Why ATIPP, IT, and Cybersecurity Now Go Hand in Hand
Community governments across the Northwest Territories are being asked to navigate a rapidly changing digital and regulatory landscape. Privacy obligations under the Access to Information and Protection of Privacy Act (ATIPP) are expanding, cybersecurity risks are increasing, and everyday IT practices are under more scrutiny than ever before.
For organizations like LGANT (Local Government Administrators of the Northwest Territories) and NWTAC (Northwest Territories Association of Communities), these challenges are not theoretical. They show up daily in how councils and staff use email, manage accounts, and collect personal information for community programs.
The reality is simple:
good intentions are no longer enough. Governance matters.
ATIPP Applies to Information, Not Technology
One of the most common misconceptions we encounter in NWT communities is that ATIPP compliance is about software choices.
It is not.
ATIPP follows personal information, regardless of where that information lives. Whether data is stored in Microsoft 365, Gmail, spreadsheets, social media messages, or on a shared laptop, the same privacy obligations apply.
If personal information is collected to support community business, ATIPP likely governs how that information is:
- collected
- used
- stored
- disclosed
- retained
This applies equally to council correspondence, staff operations, and community programs.
Why IT and Cybersecurity Are Now Governance Issues
ATIPP establishes expectations around privacy, but IT systems and cybersecurity practices determine whether those expectations can realistically be met.
Without basic IT controls, even well-meaning communities struggle to:
- limit access to personal information
- demonstrate accountability
- respond properly to access-to-information requests
- prevent unauthorized disclosure
Cybersecurity is not just about protecting systems from hackers. It is about controlling access, identity, and accountability, all of which are essential for privacy compliance.
In practical terms, this means:
- knowing who has access to what
- removing access when roles change
- ensuring accounts belong to the community, not the individual
Staff and Council Email Accounts: A Common Risk Area
Across the Northwest Territories, we regularly see challenges related to email and account management, particularly in smaller communities.
Common practices include:
- staff using personal email accounts for work
- shared or generic inboxes
- accounts being passed from one staff member to another
- council members using personal email for official business
- former staff or councillors retaining access after leaving
These practices are understandable, especially where resources are limited and turnover is high. However, they introduce significant privacy, cybersecurity, and governance risk.
From an ATIPP perspective, shared or reassigned accounts make it difficult to:
- limit access appropriately
- protect personal information
- demonstrate who accessed records and when
From a cybersecurity perspective, they increase the likelihood of account compromise and unauthorized access.
Account Migration and “Continuity” Risks
Many communities attempt to preserve continuity by reassigning existing email accounts when staff or council members change.
While the goal is understandable, this approach creates hidden risk.
When an account is migrated from one individual to another:
- personal information belonging to the former user may be disclosed
- audit trails are disrupted
- passwords and authentication may remain tied to former users
- cybersecurity vulnerabilities can persist unnoticed
A more defensible approach is to:
- disable departing user accounts
- archive email and records appropriately
- provision new accounts for new staff or councillors
- grant access to shared resources rather than personal inboxes
This preserves institutional knowledge without inheriting unnecessary liability.
Community Programs and Informal Data Collection
Some of the highest-risk personal information in community governments is not stored in formal systems at all.
It often lives in:
- bingo and raffle sign-up sheets
- housing and wellness program lists
- volunteer rosters
- email distribution lists
- spreadsheets stored on personal devices
- social media messages copied into documents
These informal processes are essential to community life, but they are rarely designed with privacy or cybersecurity in mind.
ATIPP still applies.
Communities must consider:
- why personal information is collected
- how long it is kept
- who can access it
- how it is protected
Ignoring these questions increases exposure to privacy breaches and erodes community trust.
Cybersecurity Does Not Have to Be Complicated
A common concern we hear from LGANT and NWTAC members is that cybersecurity feels overwhelming or unaffordable.
In reality, the most effective cybersecurity practices are often the simplest:
- individual user accounts
- strong authentication
- role-based access
- clear offboarding procedures
- basic data backups
These controls support both privacy compliance and operational resilience.
Good cybersecurity is not flashy.
It is quiet, consistent, and defensible.
The Question Every Community Should Be Able to Answer
Here is the simplest test of digital governance:
If you were asked tomorrow who has access to personal information in your community, could you answer confidently?
If the answer is no, the issue is not technology.
It is governance.
Supporting Communities Across the Northwest Territories
CasCom works with communities across the Northwest Territories to help bridge the gap between ATIPP obligations, IT reality, and cybersecurity best practices.
Our focus is practical, scalable guidance that reflects how community governments actually operate, not one-size-fits-all solutions designed for large organizations.
As LGANT, NWTAC, and community governments continue to navigate evolving privacy and cybersecurity expectations, the goal is not perfection. It is reasonable, defensible practice that protects residents, staff, and elected officials alike.
Further reading: Access to Information and Protection of Privacy :: Justice
Ready to make your community’s IT and privacy practices more defensible?
CasCom works with Northwest Territories communities to translate ATIPP obligations into practical, scalable IT and cybersecurity practices. If you’d like to explore how this applies to your council, staff, or community programs, we’re happy to start with a conversation.
👉 Contact CasCom to learn more
About CasCom
CasCom is a Northwest Territories–based managed technology service provider specializing in cybersecurity, connectivity, and IT governance for communities operating in remote and challenging environments.
