Audit of CRA seeks improved safeguards for taxpayer data
OTTAWA, Oct. 29, 2013 /CNW/ - Tabled today in Parliament, the 2012-13
annual report on the Privacy Act is marked by record highs in complaints by Canadians and in reported
data breaches by federal organizations. Privacy Commissioner Jennifer
Stoddart's final report before the end of her mandate provides details
on investigation findings and privacy trends across federal departments
and agencies, and also includes the conclusion of an audit into the
privacy practices of the Canada Revenue Agency (CRA).
Recommendations to improve CRA's protection of Canadians' personal
Following numerous reports of privacy breaches involving employees
inappropriately accessing taxpayer information in recent years, the
Office of the Privacy Commissioner of Canada selected the CRA for an
audit under Section 37 of the Privacy Act.
The audit found weaknesses in key privacy and security practices that
led to taxpayer information not being protected as it should, with
thousands of files being accessed inappropriately for years without
Our Office made 13 audit recommendations to the CRA on a number of
matters including privacy breach reporting, monitoring of employee
access rights, threat and risk assessments for IT systems and ensuring
that Privacy Impact Assessments are completed for new programs
involving changes to the management of personal information. The
Agency has fully agreed with our recommendations, and has shared a plan
outlining its corrective actions
"Canadians deserve to have their personal information protected,
particularly when they provide it to the government under legal
compulsion," said Commissioner Stoddart. "CRA collects and retains
sensitive, personal, financial data of Canadians. By meeting our
recommendations, the Agency can move forward in maintaining Canadians'
confidence in the tax system. Our Office will follow-up within two
years to ensure they are fulfilled."
Record highs reached in complaints and reported data breaches
For the second year in a row, new all-time highs were set for both
privacy complaints about federal organizations submitted by Canadians
and data breaches reported by departments and agencies to our Office.
From April 2012 to March 31, 2013, our Office received 2,273 such
complaints, up from 986 over the same period a year before. Much of
this increase owes to the 1,159 total complaints generated by two
highly publicized data breaches involving Employment and Social
Development Canada (formerly known as Human Resources Development
Canada) and Justice Canada. The full total number minus these
complaints however would still stand at a record annual high of 1,114.
The number of data breaches reported to our Office by federal
institutions rose to 109 from 80 during the same period a year before,
marking an increase of over 36 per cent. Given data breach reporting
within the federal government is voluntary, it's unclear whether this
statistic represents an actual increase in breaches or more diligent
reporting by departments.
"While it would be somewhat encouraging if the upward trend in reported
data breaches could indeed be attributed to more diligent reporting,
this may understandably serve as cold comfort to Canadians," said the
Commissioner. "Even if this were the case, Canadians would be
justified in demanding that institutions focus greater efforts on
taking greater precautions up front and avoiding breaches in the first
Focusing on border security initiatives
This year's annual report also offers details on investigations
concluded in the past fiscal year into privacy practices of
Correctional Services Canada and the Royal Canadian Mounted Police. It
also offers details on Privacy Impact Assessments prepared for
initiatives under the Beyond the Border Action Plan.
It includes concerns raised by our Office regarding:
A proposed 75 year retention period for information collected under the
Canada-U.S. Entry/Exit System; and
A lack of signage informing individuals they are in a "Customs
Controlled Area." These are designated by the Public Safety Minister
and would extend the powers of CBSA officers to detain, question, and
search any individual into areas typically associated with border
crossings, such as departure lounges or shipping terminals.
"Perimeter security is and will remain an important priority for the
government," added Commissioner Stoddart. "Our Office has joined with
our provincial and territorial colleagues in raising the need to ensure
that the standards and values behind our privacy laws are not
diminished. As the initiatives affecting Canadians continue to evolve,
our Office led by my successor will continue to give this the attention
it deserves from a privacy standpoint."
The full annual report and audit of CRA are available at www.priv.gc.ca. The Privacy Commissioner of Canada is mandated by Parliament to act as
an ombudsman and guardian of privacy in Canada.
SOURCE: Office of the Privacy Commissioner of Canada
For further information:
For more information (media only), please contact:
Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via email.