The confidential tax files of almost 2,700 Canadians are missing after a Canada Revenue Agency worker took them home and let a friend download them onto a laptop.
The laptop has disappeared, the agency is scrambling to rewrite its security protocols and the privacy commissioner is asking why no one alerted her to the breach in confidentiality.
"Our office was not informed about this incident," said Anne-Marie Hayden, spokeswoman for Jennifer Stoddart, privacy commissioner of Canada. "We will be following up with CRA for further information on the issue."
The investigation report, along with related documents, was obtained by The Canadian Press under the Access to Information Act.
The major breach occurred in early 2006, when an auditor in the agency's Toronto office asked a government computer technician to download 37,488 of her e-mails and 776 documents onto 16 CDs. The confidential material covered the years 2000 to 2006, and was not encrypted as required by agency rules.
The woman took the CDs home, and allowed a male friend to copy at least one of them to a laptop.
The breach only came to light when the woman produced the CDs during a grievance hearing before the Public Service Labour Relations Board in 2008. She wanted the panel to read a key 2005 e-mail on one of the CDs, in support of her grievance that the CRA had not accommodated her health problems.
"She was upfront at the hearing that the CDs contained taxpayer information and advised [CRA senior official]Tracey O'Brien to safeguard the information," says an internal report into the privacy breach. "This caused a disruption in the hearing."
The woman employee, who suffers from fibromyalgia which causes chronic body pain, eventually won her grievance and was awarded $6,000 for pain and suffering. Two of her supervisors were required to take training in how to accommodate workers with disabilities.
But the privacy breach uncovered at the hearing triggered a wide-ranging internal probe into why the confidential material was poorly safeguarded — and whether it could be retrieved. The woman was sent a letter in early 2009, asking her to produce the friend's laptop.
"He [the friend]told her that he would not provide the laptop and was uncooperative," says the investigation report.
The agency eventually recovered the 16 CDs from the employee, but still has not recovered the laptop.
"The laptop was the property of a private company and was no longer available at the time of the administrative investigation," CRA spokesman Philippe Brideau said when asked about the incident.
"However, the facts gathered during the investigation determined reasonable grounds to believe that the information copied to the laptop had been erased in such a way that an average user could not access through a normal operating system."
Mr. Brideau confirmed the agency's policy requires that personal information copied onto CDs or any other removable storage device must be encrypted, but there was a "gap in awareness training and procedures."
He said CRA is currently drafting a guideline to prevent further breaches in confidentiality.
The internal probe found at least 2,660 instances of confidential taxpayer information on the single CD that the employee said she had given to her friend to download. All 16 CDs contained much more confidential information, but the investigation did not indicate how many more taxpayers were involved.
The heavily censored report notes, however, that "a limited number of taxpayer accounts was reviewed. At that point, there did not appear to be any income tax implications such as requested adjustments or unusual refunds."
Treasury Board policy "strongly" recommends that institutions inform the privacy commissioner soon after learning of any breach if it "involves sensitive personal data such as financial… information." The CRA probe determined that the CDs contained exactly such financial information.
But Mr. Brideau said the incident was judged to be "low risk," and the decision taken not to inform the privacy commissioner.
He added that he could not comment on any sanctions taken against the offending employee because of privacy rules.
"All CRA employees are subject to a strict code of ethics and conduct," he said. "The CRA takes all allegations concerning the conduct of its employees very seriously and takes immediate action to have all allegations investigated."
"Any employee who violates this code may face disciplinary action up to and including termination of employment."
The laptop incident is among dozens in which tax agency workers have breached security rules, many of them snooping on other Canadians, including ex-spouses, mothers-in-law, creditors and others by reading confidential tax files.