The Canada Revenue Agency ha fired 14 employees and suspended another 18 more employees over the past year for unauthorized access of computer files as the agency responds to criticism that it isn’t doing enough to protect the privacy of Canadians.
News of the disciplinary action comes on the heels of a damning audit report last fall by the federal privacy commissioner. Auditors found managers were unaware that some Canadian Revenue Agency (CRA) employees had been inappropriately accessing records from thousands of taxpayers for years undiscovered.
“I think the numbers do reflect that we take the problem quite seriously and that we do follow through when incidents do occur,” said Susan Gardner-Barclay, the Assistant Commissioner of the CRA, without providing any further details on the CRA employee firings and suspensions.
Eight former CRA officials have been charged in connection to a six-year corruption investigation by the RCMP, which announced the end of the probe in February.
Senior CRA officials were testifying Tuesday as part of a broader study by the Commons committee on Access to Information, Privacy and Ethics into concerns over identity theft. The agency was on the defensive over its approach to data breaches by mail.
The agency confirmed that over 2,983 data breaches took place in 2013 – almost all related to mail going to the wrong location – and that 46 per cent of those cases involved personal information. Yet the CRA acknowledged that the vast majority of taxpayers who have had their information sent to the wrong place are never made aware of the breach. Further, the CRA only told the privacy commissioner about 479 of the breaches.
Ms. Gardner-Barclay said the agency’s decisions on whether or not to inform taxpayers or the privacy commissioner about a breach are based on an internal risk assessment used to determine the seriousness of the release.
The CRA said it reclaims about 95 per cent of mail that was sent to the wrong place, but also acknowledged that it can only measure breaches that have been reported back to the agency, meaning the true numbers could be much higher.
Officials said one of the main causes of data breaches is because automated mail sorters place letters meant for two separate addresses into a single envelope.
“It’s usually a machine error,” said Ms. Gardner-Barcley, explaining that virtually all mail has been automated. “It’s very rare that we would be putting documents in envelopes by hand.”
NDP MP and committee member Charmaine Borg – who has dealt with a constituent who received mail from CRA meant for someone else – said Canadians should be told when their information has been breached.
The NDP had previously asked through a written request in Parliament for data on all breaches going back to 2006, however the CRA said it only began tracking such statistics last year.
“I think it’s very concerning,” she said after the meeting, arguing the CRA should be forced to inform Canadians whenever there is a breach. “As a Canadian, you give your information to the government and you should have faith that the government is going to protect that information. But to not even be aware of when your personal information was breached or put at risk? It’s a problem in my view.”