Privacy and the Phoenix pay system
The Government of Canada takes the safeguarding of employees' personal information very seriously. Below is a list of questions and answers on the privacy breaches related to the Phoenix pay system.
What happened?
Between February and October 2016, Public Services and Procurement Canada encountered several privacy breaches as a result of the implementation of the Phoenix pay system. In most cases, employees’ personal information, such as Personal Record Identifiers (PRI), names, dates of birth, home addresses and pay amounts, was inadvertently made accessible to other employees who did not have a need to access the data. For example, pay data of all employees in Phoenix could be viewed by all compensation advisors across government. Normally, compensation advisors can only access the information of employees within the departments they serve. In other instances, personal information was accessible to managers and financial officers.
There is no evidence that employees’ personal information ever left the hands of federal employees, mainly compensation advisors, or government contractors as a result of these breaches. A few breaches involved the potential for unauthorized transactions to be processed. These transactions were verified, and the necessary corrections were made in the system, with no impact on any individuals.
Upon discovery of these breaches, Public Services and Procurement Canada investigated to determine their cause and took quick action to resolve them. These incidents were then reported to the Office of the Privacy Commissioner of Canada for review.
What is being done to prevent similar breaches from happening again?
Thorough reviews were conducted by Public Services and Procurement Canada. These breaches occurred as a result of human error or software glitches, which have been resolved to prevent further problems.
The Office of the Privacy Commissioner of Canada made several recommendations to strengthen the protection of personal information, and all of these have been or are being addressed. The department is providing additional training to compensation advisors and clarifying their roles and responsibilities, implementing more robust processes, finding a better way to monitor users’ view access and activities within Phoenix, and reviewing all of its methodology and protocols. Public Services and Procurement Canada is also currently developing a series of queries that will allow departments to monitor compensation advisors’ activities within Phoenix. This will help identify situations where users have improperly changed information in the system.
Additional measures include a full review of security access for all sections within Phoenix, which was completed by June 30, 2017, as well as a review of Public Services and Procurement Canada’s privacy breach protocol to inform employees of the required steps when a breach is discovered. Any necessary updates resulting from these reviews will be implemented promptly.
Are employees at risk because of the privacy breaches?
An employee name and identification number (Personal Record Identifier) cannot be used to access pay/pension accounts without other information, such as passwords and myKEY.
There is no evidence that employees’ personal information ever left the hands of federal employees or government contractors as a result of these breaches.
Were social insurance numbers shared with anyone?
No. Social insurance numbers were not shared nor at risk during the reported privacy breaches.
Why were employees not notified of the privacy breaches?
Information about these breaches is being posted on Public Services and Procurement Canada’s website and shared with all departments by the Deputy Minister. In line with a commitment to continual improvement, Public Services and Procurement Canada will review its protocols to identify opportunities to enhance future notifications.
How does the department safeguard personal information?
Public Services and Procurement Canada takes the security of employees' personal information very seriously. It is an integral component of departmental frameworks, culture, day-to-day operations and employee behaviours. The department is committed to protecting employees’ personal information and is taking the necessary steps to further increase its safeguarding practices.
In cases of a privacy breach, we follow a systematic approach to assess and address causes and consequences. This process follows the Treasury Board of Canada Secretariat's Directive on Privacy Practices.
In line with this directive, we report all material privacy breaches to the Office of the Privacy Commissioner of Canada for its review.