Audit of the Canada Revenue Agency - page 5

Main Points
The Canada Revenue Agency (CRA or the Agency)
administers tax laws and various benefit programs for
the Government of Canada and several provinces and
territories. This requires the collection and use of
taxpayer information. We looked at how this
information is managed, with a particular focus on how the
Agency assigns and monitors access to taxpayer
information by its employees.
Our audit examination was conducted between
July 13, 2012 and March 31, 2013. During the audit
we reviewed the way that the Agency assigns privacy
responsibilities, manages privacy risks and ensures
compliance with the Privacy Act. We examined the
Agency’s personal information management policies
and procedures, training materials, privacy impact
assessments, breach investigations, internal audits
and security reviews. We also reviewed information
technology security, access to electronic systems and
the monitoring of employees who access taxpayer
information on a daily basis. Finally, we interviewed
numerous officials at the Agency’s headquarters and
in its four largest regions—Ontario, Pacific, Prairies
and Quebec.
The Agency collects income taxes and delivers
benefits to more than 27 million Canadian taxpayers
and has one of the largest personal information
record holdings in Canada. In addition, taxpayer files
contain highly sensitive financial, health, employment,
family and identifying information.
Taxpayer information is the cornerstone of the
administration of the CRA’s tax related programs
and services. The Agency is dependent on Canadians’
personal information to collect taxes necessary to pay
for public programs and services.
The CRA operates within a voluntary compliance
regime when collecting taxes. More than 91 per cent
of Canadians filed their income tax returns and 94 per
cent paid amounts due on time last year. At the same
time, taxpayers expect the Agency and its officials to
be vigilant in ensuring that all necessary steps are
taken to protect their personal information from
inappropriate access, use or disclosure.
Over the past number of years our office has been
informed about privacy breaches involving the
inappropriate access to taxpayer information at the
Agency. We were made aware of these breaches by
Agency officials, complainants or through the media.
Privacy breaches could potentially have a serious
impact on the individuals affected in the form of
identity theft and fraud, financial hardship and/or
personal embarrassment. Privacy breaches could also
tarnish the Agency’s reputation as a trusted custodian
of Canadians’ sensitive personal information.
The CRA has a culture of security and confidentiality
through its integrity framework, policies, training and
awareness and other initiatives. Marked weaknesses
exist however in the implementation and monitoring
of some of its key privacy and security policies and
practices. These weaknesses impair CRA’s ability to
ensure that taxpayer information is as secure as it
can be from inappropriate internal access, use or
disclosure. Most notably,