Phoenix pay system also breached federal workers' privacy

CBC News has learned that a new pay system that has been withholding workers' earnings has also compromised their personal information. Officials knew about the problem in January, but did not disclose it to workers, their unions - or even the minister responsible.

Newly disclosed documents show troubled federal pay system had a flaw that compromised personal info

Public Services and Procurement Canada set up a satellite pay office to deal with the backlog of calls for public servants who are not getting paid. Documents obtained by CBC News show the pay system also had a flaw that led to a massive privacy breach. (Facebook)

A dysfunctional compensation system that's withholding paycheques from federal workers has also been breaching their privacy, CBC News has learned.

Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees' personnel records, including social insurance numbers.

Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure.

Chris Aylward, vice-president of the Public Service Alliance of Canada, says he's furious the union was not told of a major privacy flaw in the federal government's Phoenix payroll system. (Julie Ireton/CBC )
The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems.

The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system.

A spokeswoman for Canada's privacy commissioner confirmed the department "has reported this matter to our office and we have followed up with them." Valerie Lawton said she could provide no further details.

The minister in charge, Judy Foote, said she learned only this week of the internal breach of private information. "I am aware of it, and I've been told that none of the information became public," she said in an interview.

Over to privacy commissioner

Foote said she has turned the matter over to the privacy commissioner for investigation, and will focus on getting people paid.

An official of a union representing 140,000 federal workers said he learned of the privacy breach on Tuesday from CBC News.

Public Services Minister Judy Foote says she was not made aware of a major privacy issue with the Phoenix payroll system until this week. Her officials knew of the problem in January. (CBC)
"This is the first time we're hearing about this," Chris Aylward, vice-president of the Public Service Alliance of Canada, said in an interview.

"It's another demonstration of how much of a boondoggle this whole Phoenix system really has become now.… It has just become appalling to us, to say the least."

Unfortunately, this is not an unforeseen situation.- April 2016 briefing document noting privacy-breach issue was known in January 2016.

The released documents show that information about the privacy breach was removed from a key accountability document, called a Privacy Impact Assessment, that the department must compile whenever a new program or system like Phoenix is introduced that could affect privacy.

Details about the Phoenix privacy flaw were purged from the report on Jan. 21, after department officials assured that "the issue had been resolved."

In fact, the flaw persisted at least through April and was identified as "material" with the "highest risk impact" because of the potential for identity theft. As one document noted: "Unfortunately, this is not an unforeseen situation."

The department has been assuring all government employees for months that Phoenix protects their privacy, with one document stating: "Phoenix is secure and will ensure that your personal information is protected."

The Phoenix system was supposed to allow only designated human resource individuals within a department to have access to the personnel records of workers within the same department.

Phoenix falling

CBC Ottawa has been collecting stories from civil servants, part-time employees and student workers who have been affected by the Phoenix payroll system problems. Here are some of their stories:

But the flaw allowed thousands of designated officials to get access to records of every worker in every department.

Treasury Board President Scott Brison has blamed the Phoenix payroll problems on the previous government. (Paul Palmeter/CBC)
It was not immediately clear whether the flaw has been corrected. Foote said department officials would provide a briefing about the issue on Thursday.

The documents say that the flaw is in violation of Section 8 of the Privacy Act, which says that personal information shall not be disclosed, without consent, except for the purpose it was obtained or compiled for, or for a use consistent with that purpose. And they warn Ottawa could be subject to legal action.

Foote and Treasury Board President Scott Brison have each blamed the previous government for the Phoenix boondoggle, though the decision to roll out the system occurred earlier this year under the Liberal government's watch.

Minister Judy Foote on Phoenix pay system

7 years ago
Duration 7:34
Featured VideoThe Minister of Public Services says the flaws in the federal pay system are 'totally unaceptable.'

Follow @DeanBeeby on Twitter


Dean Beeby

Senior reporter, Parliamentary Bureau

Dean Beeby is a CBC journalist, author and specialist in freedom-of-information laws. Follow him on Twitter: @DeanBeeby

With files from David McKie, Katie Simpson, Rosemary Barton and Jennifer Choi