Move constitutes 'material privacy breach': government
Just recently, the personal information of thousands of public servants was shared in error with 62 other federal government departments, constituting a “material” privacy breach, according to Public Services and Procurement Canada (PSPC).
As part of regular operations, PSPC sends 161 departmental heads of HR and CFOs an encrypted email with a biweekly report listing employee overpayments for their department. The report includes the employees’ full name, Personal Record Identifier (PRI), home address and overpayment amounts.
In the early-February distribution of this report, some public servants’ information was shared in error with federal government departments other than their own, which constitutes a privacy breach.
The breached involved 69,087 public servants caught up in the Phoenix pay system scandal, according to the CBC, and PSPC has stopped the distribution of the overpayment reports until it receives the results of an internal investigation looking into the situation, it says.
The error was reported on the same day and recipients were contacted immediately and asked to delete the email, says the government. Eventually, IT services took additional steps to contain the breach by deleting the email on its servers, and chief security officers in all 62 recipient departments were asked to delete the email from their respective servers.
“We take the protection and security of personal information very seriously. As soon as the breach was discovered, immediate steps were taken to contain and destroy the improperly shared information. We have notified the Office of the Privacy Commissioner of Canada and affected employees will be notified in the coming days,” says the PSPC. “There is no evidence that this email would have been shared outside of government.”
