Privacy Commissioner’s final report calls for greater care in government handling Canadians’ personal information
Audit of CRA seeks improved safeguards for taxpayer data
OTTAWA, October 29, 2013 — Tabled today in Parliament, the 2012-13 annual report on the Privacy Act is marked by record highs in complaints by Canadians and in reported data breaches by federal organizations. Privacy Commissioner Jennifer Stoddart’s final report before the end of her mandate provides details on investigation findings and privacy trends across federal departments and agencies, and also includes the conclusion of an audit into the privacy practices of the Canada Revenue Agency (CRA).
Recommendations to improve CRA’s protection of Canadians’ personal information
Following numerous reports of privacy breaches involving employees inappropriately accessing taxpayer information in recent years, the Office of the Privacy Commissioner of Canada selected the CRA for an audit under Section 37 of the Privacy Act.
The audit found weaknesses in key privacy and security practices that led to taxpayer information not being protected as it should, with thousands of files being accessed inappropriately for years without detection.
Our Office made 13 audit recommendations to the CRA on a number of matters including privacy breach reporting, monitoring of employee access rights, threat and risk assessments for IT systems and ensuring that Privacy Impact Assessments are completed for new programs involving changes to the management of personal information. The Agency has fully agreed with our recommendations, and has shared a plan outlining its corrective actions
“Canadians deserve to have their personal information protected, particularly when they provide it to the government under legal compulsion,” said Commissioner Stoddart. “CRA collects and retains sensitive, personal, financial data of Canadians. By meeting our recommendations, the Agency can move forward in maintaining Canadians’ confidence in the tax system. Our Office will follow-up within two years to ensure they are fulfilled.”
Record highs reached in complaints and reported data breaches
For the second year in a row, new all-time highs were set for both privacy complaints about federal organizations submitted by Canadians and data breaches reported by departments and agencies to our Office.
From April 2012 to March 31, 2013, our Office received 2,273 such complaints, up from 986 over the same period a year before. Much of this increase owes to the 1,159 total complaints generated by two highly publicized data breaches involving Employment and Social Development Canada (formerly known as Human Resources Development Canada) and Justice Canada. The full total number minus these complaints however would still stand at a record annual high of 1,114.
The number of data breaches reported to our Office by federal institutions rose to 109 from 80 during the same period a year before, marking an increase of over 36 per cent. Given data breach reporting within the federal government is voluntary, it’s unclear whether this statistic represents an actual increase in breaches or more diligent reporting by departments.
“While it would be somewhat encouraging if the upward trend in reported data breaches could indeed be attributed to more diligent reporting, this may understandably serve as cold comfort to Canadians,” said the Commissioner. “Even if this were the case, Canadians would be justified in demanding that institutions focus greater efforts on taking greater precautions up front and avoiding breaches in the first place.”
Focusing on border security initiatives
This year’s annual report also offers details on investigations concluded in the past fiscal year into privacy practices of Correctional Services Canada and the Royal Canadian Mounted Police. It also offers details on Privacy Impact Assessments prepared for initiatives under the Beyond the Border Action Plan.
It includes concerns raised by our Office regarding:
- A proposed 75 year retention period for information collected under the Canada-U.S. Entry/Exit System; and
- A lack of signage informing individuals they are in a “Customs Controlled Area.” These are designated by the Public Safety Minister and would extend the powers of CBSA officers to detain, question, and search any individual into areas typically associated with border crossings, such as departure lounges or shipping terminals.
“Perimeter security is and will remain an important priority for the government,” added Commissioner Stoddart. “Our Office has joined with our provincial and territorial colleagues in raising the need to ensure that the standards and values behind our privacy laws are not diminished. As the initiatives affecting Canadians continue to evolve, our Office led by my successor will continue to give this the attention it deserves from a privacy standpoint.”
The full annual report and audit of CRA are available at www.priv.gc.ca. The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.
- 30 -
For more information (media only), please contact:
Office of the Privacy Commissioner of Canada
NOTE: Journalists are asked to please send requests for interviews or further information via email.