Provincial government computers hold lots of personal information about citizens, but CBC Investigates has found that data can end up in the wrong hands.

In fact, 177 separate privacy breaches were reported by different government departments and agencies to the Office of Public Engagement over a recent period of nearly four years.

CBC Investigates obtained incident reports for each of those breaches using provincial access-to-information laws.

Many of the breaches could be chalked up to carelessness or simple mistakes.

For example, test results for the Janeway’s hydrotherapy pool were sent in error to the Super 8 Motel, which also has a pool. A birth registration form was instead sent to a local garage. A wage subsidy claim was forwarded to a government employee with the same name but working in the wrong department.

But other cases were more serious:

In 2012, the Department of Advanced Education and Skills received a complaint from an income support client that an employee had accessed her file without a business reason. The employee was fired, but an arbitrator later reinstated her and imposed a two-month suspension without pay or benefits.

In late 2011, the College of the North Atlantic campus in Qatar (CNA-Q) discovered two serious privacy breaches in the span of two weeks, including one that saw the birthdates and salary information of 600 employees inadvertently revealed.

In January 2015, the police were called after an employee inappropriately accessed personal information at the Motor Registration Division in Mount Pearl. Officials ultimately determined that 28 people were affected.

In 2011, one government worker used the Motor Registration system to look up information on dozens of people over a 10-month period. Nearly half that employee’s 328 total searches were not work-related. The incident report says many of the people he looked up were women, and warned “there could be possible safety risks for these individuals.”

Breaches at Motor Registration Division

In fact, the Motor Registration Division is one of the most likely sources of incidents where people will have their information seen by those who shouldn’t.

The division accounted for nearly a third of all privacy breach incident reports sent to the province between 2011 and early 2015.

A large number of those breaches are minor, according to documents reviewed by CBC Investigates — driving records faxed to a company in Alberta by mistake, an accident report sent to the wrong law firm, one incorrect letter inputted by a clerk resulting in the wrong tax receipt provided over the counter to a client.

Service NL Minister Dan Crummell says the high proportion of incidents is linked to the number of transactions. The system, he notes, is accessed more than 4,000 times a day.

“We have about 1.5 million inquiries a year,” Crummell noted. “The majority, the vast majority, of the breaches would occur by accident.”

After a serious breach in 2011, Service NL started auditing what employees are looking up.

But to date, those audits have only found two problems, both of which were minor in nature.

Stronger penalties pending

The minister in charge of access to information and privacy says stronger penalties are coming for those who break the rules, as recommended by the recent review chaired by former premier and judge Clyde Wells.

“It increases the fine, it increases the types of incidents that can be pursued, that could result in charges, and could result in fines and other penalties, so it strengthens our ability to deal with those kinds of circumstances,” Public Engagement Minister Steve Kent said.

One change from the Wells report has already been implemented.

Before, the information and privacy commissioner was only notified in a handful of privacy breaches.

But now, any and all privacy breaches will be reported directly to the watchdog’s office.