NDP MP Charmaine Borg says Canadians should be notified when their personal information has been shared inappropriately.CHRIS WATTIE/Reuters
The Canada Revenue Agency has fired 14 employees and suspended another 18 over the past year for unauthorized access of computer files as the agency responds to criticism that it isn't doing enough to protect the privacy of Canadians.
News of the disciplinary action comes on the heels of a damning audit report last fall by the federal privacy commissioner. Auditors found managers were unaware that some CRA employees had been inappropriately accessing records from thousands of taxpayers for years.
Susan Gardner-Barclay, the Assistant Commissioner of the CRA, told a Commons committee Tuesday that the firings show the agency is tackling the problem.
"I think the numbers do reflect that we take the problem quite seriously and that we do follow through when incidents do occur," she said, without providing further detail on the firings and suspensions.
The CRA media team could not immediately answer follow-up questions from the Globe as to how many employees were fired or suspended for other reasons. Eight former CRA officials have been charged in connection to a six-year corruption investigation by the RCMP, which announced the end of the probe in February.
Senior CRA officials were testifying Tuesday as part of a broader study by the Commons committee on Access to Information, Privacy and Ethics into concerns over identity theft. The agency was on the defensive over its approach to data breaches by mail.
The agency confirmed that over 2,983 data breaches took place in 2013 – almost all related to mail going to the wrong location – and that 46 per cent of those cases involved personal information. Yet the CRA acknowledged that the vast majority of taxpayers who have had their information sent to the wrong place are never made aware of the breach. Further, the CRA only told the privacy commissioner about 479 of the breaches.
Ms. Gardner-Barclay said the agency's decisions on whether or not to inform taxpayers or the privacy commissioner about a breach are based on an internal risk assessment used to determine the seriousness of the release.
The CRA said it reclaims about 95 per cent of mail that was sent to the wrong place, but also acknowledged that it can only measure breaches that have been reported back to the agency, meaning the true numbers could be much higher.
Officials said one of the main causes of data breaches is because automated mail sorters place letters meant for two separate addresses into a single envelope.
"It's usually a machine error," said Ms. Gardner-Barcley, explaining that virtually all mail has been automated. "It's very rare that we would be putting documents in envelopes by hand."
NDP MP and committee member Charmaine Borg – who has dealt with a constituent who received mail from CRA meant for someone else – said Canadians should be told when their information has been breached.
The NDP had previously asked through a written request in Parliament for data on all breaches going back to 2006, however the CRA said it only began tracking such statistics last year.
"I think it's very concerning," she said after the meeting, arguing the CRA should be forced to inform Canadians whenever there is a breach. "As a Canadian, you give your information to the government and you should have faith that the government is going to protect that information. But to not even be aware of when your personal information was breached or put at risk? It's a problem in my view."
Follow me on Twitter: @curryb
Bill Curry