Privacy commissioner to investigate data breach of public servants' personal info

Canada's privacy commissioner is launching a formal investigation into one of two data breaches linked to the federal government's troubled computerized payroll program, called Phoenix.

The decision comes as new details are made public about the scope of both incidents involving sensitive information belonging to federal government employees.

The commissioner will probe the second breach, which took place earlier this year, and involved managers having access to information belonging to employees who did not work for them.

The number of employees who had their data exposed during this incident is not known.

"The information that could be seen included an employee's name and personal record identifier (PRI) — the employee number assigned under the federal government's human resources management system," said Valerie Lawton, a spokesperson for the privacy commissioner's office. "According to PSPC [Public Services and Procurement Canada], no other personal information could be viewed."

In an email to CBC News, Lawton said news coverage of the breach led to a number of complaints, which prompted the commissioner to investigate.

The first breach involves highly sensitive data for 10,000 public servants that was "inadvertently transmitted" to the private contractor building the federal government's Phoenix payroll system, according to the department responsible for the troubled program.

Phoenix Falling

CBC Ottawa has been collecting stories from civil servants, part-time employees and student workers who have been hit by the Phoenix payroll system problems. Here are some of their stories:

Want to share your own story? Email us​

That incident happened sometime between March and July of 2015, when Phoenix was in the testing phase, and the department was not aware of the transfer of personal data until IBM alerted the government.

"The contractor alerted PSPC of the breach in June of 2015 and subsequently removed all of the sensitive data from its database," Lawton said.

The federal government's new government-wide electronic payroll system has been beset by problems since it was implemented. Some 80,000 federal public servants have experienced trouble receiving their pay, forcing the federal government to work around the clock to try and fix the issue.

Lawton said that in the first breach, "The department believed that one IBM employee opened an email containing the personal information and immediately reported the problem."

The department reported the breach to the Office of the Privacy Commissioner, saying it was confident that "any potential risk to the affected individuals was minimal" because the data would have required advanced technical skills to access and it is "unlikely that an IBM employee would have used the information inappropriately."

The privacy commissioner agreed with PSPC's assessment of the risk.

Potential for identity theft

But that answer is not sitting well with Ann Cavoukian, a three-term Ontario privacy commissioner and now executive director of the Privacy and Big Data Institute at Ryerson University in Toronto.

"The personal record identifier is equated, in terms of sensitivity, to the social insurance number — and everyone, I think, would agree that the social insurance number is extremely sensitive. If people have access to it, it subjects the individual to a much greater chance of identity theft," said Cavoukian.

"The fact that they would let this information go over to IBM ... I just think it's outrageous," she added.

Cavoukian says the security that should have been attached to this information appears to have been completely missing. She also says that while IBM is a "respectable company" with a "solid reputation," that does not mean there was no risk.

"Something like three-quarters of the cases of data breaches arise because of insiders, whether intentional or not," she said.

Cavoukian says the government needs to conduct a full investigation of who and what systems were responsible for the error and make the necessary corrections to ensure it does not happen again.

"The whole point of sensitive data is that it should only be used for the purpose it was intended and access to it should be restricted to those who are authorized to see it," she said. "Within the government, you would hope that at least that would be respected."

'Dysfunctional' payroll system

"It's shocking but in a sense not surprising," said NDP public services and procurement critic Erin Weir. "If you put employees' information into a dysfunctional payroll system, then privacy will be at risk."

Weir says the data breaches as well as the ongoing fiasco of 80,000 public servants who are not receiving their proper pay and benefits is just more proof that the Phoenix system has to be fixed immediately.

"It's really a basic expectation in any workplace that the employers will pay its employees correctly and on time without compromising their personal information," he said. "It's quite striking that our federal government is failing to meet these basic obligations."

Correction : In an earlier version of this story, Valerie Lawton was identified as a spokeswoman for Public Services and Procurement Canada. In fact, she is a spokeswoman for the Privacy Commissioner. (Jul 22, 2016 10:35 PM)