OTTAWA – The federal privacy watchdog says inadequate testing, coding errors and poor monitoring of the beleaguered Phoenix federal pay system resulted in exposure of the personal information of public servants.
In his annual report tabled today, privacy commissioner Daniel Therrien found at least 11 breaches occurred and the personal information at issue included employee names and salary information.
Therrien says most of the vulnerabilities were government-wide, meaning the information of all employees in the Phoenix system at the time of each breach was at risk.
WATCH: ‘Box of band-aids’: NDP slam Liberals over speed of fix for Phoenix pay system
READ MORE: Equifax data breach catches attention of Canada’s privacy commissioner
In some cases, the commissioner found, information could be changed and transactions could be conducted.
Therrien also determined there may be lingering vulnerabilities that could lead to future breaches.
The Phoenix pay system has been riddled with other problems, leaving some public servants without pay cheques for many weeks.
Therrien warns in his report that in a general sense, Canadians fear they are losing control over their personal information in the digital age.
In addition to Phoenix, his office looked into potential privacy issues with the mydemocracy.ca website used to consult Canadians last year on electoral reform. Therrien found that the site contained third-party scripts that could disclose users’ personal information to Facebook without their consent.
WATCH: Conservatives slam Liberals over electoral reform website’s ‘privacy nightmare’
The privacy watchdog also tackled the Canada Border Services Agency’s “Scenario Based Targeting Program” which uses advanced analytics to identify potential terrorist threats based on traveler demographics.
“The review raised the concern that some of the national security scenarios used by CBSA are broad and based on personal characteristics which identify a large number of law abiding individuals, whose personal information is used and shared without sufficient privacy protections,” Therrien wrote in a summary of the report.
Therrien addressed all the findings at a news conference in Ottawa on Thursday afternoon.
Businesses are not currently being held to account when it comes to protecting Canadians’ privacy rights, he said.
“I’m calling for amendments to the federal private sector privacy law, to provide for order-making powers and the ability to impose administrative monetary penalties,” he said, adding that this would bring Canada in line with the U.S. and much of Europe.
“My office won’t wait for legislative changes, we will begin to act immediately,” Therrien added.
WATCH: Prime Minister Trudeau can’t tell Canadians how to protect privacy at U.S. border
That will include updating existing guidance on how companies should seek online consent, issuing new guidance on “no-go” zones like sharing personal information that could cause harm to an individual, and shifting towards proactive enforcement rather than waiting for complaints to come in.
With files from Global News.