A federal department has lost the sensitive legal files of five retired members of Parliament, the latest in a series of privacy breaches across government.
Public Services and Procurement Canada lost the original documents last November as it was preparing to return them by registered mail through a suburban Ottawa mailroom.
The packages contain details such as addresses, telephone numbers and pension information, as well as original or notarized power-of-attorney declarations.
"While the loss of this document is regrettable, we want to assure you that safeguards and quality assurance measures remain in place to ensure the ongoing integrity of your pension account," says a copy of the letter sent to the five.
"In the event that the document is ever located, you will be contacted and advised immediately."
CBC News obtained a copy of the form letter, as well as related briefing documents from June this year, under the Access to Information Act.
The identities of the five are not contained in the Access to Information release package, and Public Services would not release names except to say some are retired MPs and others are spouses who receive part of the pension of a deceased MP.
The executive director of the Canadian Association of Former Parliamentarians, Francis LeBlanc, said he was not aware of the identities, nor was he aware of any previous such breaches. The Ottawa-based association represents some 1,000 former parliamentarians.
Canada's privacy commissioner said the department notified the office of the breach on Aug. 9 this year, more than nine months after the breach.
The privacy office "is still actively working with [Public Services] on this file," said spokesperson Tobi Cohen. "We are not in a position to discuss whether or not we've received a complaint from any specific individuals, for privacy reasons."
In July 2016, Public Services committed one of the deepest privacy breaches in government, accidentally sending out by email the unencrypted personal information of 12,901 federal employees, including their salaries and test results.
'Processes for managing personal information shared with third parties are not in place.' - Internal 2016 review of gaps in privacy protocols at Public Services and Procurement Canada.
And in 2015 and 2016, two other Public Services breaches connected with the flawed Phoenix payroll program involved 300,000 workers, though less personal data was involved.
The department reported no material privacy breaches to the privacy commissioner in 2014-15, four in 2015-16 and nine in 2016-17, suggesting the problem is getting worse or more breaches are being detected for the first time. Since April, two breaches have been reported to the commissioner.
The latest episode involving the five MPs comes at an awkward time: the administration of pensions for retired MPs was transferred on Oct. 3 to the federal pension centre in Shediac, N.B., as the government consolidates pension administration for many institutions for greater efficiencies.
Public Services' standards require investigations into alleged or actual privacy breaches to be closed within 90 days, but the briefing notes show an investigation was started only on June 6 this year, more than seven months after the incident.
The letters to the five, which offered to cover the cost of replacing power-of-attorney documents, were sent out only in June. The briefing notes indicate the people affected were also called by telephone that month.
Gaps in training
On March 31, 2016, an internal review of the department's privacy policies found major gaps.
"There is no formal privacy training provided to employees to provide them with the knowledge and awareness necessary to meet privacy obligations," it found. "Processes for managing personal information shared with third parties are not in place."
The review also found that privacy breach investigations are completed within the 90-day target only 70 per cent of the time, down sharply from previous levels of 85 per cent.
Public Services did not respond to a series of questions about the latest breach.
Follow @DeanBeeby on Twitter