Income tax preparation company mails personal information to wrong clients

PIPEDA Case Summary #2006-337

(Principles 4.3, 4.7)

Our Office initiated a complaint after learning that an income tax preparation company had mailed Notices of Assessment (NOAs) to the wrong clients.  The company acknowledged that, due to a data processing error, personal information, such as names, addresses, SINs and financial data, was disclosed improperly.

Following this incident, the company took action to correct the problem, notify the individuals concerned, and implement additional quality assurance measures to prevent a recurrence.  The Assistant Privacy Commissioner concluded that the complaint was well-founded and resolved.

The following is an overview of the details of the investigation and findings.

Summary of Investigation

Our Office learned that an income tax preparation company had mailed NOAs to the wrong clients.  A Commissioner-initiated complaint was therefore opened.

The company confirmed that, due to a data processing error, some NOAs were sent to the wrong clients.  This resulted in the disclosure of names, addresses, SINs and financial information.  NOAs are mailed with a Schedule 2 or “RC72 Notice of the Actual Amount of the Refund of Tax” document.  This document contains some of the personal information from an NOA, specifically, name, address, SIN and tax refund amount.

The firm provided this Office with a detailed description of the incident, including background on how NOAs are issued, a chronology of the incident, and a description of corrective action taken.  The company contracts a third party to collate client information, such as company-generated documentation, with NOAs produced by the Canada Revenue Agency.  As part of the collating process, the third party creates and prints an RC72 document.  The RC72 is then sent together with the NOA to the client.

A data processing error caused client data to be mismatched.  Three categories of mismatching occurred:

  1. Clients received their own NOA and RC72 as well as an NOA and RC72 belonging to someone else but with their own address on the RC72;
  2. Clients received only someone else’s NOA and RC72 but addressed to the correct recipient;
  3. Two groups of NOAs and RC72s were mailed with the same name and address but different SINs.  (This situation affected related individuals at the same address.)

The corrective action taken by the company included:

  • Notifying affected clients in writing;
  • Engaging a credit bureau to notify credit grantors of the incident and provide fraud-detection database-monitoring services to the affected clients; and
  • Programming changes to the data-matching process so that all data will be automatically cross-checked for mismatches.

Findings

Issued June 9, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.  Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

In making her determinations, the Assistant Commissioner deliberated as follows:

  • The income tax preparation company did not dispute that it had mailed NOAs to the wrong clients, as a result of a data processing error.  As a consequence, the personal information of some of its clients was released without their knowledge or consent, in contravention of Principle 4.3.
  • The company’s security safeguards were obviously not effective, thus contravening Principle 4.7.
  • Appropriate corrective actions were taken by the company to mitigate the effects of the release of information and to decrease the possibility of a recurrence.

Accordingly, she concluded that the complaint was well-founded and resolved.
