Office workers at Public Services and Procurement Canada were cited 3,075 times last year for failing to lock up documents, USB keys and other storage devices containing sensitive information, says a new security report.

And six of those employees were found to be chronic offenders during a "security sweep" at the department in 2017-2018, with each of them leaving confidential material unsecured at least six times over the 12-month period.

"In 2017, we identified six employees who exceeded maximum offences and we are doing review for cause interviews," says a June 2018 briefing note, obtained by CBC News under the Access to Information Act.

Portable external hard drives and memory sticks, or USBs, accounted for about a third of all the infractions when Public Services and Procurement Canada did a security sweep to determine whether office workers were safeguarding sensitive information. (grebcha/Shutterstock)

The results of the sweep, which included after-hours inspections of workers' desks and filing cabinets for sensitive documents and for storage devices left unsecured, are the first since the program was tightened and standardized on April 1, 2017.

The new program now includes a rising scale of sanctions against rule-breaking employees, as well as stepped-up training and education.

It's not clear whether the tougher regime has helped safeguard more confidential information, which can include personal data about Canadians.

Worst offender

A previous report on infractions, covering Nov. 4, 2015, to Sept. 19, 2016, found a roughly similar number: 2,912 cases of unsecured documents, making Public Services and Procurement Canada (PSPC) the worst offender of all government departments during that period of almost 11 months.

Across all departments, there were more than 10,000 such security breaches over that period, said the report, delivered to the House of Commons in response to a question from an opposition MP.

A security sweep of PSPC offices conducted throughout 2016-2017 found 4,398 infractions for the year. Officials said the drop to 3,075 infractions in 2017-2018 may be related to other factors, including "clean desk" policies in some new offices that forbid staff from leaving any paper — sensitive or otherwise — on their desks.

"We are unable to clearly measure the success of the [new] Security Sweep Compliance and Awareness Program," says the briefing note to PSPC Deputy Minister Marie Lemay.

Under the program, chronic offenders are subjected to tough sanctions, including the threat of demotion or termination. But a department spokesperson said the six offending employees identified in the latest round are being treated leniently.

"As this is the first year of application of the processes and tools, people with multiple infractions have been addressed within a continuum of education and awareness," Rania Haddad said in an email.

Haddad said the department did not collect information on the number of repeat offenders for previous years.

The briefing note shows that about a third of the infractions in 2017-2018 involved unsecured storage devices, such as USB keys and external drives, which can contain thousands of documents.

Word of the security sweep statistics follows the theft of a storage device from Public Services and Procurement Canada on Aug. 21, 2018, which contained personal information about 227 federal employees at Infrastructure Canada. Information on the device was reportedly encrypted.

There have been other instances of federal departments and agencies hit with major privacy breaches when storage devices went missing:

In November 2012, a hard drive containing personal data on 583,000 people, mostly students, disappeared from Human Resources and Social Development Canada (now called Employment and Social Development Canada), prompting class action lawsuits and an RCMP investigation.

Last year, a courier working for the Canada Revenue Agency lost a DVD containing the private information of approximately 28,000 taxpayers in the Yukon.

A storage device was stolen sometime before May 7, 2018, from a CBC/Radio-Canada office. It contained personal data about 23,675 employees, former employees, contractors and others.

A spokesperson for Canada's privacy commissioner declined to comment on the latest PSPC security sweep, saying the results had not been shared with the office.

Among previous privacy breaches at PSPC were 11 involving the Phoenix payroll system. (Travis Golby/CBC)

Tobi Cohen noted that the department is No. 10 on the list of federal institutions with registered privacy complaints, based on the latest published annual report for 2016-2017, with 25 complaints that year.

Other breaches

Cohen also noted there were privacy breaches in that fiscal year that did not involve missing or stolen paper documents or storage devices.

In one case, a PSPC human resources officer sent an email to 180 senior officials that contained an Excel attachment exposing personal details about 14,241 employees.

The office also investigated 11 privacy breaches involving flaws in the Phoenix payroll system which allowed unauthorized officials to access employees' personal information.

"Particularly troubling in this case is that PSPC is unable to monitor or audit who accesses personal information used by Phoenix … [T]he breaches were the results of a combination of inadequate testing, coding errors and insufficient monitors and controls of the Phoenix system," the investigation concluded.

Follow @DeanBeeby on Twitter