Privacy Breaches in the federal government in Canada in 2014 exceed 5,000.

March 26, 2015

The article "Some 5,600 privacy breaches in federal government in 2014: documents" provides a salutary lesson on how much trust can be placed in government agencies storing personal information. The report relates to breaches of Canadian Government sites, but there is no reason to assume that the Australian situation is any better. There are no mandatory data breach notification laws in Australia, and the Australian Privacy Commissioner is not forthcoming about the extent or the nature of breaches that come to his attention, not even describing matters in the most anodyne way.

The article provides:

There were 5,600 privacy breaches in the federal government in 2014, affecting almost 44,000 individuals, according to data ministers tabled in the House of Commons on March 23.

According to the 2013 annual report from the privacy commissioner, there were 426 complaints received. This includes all complaints from departments and the public. The 5,600 privacy breaches are all internal departmental investigations, of which only 255 were referred to the Privacy Commissioner’s Office.

NDP MP Charlie Angus (Timmins-James Bay, Ont.) asked a question on the Order Paper regarding data, information, or privacy breaches in government departments, institutions, and agencies.

Each department provided an answer broken down into the following: the total number of breaches, the total number of individuals affected by all breaches, the total number of breaches reported to the Office of the Privacy Commissioner, the total number of individuals affected by breaches reported to the OCP and the total number of breaches known to have led to criminal activity.

According to the 469-page answer to Mr. Angus’ question, there are no breaches that led to criminal activity. Of the 255 reported to the Privacy Commissioner’s Office, 36,884 individuals were affected. The Canada Revenue Agency reported the most number of privacy breaches at 4,121, affecting 5,826 individuals. Thirty of those breaches were reported to the Office of the Privacy Commissioner.

Mr. Angus said in Question Period on Tuesday that Canadians want to be treated with respect and asked Canada Revenue Agency Minister Kerry-Lynne Findlay (Delta-Richmond East, B.C.) about the 4,121 CRA privacy breaches. “Is she planning on getting a handle on these embarrassing privacy breaches that continue to happen under her watch?”

Ms. Findlay responded that the government understands Canadians expect their personal information to be respected. “The CRA has taken concrete measures to strengthen privacy management as recommended by the Privacy Commissioner by implementing a directorate responsible for CRA policy and assessment procedures, a proactive training program to ensure CRA employees are fully informed of their duties to protect the privacy of Canadians and revised security and privacy related processes.”

In a note prefacing the information on privacy breaches released in a sessional paper in the House on March 23, Ms. Findlay said that the CRA is one of the largest departments in Canada, employing 40,000 people.

“The CRA takes the integrity and the protection of taxpayers’ information very seriously. The confidence and trust that individuals and businesses have in the CRA is a cornerstone of Canada’s tax system of voluntary compliance and self-assessment,” she wrote.

Ms. Findlay wrote that 94.7 per cent of the privacy breaches involved misdirected mail; 3.5 per cent was related to the theft, loss or compromise of information and 1.8 per cent represented administrative investigations.

“Misdirected mail incidents refer to information that has been directed or addressed incorrectly via mail, fax, or email. If mail has been opened, this is considered a security incident involving a breach of information. Approximately 10 per cent, to 15 per cent, of misdirected mail can be attributed to taxpayer error,” Ms. Findlay said in the note.

The CRA also states that 41 per cent of those identified were individual privacy breaches.

“For example, this includes cases where the information breach related to an organization or a business; where the information breach did not put the privacy of an individual at risk (e.g.: information was available publicly); or where a letter, which does not include any personal information, was sent to the wrong individual.”

The second highest number of breaches was made at Employment and Social Development Canada. According to the response in the sessional paper from Conservative MP Scott Armstrong (Cumberland-Colchester-Musquodoboit Valley, N.S.), Parliamentary secretary to the minister, there were 559 privacy breaches, affecting 5,826 individuals. Of those, three were reported to the Privacy Commissioner’s Office. Mr. Armstrong wrote that ESDC is responsible for more than 70 programs delivered to Canadians.

“As of Dec. 31, 2014, a total of 149 million payments for Employment Insurance, the Canadian Pension Plan and Old Age Security were made to Canadians, representing $95.8-billion in benefits. ESDC interacts daily with Canadian citizens through Service Canada’s national multi-channel network. In 2014-2015, Service Canada provided service to 4.5 million visitors at more than 572 points of service, 1.36 million callers to its call centre network and some 57.57 million visitors to,” Mr. Armstrong wrote.

“The delivery of many of the department’s programs requires that Canadians provide their personal information so that they may receive the benefits and services for which they are eligible. Through vigorous process, ESDC protected the personal information of over 99.99 per cent of citizen clients who interacted with the department,” stated Mr. Armstrong.

ESDC took measures in 2012 to strengthen security, Mr. Armstrong said. For instance, unapproved USB keys are not allowed to be used on ESDC’s network and “approved encrypted USBs are now centrally managed and distributed.”

In addition, “risk assessments have been conducted regarding portable security devices used in the department’s work environment to ensure that appropriate safeguards are in place. These assessments will continue on a regular, ongoing basis. New data loss prevention software technology is being implemented which will be configured to control or prevent the transfer of sensitive information.”

Citizenship and Immigration had the third highest number of privacy breaches. In 2014, there were 357 breaches in which 777 individuals were affected. Eighty-eight of those were reported to the Office of the Privacy Commissioner.

Immigration Minister Chris Alexander (Ajax-Pickering, Ont.) wrote in his response: “Most of CIC’s breaches are considered ‘low risk/impact’ (for example, misdirected mail or email) and are dealt with internally. OPC is notified when serious breaches occur. CIC assesses the risk of privacy breaches by applying criteria provided by the Treasury Board Secretariat in conjunction with the OPC.”

Twenty-five departments and agencies found no privacy, data or information breaches.

In the case of the Canadian Security Intelligence Service, however, no information was given “for reasons of national security.”

Public Safety Minister Steven Blaney (Lévis-Bellechasse, Que.) wrote in his response in the sessional paper to Mr. Angus that, “CSIS does not disclose information related to data, information or privacy breaches. That said, all the activities undertaken by CSIS are mandated by the CSIS Act and consistent with Canadian law, including the Privacy Act and the Charter of Rights and Freedoms.”

Mr. Blaney said that there are “robust internal security policies and procedures” in place to protect classified information and assets.

“This includes having controls in place for the removal, transportation and storage of classified information and controls to prevent unauthorized access to this information. In addition, CSIS provides security awareness training to its employees to ensure they are aware of security policies, procedures and or other security measures and are accountable for their role in implementing them. It should be noted that CSIS, like other government departments and agencies, is subject to the scrutiny of the privacy commissioner.”

At National Defence, there were 11 breaches that affected 30,642 individuals, of which one was reported to the Privacy Commissioner’s Office, which affected 30,632 people. This large breach “involved basic information about CAF members” which was “low risk,” but personal.

The information breached were names, employee ID numbers and payments made by members to various charitable organizations, military messes, insurance companies, and financial service companies, wrote Conservative MP James Bezan (Selkirk-Interlake, Man.), Parliamentary secretary to the National Defence minister. This information was accessible to the public between April and October 2014.

“The information that became accessible is not generally considered sensitive information but was information that was not intended to be publicly accessible nonetheless,” Mr. Bezan said. “It was made accessible through what are called bulk pay allotment reports. These reports did not include individual or personal pay amounts and at no time was any personal banking information accessible or available. There is no evidence that any of the information has been improperly used in any way.”

Mr. Bezan explained also that the employee ID numbers included in the report are “unusable to anyone outside” DND.

When the breach was discovered, Mr. Bezan said in his response, the department “sent notifications of the breach to units and instructed them to inform their members. After a thorough investigation, it was determined that only 99 of the 30,632 had information disclosed that warranted further attention. As a precaution, these individuals were contacted and offered anti-fraud protection services.”

Mr. Bezan said DND “is confident that the issue has been resolved” but also noted that the Privacy Commissioner’s Office is also conducting its own investigation into the matter.

At the Communications and Security Establishment, there were 21 breaches in which 164 individuals were affected and one was reported to the Privacy Commissioner’s Office. That one reported to OPC affected 146 people.

“All of the breaches were administrative in nature and did not relate in any way to CSE’s foreign intelligence and cyber defence operations,” Mr. Bezan said.

The breaches involved unauthorized access of personnel files. “In the course of upgrading CSE’s personnel security case management system, some personal information related to the screening of prospective and current CSE employees became accessible to unauthorized CSE personnel. Once discovered, the affected files were immediately secured,” Mr. Bezan wrote.

Of the 146 people affected by the personnel breach, five cases were deemed a “material” breach. “Four are CSE employees and one is a member of the public. Several existing safeguards mitigated the risk of the information being disclosed outside of the organization,” Mr. Bezan wrote in his response. “As a result of this breach, CSE, in addition to other administrative steps has made appropriate system level changes to CSE’s corporate files holding personal information, had managers review access permissions and promulgated an internal privacy breach policy.”

The CSE did not provide a response for breaches of data and operation information because of “the risk of injury and national security.”
