Sask. government says employee may have been involved in 'illegal immigration scheme': privacy commish
Privacy breach shines a light on vulnerabilities in province’s immigration system
The Saskatchewan government believes an employee of the Ministry of Immigration and Career Training inappropriately accessed the files of 40 applicants, in connection with a suspected "illegal immigration scheme," according to a report late last month from Saskatchewan's information and privacy commissioner.
In February, the ministry asked the commissioner to investigate a privacy breach it had discovered during an internal investigation of an unnamed employee in the immigration services branch.
According to the commissioner, the province had discovered that the employee had inappropriately accessed the Saskatchewan Immigrant Nominee Program (SINP) files of 40 clients. The government suspected the worker was "sharing [client information] with a third party outside the ministry as part of an illegal immigration scheme."
That suspicion was based on a tip received in April 2022.
"Immigration explained that it received a complaint from one of its clients alleging that the third party sought money in exchange for the approval of their immigration application," Ron Kruzeniski's May 31 report says.
"Given the serious nature of the allegations, Immigration informed the Canada Border Services of the allegations."
The employee accessed a wide range of information.
"In some cases, only individuals' contact information was accessed. In other cases, affected individuals' entire file was accessed. Some of the files included information about the individuals' passports, employment, finances, and family members," the report says.
On July 26, 2022, three months after receiving the tip, the employee's access to the internal system was cut off. The employee resigned on Aug. 8.
- Do you have a tip? Contact Geoff Leo at geoff.leo@cbc.ca
'Hubris is the only root cause'
The commissioner noted that the ministry first identified that its clients privacy had been breached in April 2022, but didn't begin notifying those people until February 2023.
"Affected individuals have a right and need to know to protect themselves from any harm that may result," he wrote.
Kruzeniski said the ministry should also have offered the affected clients five years of credit monitoring, which wasn't done.
He noted that the ministry offered an explanation for the delay. It said that there were multiple investigations into the matter, making the situation complex. In addition, the ministry didn't know if those clients may have themselves been involved in the scheme.
"It was not known if the affected individuals were associates of [the employee]. In order to avoid negatively impacting an active criminal investigation, the decision was made not to inform the affected individuals immediately," the ministry said in the report.
Kruzeniski was also concerned that the ministry "failed to notify [privacy officials] 'as quickly as possible' after becoming aware of a potential breach." The breach was confirmed in April 2022, but the ministry didn't inform its own privacy officials until November and didn't tell the commissioner until February.
In an email to the commissioner, the ministry offered its thoughts about how this breach happened.
"We have our suspicions that the employee or a known associate may have had criminal intent, but as that investigation is ongoing at this time, we cannot state that with sense of certainty," the ministry wrote, according to the commissioner.
The ministry noted that the employee was well aware that their activities on the internal database could be tracked. It said this employee had been investigated in 2020. While the allegations weren't substantiated at that time, the employee was warned to not review files that were not assigned to them.
"Hubris is the only root cause that can be determined at this time, as [they] did not believe [they] would be caught," the ministry told the commissioner.
Ministry making changes
Kruzeniski commented that in his view, the root cause of the breach was the employee's failure to follow policy.
"The other circumstances suggest that the employee may have been motivated by criminal intent and the desire for financial gain," he wrote.
He said the ministry needs to improve employee training and tighten up access to internal systems to ensure this doesn't happen again. He also recommended the government refer this matter to the Ministry of Justice for possible prosecution under privacy legislation.
Richelle Bourgoin, deputy minister of the Ministry of Immigration and Career Training, confirmed in an interview that the ministry has forwarded the file to the Ministry of Justice.
"We do take the privacy of our program incredibly seriously," she said, adding that the ministry is reviewing the commissioner's report to determine next steps.
She said this situation has already led to change.
"That's really led us to immediately look to strengthen our audit functions," she said. "But at the same time enhancing the training and the clarity of expectations for employees in the program."
She said the ministry will consult with the privacy commissioner much sooner in the future.