Privacy regulators slam CRA

October 30, 2013 | Last updated on October 30, 2013
4 min read

More federal organizations are being hit by data breaches.

That was the message Jennifer Stoddart, the Canadian privacy commissioner, stressed in her 2012/2013 annual report on the Privacy Act. The federal government tabled the report yesterday.

Not only are consumers logging more privacy complaints, but more data breaches are also occurring across the country, says the report. The new evidence backs Stoddart’s frequent claims that legislation must be strengthened, and that the Office of the Privacy Commissioner of Canada (OPCC) needs more power to protect people’s information.

Read: Regulators aren’t protecting client data, for more on Canada’s privacy legislation and IIROC’s data loss

Problems at CRA

Many reports of privacy breaches have indicated people are inappropriately accessing taxpayer information. That’s why the OPCC selected the CRA for an audit between 2012 and 2013.

That audit found weaknesses in key privacy and security practices of the CRA. The report says thousands of files were accessed inappropriately for years without detection.

Read: Monitoring digital risks crucial for businesses

Following the audit, the OPCC made 13 recommendations to do with the agency’s privacy breach reporting, monitoring of employee access rights, and threat and risk assessments for IT systems. It also asked the CRA to make sure privacy impact assessments are completed for all new data programs.

The agency accepted the recommendations and plans to correct its mistakes.

Yesterday, Stoddart told the House of Commons, “Canadians deserve to have their personal information protected, particularly when they provide it to the government under legal compulsion. CRA…can move forward in maintaining Canadians’ confidence in the tax system, and our office will follow-up within two years to ensure” this occurs.

More breach numbers

From April 2012 to March 2013, Stoddart’s office received more than 1,400 privacy-specific complaints during 2012 and 2013 (out of a total 2,273 complaints, compared to only 986 in the previous year). These complaints had to do with how companies collected, used or disposed of people’s data.

However, only 196 were resolved through either investigation or formal resolution. In both cases, companies weren’t fined, though they did have to ramp up their data protection policies.

Read: Financial firm data breaches are costly

That means less than 10% of the complaints were resolved. This is a major problem, Stoddart told the House of Commons, since “Canadians are becoming increasingly sensitive about how their government collects and uses their personal information.” They also have “a growing sense…that their ability to protect their personal information is diminishing.”

She adds, a 2012 survey showed seven in 10 “think their personal information has less protection in their daily lives than a decade ago, marking a 10% increase since the same question was asked in 2011. Meanwhile, only 21% [say]…the federal government takes its responsibility to protect citizens’ personal information…seriously.”

Read: Review data security after LinkedIn hack

Further, the report finds people became more concerned about their privacy after Human Resources and Skills Development Canada lost a hard drive containing the data of more than 500,000 former post-secondary students who are connected to Canada Student Loans Program.

“Massive data breaches like the lost hard drive are an example of the privacy vulnerabilities of modern information technology,” says Stoddart. “The rise in such vulnerabilities is one of the four trends that [my] office” finds is impacting consumer confidence .

The number of data breaches reported to the OPCC by federal institutions through 2012 and 2013 rose to 109 from 80 during 2011 and 2012, marking an increase of over 36%. Since data breach reporting is voluntary, it’s unclear whether this statistic represents an actual increase in breaches or rising diligence.

“It would be…encouraging if the upward trend in reported data breaches could indeed be attributed to more diligent reporting, [but] this may understandably serve as cold comfort to Canadians,” says Stoddart.

Read: Is your private financial data secure?

This report is Stoddart’s last before the end of her 10-year run as privacy commissioner this December. The document details current privacy trends; deficiencies discovered during an audit of CRA’s data policies; and OPCC’s future priorities.

During her speech yesterday, Stoddart said the office has joined with provincial and territorial colleagues to “ensure the standards and values behind [Canada’s] privacy laws aren’t diminished. As the initiatives affecting [consumers] continue to evolve, [the OPCC] led by my successor will continue to” take steps to protect people.

For more on privacy issues and how laws affect your firm, check out the upcoming November issue of Advisor’s Edge Report. Also, check out November’s Advisor’s Edge for tips on how to safeguard clients’ data.


FINTRAC has too much personal data, audit reveals

What’s your personal data worth?

Secure your data

Social media offer free client info