REGINA — Saskatchewan’s justice department is investigating a former government employee who was found to have inappropriately accessed personal information as part of an alleged illegal immigration scheme.
Richelle Bourgoin, the province’s deputy minister of immigration and career training, said Wednesday that prosecutors are looking into whether to lay charges after the ministry found the employee had inappropriately accessed information of 40 clients looking to come to Saskatchewan.
“We’ve provided all of our material to our colleagues at the Ministry of Justice,” she said.
Saskatchewan information and privacy commissioner Ron Kruzeniski recently recommended prosecutors probe the case following his own investigation earlier this year.
His report, released in late May, said the immigration ministry suspected the employee was sharing clients’ personal information with a third party outside the ministry as part of an illegal immigration scheme.
The report said a complainant told the ministry the third party sought money in exchange for approval of their immigration application.
It said the employee has since resigned.
He said a prosecution would signal to government employees that it’s not OK to snoop and access private information.
“We have to put up every deterrent we can so that employees don’t turn into rogue employees and don’t, for curiosity reasons, think they can just dip into a system with immunity,” he said.
“As to whether we have the evidence, I would leave that to the prosecutors. But I really want the prosecutors to take a close look and decide where there’s sufficient evidence here to do it — and I hope there is.”
Kruzeniski said it’s his understanding Saskatchewan has not historically charged a person for violating someone’s privacy under freedom of information and privacy legislation.
In February, the ministry asked Kruzeniski’s office to investigate the privacy breach.
The report indicated that the ministry initially became aware of suspicious activity in April 2022, when a client complained the employee had inappropriately accessed their file, shared it with a third party and sought money.
Given the seriousness of the allegations, the report said, the ministry then informed the Canada Border Services Agency.
The ministry then audited its online portal that contains immigration files and found the employee had “unusual activity” on the site.
The ministry says another complaint was made in June 2022, which had spurred an in-depth investigation.
That investigation found various breaches and determined the employee had not complied with freedom of information and privacy rules.
The review found the employee had accessed client files they weren’t assigned to. The staff member had also accessed files when they were working after hours or when on vacation, which is not allowed.
Kruzeniski’s report noted the employee had been investigated in 2020 for similar reasons. However, allegations during the 2020 investigation were not substantiated, the ministry said.
The ministry said it’s yet to fully understand the employee’s motivations.
“We have our suspicions that the employee or a known associate may have had criminal intent, but as that investigation is ongoing at this time, we cannot state that with sense of certainty,” it said in the report.
“Hubris is the only root cause that can be determined at this time, as (they) did not believe (they) would be caught.”
Kruzeniski said Immigration’s executive director notified the ministry’s privacy department of the allegations in November — seven months after officials were made aware of the issue.
He said the privacy department should have been notified sooner, which could have allowed affected clients to be made aware earlier.
“I think (privacy department staff) should be on the ground floor as soon as possible so they can work with the technical experts,” he said. “Sometimes, perfection on the technical side is not needed to at least tell individuals that their information has been breached.”
He recommended the ministry implement mandatory, annual privacy training for employees.
He also said it should offer credit monitoring to those who could be at risk of identity theft.
Bourgoin said the ministry has implemented new technology that would flag any irregular activity on its systems.
It has also provided additional training for employees, she added, noting the privacy officer is to be notified sooner should a future breach happen.
“We are confident in the steps that we’ve taken to prevent future breaches of privacy,” she said. “And we are in the process of preparing that response to the commissioner’s report, but we do appreciate the feedback he’s provided so far.”
This report by The Canadian Press was first published June 21, 2023.