Investigation into a privacy breach at Public Services and Procurement Canada

March 31, 2021

---

Complaints under the Privacy Act

Description

Public Services and Procurement Canada (“PSCP”) experienced a data breach affecting 69,087 public servants when it improperly disclosed pay-related information to the wrong Government of Canada institutions.

Overview

1. In February 2020, the Office of the Privacy Commissioner of Canada (“our Office” or the “OPC”) received complaints from federal public servants who alleged that Public Services and Procurement Canada (“PSPC”) improperly disclosed their pay-related information to the wrong Government of Canada institutions (the “disclosure” or the “breach”).
2. PSPC had already notified our Office about this breach of personnel overpayment reports affecting 69,087 public servants.^{Footnote 1} It explained that each pay period, it sends personnel overpayment reports with information originating from its Phoenix Pay System (“Phoenix”) to client institutions. Each institution receives the report for its own employees. However, on February 4, 2020, PSPC sent institutions reports with information about employees in other departments or agencies.
3. Our investigation concluded that PSPC contravened the Privacy Act (the “Act”) with regard to this unauthorized disclosure of personal information. The complaints are therefore well-founded. Based on our review of PSPC’s response to the breach and its actions to remedy the vulnerabilities that caused it, we also consider the complaints to be resolved.

Background and scope

4. Our investigation focused on the disclosure and PSPC’s response to the breach. Complainants also raised a number of additional concerns including questions about whether PSPC had implemented the recommendations from our Office’s 2017 Phoenix report^{Footnote 2} and the possible harm resulting from the breach. This report also answers those questions.

Methodology

5. In reaching our conclusions in this investigation, we consulted open sources (for example the notice about the breach that PSPC posted on its website) and reviewed evidence received through the following means:
   1. Telephone interviews with operations staff from the PSPC Pay Administration Branch and the Phoenix Operations Centre;
   2. Written and oral representations from the PSPC Access to Information and Privacy office; and
   3. Representations from complainants, including copies of breach notification messages that originated from PSPC and individuals received via their home departments.

Summary of investigation

PSPC’s disclosure of information in the breach

6. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc. The Act states that personal information can only be disclosed with an individual’s consent – subsection 8(1) – or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.

Background of the disclosure

7. The PSPC Pay Administration Branch provides pay services and benefits to public servants in Government of Canada institutions. The legal authorities under which PSPC provides those services include section 12 of the Department of Public Works and Government Services Act which states:

   The Minister shall provide such administrative and other services required for the disbursement of pay to persons employed in or by any department, and to persons employed in or by other portions of the federal public administration, as the Governor in Council may direct.

8. PSPC submitted that its pay services include tracking and coordinating the recovery of overpayments with financial and human resource (“HR”) services of client institutions. In particular, it uses personnel overpayment reports to inform institutions about outstanding overpayment balances, repayment plans, employee status and home address in case the employee is “inactive” and they need to be reached for overpayment recovery. According to PSPC, personnel overpayment reports also highlight “[…] accounts whose overpayments will be recovered from first available funds, which the department may wish to prevent in order not to cause financial hardship to their employee. Departments use this report as part of their regular bi-weekly pay operations.”
9. The genesis of the breach was in the production of personnel overpayment reports.

Production of personnel overpayment reports

10. PSPC submitted that in order to produce personnel overpayment reports, the Pay Administration Branch extracts information about employees with identified overpayments from Phoenix. The Pay Administration Branch saves the data to the master spreadsheet that was used for the previous pay period report which it then splits into separate emails (with spreadsheets) by institution. The Pay Administration Branch saves those emails in a repository and informs the Phoenix Operations Centre, responsible for sending the reports, that the material is ready for distribution.
11. PSPC explained that the extraction and processing of information “[…] takes place outside of the Phoenix pay system environment and associated built-in security controls due, in part, to the fact that Human Resources and Finance stakeholders do not have necessary access to the pay system and that the information in Phoenix is stored in this system in an aggregate fashion.”
12. Although PSPC had been producing personnel overpayment reports in this manner since 2018, when the breach occurred in 2020 it did not have a documented process with quality controls to produce them.

How the breach occurred

13. On February 4, 2020, when preparing the master spreadsheet the Pay Administration Branch did not delete certain data from the previous pay period report. The result was that information in the “Department” column did not match information in the “Name” column.
14. PSPC sent 164 individuals in 61 institutions^{Footnote 3} personnel overpayment reports with information about individuals in other departments. PSPC could not state how many of the recipients actually accessed the reports. However, it informed our Office that soon after it sent the flawed reports, recipients started reporting that they had received information about employees of other government departments. Ultimately, nine institutions reported receipt of flawed reports.
15. In the course of our investigation, we requested an anonymized copy of the information in the reports. PSPC’s response noted that all of the flawed reports had the following fields of possible information, but not all reports contained data in all fields:
    1. Name (first and last name of employee);
    2. PRI;
    3. Arrears balance (amount owed to the Crown by the employee, in dollars);
    4. Address (including home street address, city, postal code and province);
    5. Department code;
    6. Pay office / Pay list (represented as a number);
    7. Deduction code (where the field indicates if Phoenix has recognized an amount owed to the Crown by the employee);
    8. HR status (active or inactive);
    9. Agreement? (Yes or No);
    10. Minimum deduction amount (in dollars);
    11. Other deduction amount (Yes or No); and
    12. Whether the individual was acting.

Analysis

16. Of the information disclosed, the following elements that were possibly breached in the flawed reports constitute personal information, as defined in section 3 of the Act^{Footnote 4}: name, PRI, arrears balance, home address, agreement (Yes or No), minimum deduction amount and other deduction amount (Yes or No).
17. Given that the personal information was sent to the wrong institutions and accessed in at least nine institutions by recipients who did not have a “need to know” information about employees in other government departments, we determined that unauthorized disclosures of personal information occurred, as none of those disclosures were in accordance with any of the provisions outlined in subsection 8(2) of the Act.

Conclusion

18. For the reasons described above, we are of the view that PSPC disclosed personal information in contravention of section 8 of the Act.

How PSPC responded to the breach

19. The remainder of this report considers whether PSPC has since taken corrective measures to resolve the issue to the satisfaction of our Office. In particular, we focused on PSPC’s response to the breach and how it resolved the vulnerabilities that caused the breach.

Preventing further unauthorized disclosure of personal information

20. The Interim Directive on Privacy Practices - subsection 6.2.5 – makes executives and senior officials who manage programs or activities involving the creation, collection or handling of personal information responsible for implementing the government institution’s plan for addressing privacy breaches when necessary. We reviewed a copy of PSPC’s Privacy Breach Protocol. The protocol includes procedures for responding to a privacy breach that state that upon learning of an actual or suspected privacy breach, immediate action must be taken to stop and report the breach. The procedures also explain that the PSPC office of primary interest should immediately secure compromised records in order to prevent further unauthorized disclosure.
21. PSPC submitted that on the day the breach occurred (February 4, 2020), it asked the relevant institutions to disregard and delete the flawed personnel overpayment reports. Three days^{Footnote 5} after the breach, PSPC asked the Chief Security Officers of the receiving institutions to instruct and authorize their information technology services to urgently seek and destroy the flawed reports on their respective email networks, and confirm completion^{Footnote 6}.
22. PSPC followed-up with departments to confirm deletions and, 18 days after the breach, it received confirmation that the last outstanding department had completed the deletion request.
23. As a final step, PSPC asked Shared Services Canada to search the entire Government of Canada network for residual copies of the flawed reports. The search revealed residual copies; however, Shared Services Canada was not able to delete those copies without approval by the relevant Departmental Security Officers. After our Office’s intervention, PSPC committed to contacting the security and ATIP sections of the relevant departments, in writing, to alert them to the matter of the residual emails.

Potential for misuse of personal information through the Client Contact Centre (CCC)

24. Our investigation considered whether personal information compromised by the breach could be misused, for example, through the CCC. PSPC represented that the CCC requests and verifies a caller’s PRI, name (first and last) and date of birth. The breach did not compromise dates of birth. The CCC may also request additional information elements to verify the caller’s identity. We reviewed a list of those additional elements and noted that the breach did not compromise any of them.
25. We allowed that the breached information could be combined with other information – for example, from publicly available sources or through malicious means such as social engineering – to obtain date of birth information and enable identity fraud through the CCC. However, we considered that was unlikely. In making our assessment, we noted that the breach was unintentional and non-malicious and that PSPC knew and had contacted all of the inadvertent recipients of the information. Finally, we received no evidence that the personal information compromised in the breach was misused.

PSPC’s notification of individuals

26. The Directive on Privacy Practices - subsection 6.1.2 – makes heads of government institutions or their delegates responsible for establishing a plan for addressing privacy breaches within their institution. Further, section 4 of the Guidelines for Privacy Breaches strongly recommends that institutions notify affected individuals “as soon as possible following a breach to allow individuals to take actions to protect themselves against, or mitigate the damage from, identity theft or other possible harm”.
27. The PSPC Privacy Breach Protocol sets 13 days as the institution’s preferred standard for notifying affected individuals.
28. As a preliminary matter, PSPC explained to our Office that it concluded the type of harm at issue was the psychological impact on affected individuals who have already suffered pay issues. PSPC concluded that no financial or physical harm could come to the affected individuals from the breach.
29. PSPC issued two breach notices for individuals on February 17, 2020 (nine days after the breach). First, it posted a notice on its website. In addition, PSPC sent affected individuals’ home departments a breach notification letter and a list of the employees to whom it should be forwarded. The correspondence stated, “Departments and agencies should urgently distribute the attached letter to impacted employees listed in the attached report.” PSPC also submitted that, eleven days after the breach, it held telephone conferences with the departments to discuss the request and answer any questions.
30. According to PSPC, departments distributed the breach notification letter as early as February 17, 2020. While the current complaints corroborated that information, some complaints also indicated that it took as many as 17 days for other departments to forward the letters.
31. Our investigation found that the breach notification letter contained a general description of the incident; a list of the personal information elements that had been or may have been compromised; advice to the individual in respect of related risks; and a point of contact for additional information. It did not, however, indicate that other elements, such as arrears balance; agreement (Yes or No); minimum deduction amount; and other deduction amount (Yes or No) could also have been compromised.
32. PSPC submitted to our Office that the notification letter was in PDF format and it expected the letter would be circulated without modifications. However, our investigation revealed that in certain cases, departments modified the wording by either adding or removing information prior to distributing the letter. This meant that not all affected individuals received the same information about the breach. For example, one department added the incorrect information that PSPC “sent an email containing your personal information to the chief financial officers and heads of human resources of 62 departments and agencies”. A letter sent by a different department omitted the phrase about related risks: “there is little to no risk that your personal information could be used for malicious purposes”.
33. Our investigation further revealed certain other inaccuracies within PSPC’s notification letter. For example, contrary to what PSPC had indicated in its letter about the positions of the unintended recipients, the flawed personnel overpayment report did not just go to CFOs and heads of HR. Our analysis revealed that 52 of the recipients held positions ranging from Assistant Deputy Minister to Team Lead and Project Officer.
34. We accept that a description of an incident may not include all details that apply to all affected individuals, which reinforces the value of providing a point of contact to answer questions, as PSPC did in the case at hand. However, when it comes to the list of personal information elements that have been or may have been compromised, we strongly suggest that it is important to provide individuals with complete information. This allows individuals to assess the risk and take actions they deem necessary to protect themselves against possible harm resulting from the breach of their personal information.

PSPC’s actions to resolve the vulnerabilities that caused the breach

35. According to PSPC, since the breach, it has implemented a process and quality assurance checklist for producing the emails. The steps include downloading and verifying that the template does not inadvertently contain personal information from the previous pay period. The checklist has been tested and integrated in the relevant Pay Administration Branch processes. The Phoenix Operations Centre has also been integrated into this process. Finally, oversight has been added in the form of a requirement for certain signatures once the checklist is completed. A signed copy of the checklist is kept on file.
36. PSPC also explained to our Office that it surveyed departments to find out if the over-payment report is still required, and at what frequency. Based on the results of the survey, PSPC will continue to send the reports to the departments on a bi-weekly basis, but the reports will not include the employee home address.
37. PSPC is also exploring alternative solutions to respond to client information needs with automated solutions to generate the overpayment reports and/or to leverage existing technology to allow client departments/agencies to access their respective data sets/reports through a central repository. The latter solution would negate the need for distribution of emails with the overpayment information.

Conclusion and recommendation

38. In view of all of the above, we consider the complaints to be well-founded and resolved. Notwithstanding the contravention of Section 8 of the Act, it is evident that the corrective actions taken by PSPC, both at the time of the breach and subsequently, mitigated damage(s) flowing from the breach, and diminished the probability of recurrence. We were also pleased to see the expedient actions taken to notify affected Canadians.