Advertisement

Watchdog flags privacy breaches in Phoenix pay system

Privacy Commissioner Daniel Therrien is pictured in Ottawa.
Privacy Commissioner Daniel Therrien is pictured in Ottawa. THE CANADIAN PRESS/Adrian Wyld

OTTAWA – The federal privacy watchdog says inadequate testing, coding errors and poor monitoring of the beleaguered Phoenix federal pay system resulted in exposure of the personal information of public servants.

In his annual report tabled today, privacy commissioner Daniel Therrien found at least 11 breaches occurred and the personal information at issue included employee names and salary information.

Therrien says most of the vulnerabilities were government-wide, meaning the information of all employees in the Phoenix system at the time of each breach was at risk.

WATCH: ‘Box of band-aids’: NDP slam Liberals over speed of fix for Phoenix pay system

Click to play video: '‘Box of band-aids’: NDP slam Liberals over speed of fix for Phoenix pay system'
‘Box of band-aids’: NDP slam Liberals over speed of fix for Phoenix pay system

READ MORE: Equifax data breach catches attention of Canada’s privacy commissioner

In some cases, the commissioner found, information could be changed and transactions could be conducted.

Story continues below advertisement

 

Get the day's top news, political, economic, and current affairs headlines, delivered to your inbox once a day.

Get daily National news

Get the day's top news, political, economic, and current affairs headlines, delivered to your inbox once a day.
By providing your email address, you have read and agree to Global News' Terms and Conditions and Privacy Policy.

Therrien also determined there may be lingering vulnerabilities that could lead to future breaches.
The Phoenix pay system has been riddled with other problems, leaving some public servants without pay cheques for many weeks.

Therrien warns in his report that in a general sense, Canadians fear they are losing control over their personal information in the digital age.

 

In addition to Phoenix, his office looked into potential privacy issues with the mydemocracy.ca website used to consult Canadians last year on electoral reform. Therrien found that the site contained third-party scripts that could disclose users’ personal information to Facebook without their consent.

WATCH: Conservatives slam Liberals over electoral reform website’s ‘privacy nightmare’

Click to play video: 'Conservatives slam Liberals over electoral reform website’s ‘privacy nightmare’'
Conservatives slam Liberals over electoral reform website’s ‘privacy nightmare’

The privacy watchdog also tackled the Canada Border Services Agency’s “Scenario Based Targeting Program” which uses advanced analytics to identify potential terrorist threats based on traveler demographics.

Story continues below advertisement

“The review raised the concern that some of the national security scenarios used by CBSA are broad and based on personal characteristics which identify a large number of law abiding individuals, whose personal information is used and shared without sufficient privacy protections,” Therrien wrote in a summary of the report.

Therrien addressed all the findings at a news conference in Ottawa on Thursday afternoon.

Businesses are not currently being held to account when it comes to protecting Canadians’ privacy rights, he said.

“I’m calling for amendments to the federal private sector privacy law, to provide for order-making powers and the ability to impose administrative monetary penalties,” he said, adding that this would bring Canada in line with the U.S. and much of Europe.

“My office won’t wait for legislative changes, we will begin to act immediately,” Therrien added.

WATCH: Prime Minister Trudeau can’t tell Canadians how to protect privacy at U.S. border

Click to play video: 'Prime Minister Trudeau can’t tell Canadians how to protect privacy at U.S. border'
Prime Minister Trudeau can’t tell Canadians how to protect privacy at U.S. border

That will include updating existing guidance on how companies should seek online consent, issuing new guidance on “no-go” zones like sharing personal information that could cause harm to an individual, and shifting towards proactive enforcement rather than waiting for complaints to come in.

Story continues below advertisement

With files from Global News.

Sponsored content

AdChoices