Hundreds of federal government employees had their privacy violated after the Treasury Board of Canada Secretariat sent a massive email with personal information to those demanding that Phoenix pay damages to the department.
In an email sent to more than 200 claimants on May 3, the secretariat’s “Serious Impact Team” acknowledged and filed claims for serious impacts related to the Phoenix payment system. say the teams were “working diligently” to process the high volume of claims. and he asked them for patience.
The question, however, was in which field the secretariat pasted the complainants’ emails: personal and work emails, many of which included full or partial names. Instead of “blindly copying” the emails into the “BCC” field, the secretariat pasted all of the complainants’ emails into the “CC” field.
He was very crazy.- Public official whose privacy was violated
This meant that everyone included in the email could see who else had requested compensation under the Treasury Board Secretariat’s program.
This is the latest topic related to the Phoenix payment system, which was introduced more than six years ago. Public officials say they are still affected by the problem of the government’s salary system, which has cost taxpayers more than $ 2.4 billion in April 2022.
Some former and current civil servants have gone to the secretariat’s complaints office, which was set up to compensate for the damage to those severely affected. The Office of the Privacy Commissioner of Canada is investigating this incident and declined to comment because the process is ongoing.
The privacy of the civil servant was violated twice
A public official, who was copied in the mass email, says this is not the first time the government has violated their Phoenix-related privacy.
In an email from February 2020, Public Services and Procurement Canada, the administrator of the Phoenix payment system, admitted that it violated the privacy of some people by sending a mass email containing full names, personal identifiers, addresses Phoenix overpayments and overpayments to officials in 62 departments and agencies. instead of sending employee information to their respective department heads.
The employee, whom CBC agreed not to name because of his fears of facing professional retaliation, says they were “really crazy” about the breach.
“There is no concern for any public servant tied up in this nightmare. Seriously, and it’s been six and a half years, and they can’t even get your privacy right,” the employee said.
“It’s one more reason not to trust anyone who has anything to do with Phoenix. You really can’t get an email address, can you? I don’t have faith.”
“Disturbing,” says the former privacy watchdog
Former Ontario privacy commissioner Ann Cavoukian says BCC emails are “obvious knowledge” when there are several hundred people included.
“Any first grader would know that,” he said.
Cavoukian explained that this is not the most egregious breach he has seen, but it is still “disturbing” due to the plaintiffs’ loss of control over their privacy.
A breach occurs when personally identifiable data, linked to any information, is revealed, he said. In this case, the information discloses specific persons claimed for damages under Phoenix.
“Privacy refers to the control, personal control related to the use and disclosure of your personal information. You should not disclose information such as this,” he said.
“That’s what surprises me. Wouldn’t the federal government be aware of that? I mean, please give me a break.”
The Centralized Public Service Payment Center is shown in Miramichi, NB. Public officials say they have suffered financially and emotionally as a result of the failure of the Phoenix payment system. (Michael MacDonald / The Canadian Press)
Stricter guidelines are needed
He said the Treasury Board of Canada Secretariat should apologize and implement stricter guidelines on how to handle people’s information by email, and added: “This should have been in place 50 years ago.”
“We have an excellent privacy commissioner, Daniel Therrien … and I’m sure he would be outraged by that.”
The secretariat said in a statement sent by e-mail that the mass e-mail sent in May was “due to an administrative error”.
Spokesman Martin Potvin said the complaints office followed up by sending all recipients “a message indicating that they regretted this fact.”
The department says it is working with the federal privacy commissioner and reviewing its internal processes “to ensure that an error like this does not happen again.”