Audit of the Canada Revenue Agency - page 6

• Fulfilling a commitment stretching back to our
2009 audit, the CRA appointed a Chief Privacy
Officer (CPO) on April 3, 2013. However, the role
of the CPO has not been fully defined to ensure
Agency-wide coordination of privacy
accountabilities, responsibilities and activities.
• Privacy Impact Assessments are not always
completed to assess risks prior to the
implementation of program changes affecting
taxpayers’ personal information.
• Threat and Risk Assessments are not
completed for many information technology
systems that process taxpayer information,
which may result in undetected weaknesses.
• The effectiveness of the Agency’s controls to
detect and prevent inappropriate employee
access and use of taxpayer information is limited
by its lack of an automated tool to identify and
flag potentially inappropriate accesses and by
certain gaps in the collection of audit trail
information for CRA computer systems.
• Inappropriate accesses to thousands of
taxpayers’ files have gone undetected over
an extended period of time.
• The Access to Information and Privacy
Directorate is not regularly informed about
privacy breaches involving inappropriate access
to and disclosure of taxpayer information.

Since our last audit report in 2009, the CRA has
made progress to strengthen its privacy and security
policies and procedures, and to communicate its
expectations to employees about the safeguarding
of personal information. Agency plans are also
underway to improve access rights management
and to more closely monitor employee access to
taxpayer information.

The observations and recommendations in this report
are intended to enhance the Agency’s personal
information handling practices—and by extension,
mitigate the risk of unauthorized access, use or
disclosure of taxpayers’ personal information.

The Agency has responded to our audit findings
and its management responses follow each
report recommendation.