Details are trickling out about two incidents of snooping within the Ministry of Immigration and Career Training in Saskatchewan.
The province’s information and privacy commissioner, Ronald Kruzeniski, released one report on the two separate incidents this month. This comes a few months after an immigration scheme within the ministry was revealed by another of Kruzeniski’s reports.
According to the new report, two employees both accessed information inappropriately in their work for the ministry and were found out through questions around conflicts of interest.
These are two of the three people the ministry announced in June had been fired for privacy breaches, at the same time it announced a mass privacy breach in its system.
For the first employee, a potential conflict of interest was flagged in November of last year, though it’s never been explained exactly what the conflict might have been.
The investigation eventually found that the employee accessed the information of 34 immigration clients inappropriately, including client names, contact details, information about their immigration applications, place and date of birth, education, work experience, family members, social insurance numbers, and financial information like bank account information.
That employee was placed on administrative leave in December, and then was fired about three weeks later.
For the second employee, the ministry discovered they had been working for an outside business in March of last year, but it wasn’t until January that it found the outside employer had active files with immigration.
The investigation into the second employee found they had accessed the personal information of eight clients in the online immigration system, applicants and an employer.
The second employee was fired in March of this year.
In both cases, the ministry told the commissioner that it was a lack of access controls based on the employees’ roles that was the root cause of the problem.
It said an action plan was being developed and was going through an internal review. It also improved access and reporting requirements, and will install barriers to reduce the risk of employees getting into information they don’t need.
For the most part, the commissioner said the ministry had handled the situation appropriately. However, he did recommend that the ministry be quicker at notifying affected parties; it took the ministry three months to send out letters in both cases after a breach had been confirmed.
Kruzeniski also said the ministry should be including a warning about the risk of identity theft in its notification letter to people who had their privacy breached, and that it should be offering credit monitoring services.