Personal information shared erroneously: Material privacy breach

February 17, 2020

As part of regular operations, Public Services and Procurement Canada (PSPC) sends departmental heads of human resources (HR) and chief financial officers an encrypted email with a bi-weekly report listing employee overpayments for their department. The report includes the employees’ full name, Personal Record Identifier (PRI), home address and overpayment amounts.

In the most recent distribution of this report, which occurred earlier this month, certain public servants’ above-mentioned personal information was shared in error with federal government departments other than their own, which constitutes a privacy breach. There is no evidence that this information was shared outside of the government.

We take the protection and security of personal information very seriously. As soon as the breach was discovered, immediate steps were taken to contain and destroy the improperly shared information. We have notified the Office of the Privacy Commissioner of Canada and affected employees will be notified in the coming days.

We are also conducting an internal investigation to further assess the situation, and to identify steps to ensure this doesn’t happen again. We have stopped the distribution of these overpayment reports until we receive the results of the investigation.

To whom was this information sent?

The personal information of public servants was sent to 161 chief financial officers and heads of HR in 62 departments.

When did this breach take place and what was done to address it?

The email was sent on February 4, and the error was reported on the same day. Recipients were contacted immediately and asked to delete the e-mail. On February 6, following a review of the situation, the breach was deemed material, and PSPC's information technology services took additional steps to contain the breach by deleting the e-mail on its servers.

On February 7, the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat were notified. Chief security officers in all 62 recipient departments were asked to delete the e-mail from their respective servers.

How can I, as an affected employee, be sure that personal information wasn’t shared with unauthorized individuals?

PSPC took immediate steps, in collaboration with departments who received the e-mail, to contain the situation by deleting the e-mail. The e-mail distribution was limited to heads of HR and chief financial officers across 62 departments, and there is no evidence that this e-mail would have been shared outside of government.

What steps have been taken to ensure this doesn’t happen again?

PSPC has reviewed and adjusted how it will share this information in the short and long term.

Immediate actions include stopping the distribution of these reports until we have the results of the investigation and have reviewed current procedures and controls.

To address this situation over the long term, we will review and validate the needs of client departments for information, further increase awareness around security and privacy, and explore other more secure methods to share information of this nature.
