On-line security of taxpayers’ information

A Chartered Accountant challenged the security of the Canada Revenue Agency (CRA)’s on-line system. She complained that the existing system could improperly disclose taxpayers’ information. Individual taxpayers do not have to ask for on-line access—it is available by default. She argued that CRA has put the onus on taxpayers to protect their information. Instead it should require taxpayers wanting on-line service to register, and should then enhance the security requirements.

In October 2003 CRA introduced a program allowing taxpayers to access their 2001 and 2002 tax information via the “My Account” section of CRA’s Web site at www.cra-arc.gc.ca. To gain access, taxpayers have to supply their Social Insurance Number, date of birth, amount of income reported on line 150, and their eight-digit access code from their Notice of Assessment. Taxpayers can block on-line access to their information by getting in touch with CRA’s e-help desk at the toll free number provided.

CRA also protects the information with encryption technology and security procedures. Taxpayers wanting to use the service must first install a secure browser which requires the taxpayer to use a personally assigned password.

The accountant also pointed out that with the exception of the date of birth, all the information required for on-line access is printed on the Notice of Assessment. Since taxpayers are frequently asked to provide the notices as proof of income by lenders, credit card providers, financial advisors and other institutions, anyone with a copy could access the taxpayer’s file. The complainant had no evidence of any unauthorized access.

The OPC concluded that CRA’s security measures are sufficient to protect taxpayers’ information in the system and the complaint was not well-founded. Also the Income Tax Act requires CRA to provide taxpayers with a Notice of Assessment. Once taxpayers receive the notice, the onus is on them to protect the information.

Date modified: