Canadian Privacy Commissioner reports record high in privacy complaints and reported data breaches

October 30, 2013 |

In her last Annual Report (found here) before retiring Ms Stoddart, the Federal Privacy Commissioner, highlights a less than optimum picture of privacy protection by the federal government.

The News release (found here) provides:

Privacy Commissioner’s final report calls for greater care in government handling Canadians’ personal information

Audit of CRA seeks improved safeguards for taxpayer data

OTTAWA, October 29, 2013 — Tabled today in Parliament, the 2012-13 annual report on the Privacy Act is marked by record highs in complaints by Canadians and in reported data breaches by federal organizations. Privacy Commissioner Jennifer Stoddart’s final report before the end of her mandate provides details on investigation findings and privacy trends across federal departments and agencies, and also includes the conclusion of an audit into the privacy practices of the Canada Revenue Agency (CRA).

Recommendations to improve CRA’s protection of Canadians’ personal information

Following numerous reports of privacy breaches involving employees inappropriately accessing taxpayer information in recent years, the Office of the Privacy Commissioner of Canada selected the CRA for an audit under Section 37 of the Privacy Act.

The audit found weaknesses in key privacy and security practices that led to taxpayer information not being protected as it should, with thousands of files being accessed inappropriately for years without detection.

Our Office made 13 audit recommendations to the CRA on a number of matters including privacy breach reporting, monitoring of employee access rights, threat and risk assessments for IT systems and ensuring that Privacy Impact Assessments are completed for new programs involving changes to the management of personal information.  The Agency has fully agreed with our recommendations, and has shared a plan outlining its corrective actions

“Canadians deserve to have their personal information protected, particularly when they provide it to the government under legal compulsion,” said Commissioner Stoddart.  “CRA collects and retains sensitive, personal, financial data of Canadians.  By meeting our recommendations, the Agency can move forward in maintaining Canadians’ confidence in the tax system.  Our Office will follow-up within two years to ensure they are fulfilled.”   

Record highs reached in complaints and reported data breaches

For the second year in a row, new all-time highs were set for both privacy complaints about federal organizations submitted by Canadians and data breaches reported by departments and agencies to our Office.

From April 2012 to March 31, 2013, our Office received 2,273 such complaints, up from 986 over the same period a year before. Much of this increase owes to the 1,159 total complaints generated by two highly publicized data breaches involving Employment and Social Development Canada (formerly known as Human Resources Development Canada) and Justice Canada. The full total number minus these complaints however would still stand at a record annual high of 1,114.

The number of data breaches reported to our Office by federal institutions rose to 109 from 80 during the same period a year before, marking an increase of over 36 per cent.  Given data breach reporting within the federal government is voluntary, it’s unclear whether this statistic represents an actual increase in breaches or more diligent reporting by departments.      

“While it would be somewhat encouraging if the upward trend in reported data breaches could indeed be attributed to more diligent reporting, this may understandably serve as cold comfort to Canadians,” said the Commissioner.  “Even if this were the case, Canadians would be justified in demanding that institutions focus greater efforts on taking greater precautions up front and avoiding breaches in the first place.”

Focusing on border security initiatives

This year’s annual report also offers details on investigations concluded in the past fiscal year into privacy practices of Correctional Services Canada and the Royal Canadian Mounted Police.  It also offers details on Privacy Impact Assessments prepared for initiatives under the Beyond the Border Action Plan. 

It includes concerns raised by our Office regarding:

  • A proposed 75 year retention period for information collected under the Canada-U.S. Entry/Exit System; and
  • A lack of signage informing individuals they are in a “Customs Controlled Area.”  These are designated by the Public Safety Minister and would extend the powers of CBSA officers to detain, question, and search any individual into areas typically associated with border crossings, such as departure lounges or shipping terminals.

“Perimeter security is and will remain an important priority for the government,” added Commissioner Stoddart.  “Our Office has joined with our provincial and territorial colleagues in raising the need to ensure that the standards and values behind our privacy laws are not diminished.  As the initiatives affecting Canadians continue to evolve, our Office led by my successor will continue to give this the attention it deserves from a privacy standpoint.”

The full annual report and audit of CRA are available at www.priv.gc.ca. The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.

In relation to the breaches involving disclosure of taxpayer information at the Canada Revenue Agency the Privacy Commissioner’s audit found:

Serious breaches involving the disclosure of taxpayer information have occurred at the Agency

  1. From a list of internal investigations conducted by the CRA during 2011 and 2012, we identified more than 50 that involved inappropriate access to taxpayer information.  Our review of a sample of those investigations indicated that many also involved inappropriate disclosure of taxpayer information.  Some files involved employee access to thousands of taxpayer files over an extended period of time during which they went undetected.
  2. The Agency’s records about access and disclosure breaches indicate that employee motivation varied from curiosity, to personal gain, preferential treatment and fraud.  Where employee wrongdoing was established disciplinary measures were applied, ranging from a warning to dismissal.
  1. Recommendation: Consistent with Treasury Board Guidelines for Privacy Breaches, the Canada Revenue Agency should ensure that the Access to Information and Privacy Directorate is notified of all breaches as they are discovered.

Agency’s response:

The CRA agrees with this recommendation and continues to enhance its established information-sharing protocol by:

  • immediately expanding the existing protocol to include the notification of all breaches in accordance with the Treasury Board Secretariat Guidelines on Privacy Breaches;
  • ensuring more timely breach notifications to the Access to Information and Privacy Directorate (ATIP).

Leave a Reply