Diane McLeod-McKay, the territory’s information and privacy commissioner, says “highly sensitive” personal information belonging to thousands of Yukon government employees was being widely circulated to more than a dozen departments and the legislative assembly. (Crystal Schick/Yukon News file)

Personal data from thousands of Yukon government employees was accessible to too many people: report

Yukon Information and Privacy Commissioner says the government broken access to information laws

“Highly sensitive” personal information belonging to thousands of Yukon government employees has been widely circulated to over a dozen departments and the legislative assembly, a breach of the territory’s information and privacy legislation, according to an investigative report by the Yukon Information and Privacy Commissioner.

The Public Service Commission (PSC) isn’t authorized to do this, Commissioner Diane McLeod-McKay told the News when the report was released on Jan. 29.

“All employees of the Yukon government and potentially more than that” were impacted by the wholesale exchange of personal data, she said. “The information system itself was being used to process the personal information of all employees.”

That same data, collected at the point of hire and onwards until termination or retirement, was deemed to be insecure.

The report was spurred by a complaint lodged in November 2016 that alleged similar concerns.

Using an electronic human resources tool, PSC distributed details including “biographical information” and job titles to different HR branches belonging to 16 other departments and the legislature, the report says.

“Employees’ names, addresses, telephone numbers, identifying numbers, ages, sex, marital status, family status and information about their educational, financial and employment history is the identifiable information at issue,” it says.

“A short assessment of (the HR management system) security, using publicly available information and scenario-based modeling, recently resulted in the detection of a security risk to the overall system.”

Certain particulars of the report have been redacted for privacy reasons.

“Some departmental human resource professionals across government previously had access to personal information of employees not in their own department,” said Nigel Allan, a PSC spokesperson, in a written statement.

“Access by human resource personnel to employee information is now restricted to employees in their own departments. In addition, any sharing of employee information between departments is now limited to the Public Service Commission for general human resource management purposes and the Department of Finance for payroll purposes.”

Asked if this data was obtained by anyone outside the Yukon government, McLeod-McKay said “We have no indication that there has been any harm caused as a result of (the breach),” adding that making such a finding hinges on PSC conducting evaluations of its system.

Managers with proper clearances had access to personal information, the report says.

“For example, any manager who has such a designation could access the (private information) of any employee in (HR management system) outside the scope of that manager’s public body despite having no reasonable and direct connection to it, nor any necessity to use it,” it says.

The bottom-line is that data was available to people who simply shouldn’t have had access to it, McLeod-McKay said.

“Every government department had access to information to all the employees in the system,” she said. “We determined, in the report, that they did not have authority to do that.”

Personal information must be exclusive to the department in which an employee works, the report says.

Human resources “elsewhere have no function in the collection of (personal information) as it affects employees working in other public bodies.”

Personal data provided to the Department of Finance is authorized because these details are required to process salaries, bonuses and benefits.

The PSC is only able to disclose personal data “if it’s use is consistent with the purpose for which it was obtained or compiled,” according to the report.

There are certain restrictions. The financial branch, for instance, is not privy to biographical information, the report says, attributing it to a statement from the PSC.

“… I am satisfied that the collection of employee (personal information) to provide compensation and superannuation benefits to that employee is a key component of the administrative activity,” it says.

“(Personal information) must be limited to authorized persons whose responsibilities require such access, as opposed to their status, rank or office, or on a premise of practical or functional convenience.”

The report outlines 17 recommendations for the PSC to implement, which include containing the breach, revoking access that “designated employees” have to private information belonging to all government workers, excluding those who are retired, and bringing in prevention measures to ensure such incidents don’t occur again.

“The Public Service Commission has accepted them and we are working actually with them on doing a privacy impact assessment on their (human resources system), which essentially means we walk through the entire system … and find their authorities to collect these and disclose, as well as look at their security parameters to make sure they’re sufficient enough to secure the information appropriately, appropriately in accordance with the act,” McLeod-McKay said.

“Laws are there to protect citizens, which all of us are, so it’s really important, especially in this day in age of cybercrime and other kinds of leaks of information, that these steps now be taken to ensure that the information is properly secured.”

Allan, the PSC spokesperson, said most of the recommendations will likely be implemented by April.

Contact Julien Gignac at julien.gignac@yukon-news.com

Just Posted

Yukon government was wrong in evicting youth from a group home, commissioner finds

The health department has roughly two months to respond to recommendations

Stephanie Dixon ready to dive into new role as chef de mission for 2019 Parapan American Games and 2020 Paralympic Games

“You do it because you believe in yourself and you have people around you that believe in you”

WYATT’S WORLD

Wyatt’s World

Whitehorse becomes first community north of 60 to have private pot shop

Triple J’s Canna Space opens its doors to first customers

Whitehorse council news, briefly

Some of the news that came out of Whitehorse city council this week

Snowmobiles and snow bikes descend on Mount Sima for Yukon Yamaha Uphill Challenge

“I think everyone had their eyes opened on what could be done there”

Yukon Orienteering Association starts Coast Mountain Sports Sprint Series off in the right direction

The race on April 11 was the first of five sprint races planned for the spring

Yukon gymnasts stick the landing at inaugural B.C. Junior Olympic Compulsory Championships

Seven Polarettes earned five podium finishes at the two-day event in Langley, B.C.

École Émilie-Tremblay hosts first Yukon elementary school wrestling meet of 2019

“You can grab kids and you can trip and you can do that rough play, but there are rules”

Driving with Jens: Survey says….

If you’re like me, you probably feel inundated with surveys. It seems… Continue reading

Editorial: Promising electoral reform is the easy part

Details of what that would actually look like are much harder to come by

Yukonomist: The centre of the business universe moves 4,000 k.m. northwest

The Canadian Federation of Independent Business named Whitehorse Canada’s top place to start and grow a business

Whitehorse starts getting ready for Japanese students

This summer 13 Japanese students are slated to come north

Most Read