like we don't—they’re—FOIPPA, they may say we have to provide some identity, identity protection, but that's—we can go above and beyond what FOIPPA wants.
TRUSTEE MERCIER: Can I interject?
TRUSTEE CHORNEYKO: Yes.
TRUSTEE MERCIER: So there's no requirement that we provide such protection, but in conversation with the investigator, the investigator might say, “I think this means you should,” and there's no, that's not an upper limit on what we provide.
TRUSTEE CHORNEYKO: That's right.
TRUSTEE MERCIER: But it's, there's, there's discussion about whether that's— Now, I understand we passed a motion, and—
TRUSTEE CHORNEYKO: They can specify a lower limit. Which is—
TRUSTEE MERCIER: [unclear] They can say that it's not necessary—
TRUSTEE CHORNEYKO: And even if they say nothing, we can provide people something, just as, to be an honorable and respected organization in the community.
[multiple voices]
TRUSTEE MERCIER: And there's a format. We're just answering a question. So there's a format for notifying affected individuals, and that format is that we notify them of identity theft, risk of identity theft, which is when things like [reading from computer] “social insurance numbers lost, risks of bodily harm, risks of humiliation, risks of damage to reputation, of relationships, risk of loss of employment, risk of financial loss, risk of negative impact on the credit record, damage to or loss of property”. So those are things that we need to, if any of those risks exist, to satisfy the notification requirements, we have to notify people that they may have been affected in those ways.
And the content of the notification has to include “the name of the public body, the date on which the privacy breach came to the attention of the public body, a description of the privacy breach, including, if known, the date on which or the period which the privacy breach occurred.” You can look this up as a public document [unclear].
“Confirmation that the commissioner has been or will be notified of the privacy breach.” We've done that you all know it, it's on record.
“Contact information for a person who can answer on behalf of the public body questions about the privacy breach.” That's Eric over there.
“A description of steps, if any, that the public body has taken or will take to reduce the risk of harm to the affected individual.” That's where we get into identity protection programs and stuff. If we—So, if we do that, part of the notification would be, “Hey, we've done that. Here's how to take advantage of those protections.”
And finally, “a description of steps, if any, that the effective individual could take to reduce the risk of harm that could result from the privacy breach.” So if we're like, “Here's the steps we've taken. We believe those to be sufficient. Here are other things you can do if you are unsatisfied with that.” And then anyone has, at any time, the opportunity to complain to the […] Office of the Information and Privacy Commissioner that they are a victim of a privacy breach and are unsatisfied with the response, and then that brings further interactions with that law. But that's how the process of notification and response to the breach works, according to the guidance document, which are incidentally called, in case anyone wants to look them up, “Privacy breaches: tools and resources for public bodies.” Type that in and you can get this documention and, like, a bunch of stuff.
CHAIR: We don't bring action as the board. If people feel that their privacy, if they're notified that their privacy is at risk, then it falls to them to basically [unclear].
TRUSTEE MERCIER: Well, we have to take steps, and then they have—
[multiple voices]
CHAIR: We are limited in the number of steps that we have.
TRUSTEE CHORNEYKO: We can go above and beyond.
CHAIR: Well, no, I tot— David, I totally agree. I totally agree. But as far as the law is concerned—
TRUSTEE CHORNEYKO: I think we’re good to adjourn.
CORPORATE OFFICER: Let’s adjourn.
TRUSTEE BUSSLER: Let’s adjourn.
TRUSTEE MOHER: I move to—
CHAIR: Can we roll this up? I mean, you’ve got your jacket on.
TRUSTEE MERCIER: Trustee Moher has moved to adjourn.
TRUSTEE MOHER: I moved to adjourn.
TRUSTEE MERCIER: I will second that motion.
[Chair calls for hands, meeting adjourned.]