Hundreds of federal government employees had their privacy breached after the Treasury Board of Canada Secretariat sent a mass email containing personal information to those claiming Phoenix pay damages with the department.
In an email sent to more than 200 claimants on May 3, the secretariat’s “Severe Impacts Team” acknowledged people’s claim submissions for severe impacts related to the Phoenix pay system, and told them teams were “working diligently” to process the high volume of claims and asked for their patience.
The issue, however, lay in which field the secretariat pasted claimants’ emails — personal and work emails, many of which included full or partial names. Instead of “blind copying” the emails in the “BCC” field, the secretariat pasted all of the claimants’ emails in the “CC” field.
I was just really freaking mad.– Public servant whose privacy was breached
That meant everyone included on the email was able to see who else had applied for compensation under the Treasury Board Secretariat’s program.
This is the latest issue related to the Phoenix pay system, which was introduced more than six years ago. Public servants say they’re still affected by the government’s troubled pay system, which has cost taxpayers more than $2.4 billion by April 2022.
Some former and current public servants have turned to the secretariat’s claim office, set up to reward damages to those severely impacted. The Office of the Privacy Commissioner of Canada is now investigating this incident, and declined to comment because the process is ongoing.
Public servant’s privacy breached twice
One public servant, who was copied in the mass email, says this isn’t the first time they have had their privacy breached by the government related to Phoenix.
In a February 2020 email, Public Services and Procurement Canada, the Phoenix pay system administrator, admitted it breached some people’s privacy by sending a mass email containing full names, personal identifiers, home addresses and Phoenix overpayment amounts to officials in 62 departments and agencies, instead of sending employees’ information to their respective department heads.
The employee, who CBC agreed not to name due to their fears of facing career reprisals, says they were “really freaking mad” about the breach.
“There’s zero concern for any public servant tied up in this nightmare. Seriously, and it’s six and a half years — and they can’t even get your privacy right,” the employee said.
“It’s one more reason to not trust anything by anybody dealing with Phoenix. Really, you can’t get an email address right? I have zero faith.”
‘Disturbing,’ says former privacy watchdog
Former Ontario privacy commissioner Ann Cavoukian says it is “obvious knowledge” to BCC emails when there are several hundred people included.
“Any first grader would know that,” she said.
Cavoukian explained this isn’t the most egregious breach she’s seen, but it’s still “disturbing” due to the claimants’ loss of control over their privacy.
A breach occurs when personally identifiable data, linked to some information, is revealed, she said. In this case, the information reveals specific individuals applied for damages under Phoenix.
“Privacy is all about control, personal control relating to the use and disclosure of your personal information. You shouldn’t have information like this revealed,” she said.
“That’s what astounds me. The federal government wouldn’t be aware of that? I mean, please, give me a break.”
Stricter guidelines needed
She said the Treasury Board of Canada Secretariat needs to apologize and implement stricter guidelines on how to handle people’s information via email adding, “that should have been in place 50 years ago.”
“We have an excellent privacy commissioner Daniel Therrien … and I’m sure he would be outraged at this.”
The secretariat said in an emailed statement the mass email sent in May was “due to an administrative error.”
Spokesperson Martin Potvin said the claims office followed up by sending all recipients “a message stating that it regretted this occurrence.”
The department says it’s working with the federal privacy commissioner and reviewing its internal processes “to ensure that an error like this does not re-occur.”