A government website glitch that exposed the personal information of several dozen people has prompted calls for stricter adherence to federal privacy guidelines.


Experts are calling for stricter adherence to privacy guidelines after a malfunction on a federal government website released people's personal info. ((CBC File))

The two-day malfunction on Service Canada's Access Key site, a new portal that lets people manage benefits such as employment insurance, pension plans and old age security, was caught on Sept. 28, after the personal info of 75 people was mistakenly disclosed.

The glitch allowed some users to see other users' social insurance numbers and banking information.

Ottawa privacy expert and lawyer Kris Klein said the incident might have been prevented had the government followed its own rules for rolling out new services.

"If it had been taken more seriously, it's more likely that this glitch would have been caught earlier on in the process," he said.

Government guidelines require a department to complete a privacy impact assessment, or PIA, before launching new programs or services so that programmers can identify privacy risks and take steps to manage them. The department must also submit a copy to the Office of the Privacy Commissioner of Canada before the launch.

The PIA is generally required months ahead of time to help programmers assess their software. But the PIA for the Access Key site arrived on Aug. 26, one month before its launch.

The commissioner's office said it had hoped to receive the document in June.

"We would have liked to receive that much earlier in the game," said Anne-Marie Hayden, a spokeswoman for the privacy commissioner.

Both Klein and the office of the privacy commissioner said this case shows why reporting privacy breaches should be written into Canadian law. Currently, disclosing a privacy breach is optional.


  • The Office of the Privacy Commissioner of Canada says it received the privacy impact assessment for Service Canada's new Access Key website on Aug. 26, not Sept. 7 as it previously reported.
    Oct 16, 2013 11:51 PM ET