As many as 70,000 managers had excess and unneeded access to the personal details of all 300,000 federal employees enrolled in the new and problem-filled Phoenix pay system, according to CBC News.
Citing Public Services Canada documents released under the Access to Information legislation, the broadcaster said senior officials were warned as early as Jan. 18 that the soon-to-be deployed Phoenix had a flaw that gave managers widespread access to employees’ personnel records, including social insurance numbers.
The issue raises questions about the ability of federal managers to go snooping through files.
Senior officials said “the issue had been resolved,” but apparently it wasn’t by the time Phoenix went live. In fact, the story says information about the privacy problem was removed from a Privacy Impact Assessment, which the department has to issue when it introduces a new program or system that could affect privacy, perhaps because of the assurance the issue was fixed.
However, the story says, the flaw persisted at least through April and was identified as “material” with the “highest risk impact” because of the potential for identity theft. One document quoted by the CBC said, “Unfortunately, this is not an unforeseen situation.”
The system made headlines this week with the revelation by Public Services minister Judy Foote that some 80,000 civil servants have had pay problems with Phoenix, including 720 who haven’t been paid some regular salaries. Most are missing supplementary pay, such as acting or extra duty pay, and salary increment adjustments. Foote said that of those who are missing a full salary cheque, 486 will receive a payment on the July 27 pay day.
The federal privacy commissioner has been notified and is investigating the privacy problem.
There are still questions about the source of the privacy issue, such as how the software gave such wide access to personal information, which may be cleared up today when Public Services officials are supposed to brief reporters.
In her statement earlier this week Foote said the software was tested with more than 16,000 different pay scenarios to ensure that information flowed accurately between federal human resource systems and Phoenix.
The news troubles Imran Ahmad, who heads the cyber security practice at the Toronto law firm Miller Thomson LLP and is a member of the advisory board of the Canadian Advanced Technologies Alliance’s cyber security council. “What struck me was they flagged this in some sort of document in January. We’re now in June. They should have known,” he said in an interview.
“Somebody may have said this has been dealt with, but it clearly wasn’t. The test (in law) is not one of absolute perfection but is one of were reasonable steps taken. I don’t have information as to what led to that determination that the issue was resolved, but certainly there would have been steps they would have had to take. At the very least they should have asked very specific questions to whoever the designer of the software was, ‘Will people have access to it? What kind of information can they access? Under what kind of conditions? What kind of administrative or technical fencing have you created around the software?’”
A spokesperson for Public Services could not be reached this morning for comment.