Phoenix pay system also breached federal workers' privacy
Newly disclosed documents show troubled federal pay system had a flaw that compromised personal info
A dysfunctional compensation system that's withholding paycheques from federal workers has also been breaching their privacy, CBC News has learned.
Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees' personnel records, including social insurance numbers.
Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure.
The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems.
The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system.
A spokeswoman for Canada's privacy commissioner confirmed the department "has reported this matter to our office and we have followed up with them." Valerie Lawton said she could provide no further details.
The minister in charge, Judy Foote, said she learned only this week of the internal breach of private information. "I am aware of it, and I've been told that none of the information became public," she said in an interview.
Over to privacy commissioner
Foote said she has turned the matter over to the privacy commissioner for investigation, and will focus on getting people paid.
An official of a union representing 140,000 federal workers said he learned of the privacy breach on Tuesday from CBC News.
"This is the first time we're hearing about this," Chris Aylward, vice-president of the Public Service Alliance of Canada, said in an interview.
"It's another demonstration of how much of a boondoggle this whole Phoenix system really has become now.… It has just become appalling to us, to say the least."
Unfortunately, this is not an unforeseen situation. - April 2016 briefing document noting privacy-breach issue was known in January 2016.
The released documents show that information about the privacy breach was removed from a key accountability document, called a Privacy Impact Assessment, that the department must compile whenever a new program or system like Phoenix is introduced that could affect privacy.
Details about the Phoenix privacy flaw were purged from the report on Jan. 21, after department officials assured that "the issue had been resolved."
In fact, the flaw persisted at least through April and was identified as "material" with the "highest risk impact" because of the potential for identity theft. As one document noted: "Unfortunately, this is not an unforeseen situation."
The department has been assuring all government employees for months that Phoenix protects their privacy, with one document stating: "Phoenix is secure and will ensure that your personal information is protected."
The Phoenix system was supposed to allow only designated human resource individuals within a department to have access to the personnel records of workers within the same department.
CBC Ottawa has been collecting stories from civil servants, part-time employees and student workers who have been affected by the Phoenix payroll system problems. Here are some of their stories:
- Phoenix problems make public servant feel 'penalized'
- Public servant not getting any health or dental benefits
- Cancer survivor unpaid since return to work
- Single mom maxed out after 2 months without pay
- Without pay, student caught in desperate catch-22
But the flaw allowed thousands of designated officials to get access to records of every worker in every department.
It was not immediately clear whether the flaw has been corrected. Foote said department officials would provide a briefing about the issue on Thursday.
The documents say that the flaw is in violation of Section 8 of the Privacy Act, which says that personal information shall not be disclosed, without consent, except for the purpose it was obtained or compiled for, or for a use consistent with that purpose. And they warn Ottawa could be subject to legal action.
Foote and Treasury Board President Scott Brison have each blamed the previous government for the Phoenix boondoggle, though the decision to roll out the system occurred earlier this year under the Liberal government's watch.
Follow @DeanBeeby on TwitterWith files from David McKie, Katie Simpson, Rosemary Barton and Jennifer Choi