Police employee charged with accessing databases for non-police matters

A civilian member of the Calgary Police Service (CPS) has been charged after an internal investigation alleged she intentionally accessed police databases for non-police matters, including information about individuals with whom she had or sought personal relationships.

For HR professionals, the case highlights the risk posed by trusted insiders misusing legitimate access to sensitive information, underlining the need for strong controls, monitoring and clear disciplinary frameworks around data privacy.

According to a statement from the City of Calgary, in December 2025, CPS became aware of allegations that protected information had been inappropriately accessed within its systems. It is believed a member of the Service was using police databases “against policy and authorized use” to obtain information on individuals “she has had, or sought to have, personal relationships with.”

The City of Calgary said the allegations relate to the improper use of work-related access for personal reasons, rather than for operational policing purposes.

A growing amount of sensitive data is going to AI tools as the use of the technology becomes increasingly widespread across organisations, according to a previous report.

Internal investigation and identified victims

Following the initial complaint, the matter was referred to the Calgary Police Service Sensitive Investigations Unit. Investigators concluded that a woman employed by CPS was believed to have leveraged her access to police data and facilities over a six‑month period – between Feb. 1 and Aug. 1, 2025 – to retrieve protected information, the City of Calgary said.

During the course of the investigation, four individuals were identified as having had their information “targeted and intentionally searched.” Police said the affected people have been notified. No details have been released about the nature of the data accessed, or whether any of the four have connections to the employee beyond the alleged personal interest.

On March 4, 2026, police executed a search warrant and seized the woman’s mobile device as part of the inquiry.

On April 7, 2026, Calgary police arrested civilian employee Kayla Jessen in connection with the alleged breach. She was charged with nine counts under Alberta’s Freedom of Information and Protection of Privacy Act.

Jessen faces charges under section 60(1)(a) of the Act for “collecting, using or disclosing information in contravention of Part 1 of the Act,” and under section 60(1)(b) for “gaining or attempting to gain access to personal information in contravention of the Act.”

The City of Calgary said Jessen is a three‑year employee of the Calgary Police Service and is currently on an unrelated leave from the Service pending review.

She was released from custody and is scheduled to appear in court on June 2, 2026. 

‘The foundation of trust’

Calgary Police Service leaders acknowledged the seriousness of the alleged breach and its potential impact on public and internal confidence.

“We recognize that a breach of this nature shakes the foundation of trust that we have built with the public and our members. Allegations such as these are taken very seriously, and we are committed to addressing this matter in a thorough and appropriate manner,” Insp. Dehl Vella of the CPS Professional Standards Section said in the statement.

The City of Calgary confirmed that the four identified victims have been informed of the incident, and that the investigation remains ongoing. Police have not released further information on any internal disciplinary processes, citing the continuing nature of the case.

Anyone with information regarding the incident is asked to contact police by calling 403‑266‑1234 and quoting case number SIU25‑084/4367. 

How can employers protect sensitive data in the workplace?

Here’s what employers and HR teams can do to protect sensitive information within their database, according to global data and technology company Experian:

• Implement strong, role-based access controls so only employees who genuinely need HR data can access it, and require multi-factor authentication for HR systems, email, and any platforms containing sensitive information.

• Encrypt all sensitive employee data, both at rest and in transit, to reduce the risk of unauthorised access if systems or communications are compromised.

• Regularly update and patch HR systems and related software to stay current with emerging threats and fix security vulnerabilities.

• Provide ongoing training for all staff on HR data privacy best practices, including phishing, tax-related scams (such as W‑2‑style fraud), social engineering, and secure password practices.

• Secure remote workers by requiring the use of VPNs, secure Wi‑Fi connections, and automatic screen‑lock policies on company devices.

• Conduct periodic internal security audits to identify weaknesses, verify that controls are working, and ensure compliance with data protection laws such as GDPR, CCPA, and HIPAA.

HR data systems often store highly sensitive personal details - from names and contact information to social insurance numbers, banking data and medical histories. And that's exactly the type of information cybercriminals target, Julia Latacka, an instructor in HR Data Analytics and Technology at Concordia University, previously told HRD.