
Phoenix pay system compromised public servants' privacy
The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information; some of the vulnerabilities were government-wide and could have allowed the data to be modified, not merely viewed. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.
- Unauthorized access to and disclosure of personal information within the Phoenix pay system.
- Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
- Scope and impact of the privacy breaches on federal public servants.
- Timeliness and adequacy of PSPC's notification to affected individuals.
Complaints well-founded: The OPC found that PSPC improperly disclosed personal information due to vulnerabilities in the Phoenix system.
The investigation confirmed that at least 11 breaches occurred due to inadequate testing, coding errors, and insufficient controls, exposing personal information including names, PRI numbers, and salary details. PSPC was aware of some vulnerabilities before the system's launch but failed to adequately address them.
AI-generated summary for reference only. Always verify against the official decision.
The OPC made several recommendations to PSPC, including auditing system accesses, improving testing procedures, enhancing security risk management, mitigating call centre vulnerabilities, providing better notification to affected individuals, and completing a review of pages with row-level security. PSPC agreed to implement these recommendations.
- s. 3 Privacy Act
- s. 8(1) Privacy Act
- s. 8(2) Privacy Act

