Politics

CRA spends millions but fails to stop tax workers from snooping on Canadians, documents show

$10.5 million spent to prevent tax-file snooping, but at least nine workers caught breaching privacy in 2016

Canada Revenue Agency

Records obtained under access to information show at least nine Canada Revenue Agency workers breached the privacy of about 500 Canadians so far this year. (Sean Kilpatrick/Canadian Press)

 shares

 

Canada Revenue Agency workers continue to snoop on the confidential tax files of businesses, acquaintances and others, despite at least $10.5 million spent so far to try to stop them.

CBC News has uncovered nine significant cases reported since Jan. 1 in which tax workers improperly poked around the government's electronic records to extract sensitive private information about income, deductions, benefits, payments and employment.

It's a long-term, chronic problem at the agency, exposed in 2009 and again in 2013 by Canada's privacy commissioner, who was assured that managers were taking tough action to prevent the breaches.

But more than three years later, confidential tax files are still susceptible to nosy workers armed with passwords and CRA-supplied computers.

On Feb. 18, for example, the agency reported that a "CRA employee made unauthorized access to the accounts of 90 acquaintances and family members, 1 business and his/her own account."

In another breach reported on Feb. 22, an employee improperly accessed the accounts of 227 businesses and individuals.

CBC News obtained records detailing the latest crop of privacy breaches, altogether affecting about 500 Canadians, under the Access to Information Act.

Deliberate snooping

Federal government departments are responsible for hundreds of significant privacy breaches each year, but most are inadvertent, such as mail sent with the wrong address or misplaced memory sticks.

Most cases at CRA, on the other hand, are the result of deliberate snooping by employees.

The agency has spent $10.5 million since 2013 to make its computers more secure against its own workers, and more money is earmarked for next year to comply with recommendations from the federal privacy office, including enhancing system controls so employees can only access information they need to do their jobs. 

'The agency reports that it has made several important improvements to its management of personal information.' - Privacy Commissioner Daniel Therrien's 2016 report

Privacy Commissioner Daniel Therrien's latest annual report, delivered in September, said his office was assured that CRA has implemented almost all the safeguards recommended in the 2013 audit.

"The agency reports that it has made several important improvements to its management of personal information including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks," he wrote.

CRA has been voluntarily reporting breaches since at least 2011. Since May 2014, federal government policy has required all departments and agencies to report material breaches to both the privacy commissioner and to the Treasury Board Secretariat.

The government defines "material" breaches as "those that involve sensitive personal information and could reasonably be expected to cause injury or harm to the individual."

Racial Profiling 20160107

Privacy Commissioner Daniel Therrien was told CRA has taken action to stop workers from improperly snooping on Canadians' confidential tax files, but new documents show the breaches have continued. (Adrian Wyld/Canadian Press)

The number of breaches rose from seven in 2011 to 30 in 2015, but experts say that's likely the result of greater vigilance in spotting rogue employees rather than more snooping. The total for 2016 is not yet available, but CRA says it's down from last year.

CRA manages one of the biggest confidential databases in Canada, and about two-thirds of some 40,000 workers have electronic access. The agency is the fourth worst offender for material privacy breaches among some 240 federal institutions that are subject to the Privacy Act, behind only Veterans Affairs Canada, Immigration, and Corrections Canada.

The agency typically notifies taxpayers whenever their information has been compromised, though this year's victims included several deceased Canadians.

CRA says it has fired eight of the nine workers caught so far this year.

"CRA systems are strong, tight controls are in place, and we continue to assess and improve our controls on an ongoing basis," spokeswoman Lisa Damien said in an email.

High-profile cases

CRA has seen at least three other high-profile privacy controversies in the past three years.

In April 2014, a hacker managed to exploit the so-called Heartbleed computer vulnerability to access about 900 social insurance numbers.

Heartbleed-new-background

The so-called Heartbleed vulnerability in CRA's computers allowed a hacker to extract the social insurance numbers of some 900 Canadians in 2014.

A mailroom mix-up at CRA later that year sent a CD full of confidential taxpayer information to CBC News.

And earlier this year, a federal oversight body reported CRA had been turning over confidential taxpayer information to the Canadian Security Intelligence Service, even though the spy agency had not first secured the necessary court warrant.

Follow @DeanBeeby on Twitter

The cbc.ca login and signup tools are temporarily unavailable for and will re-open within 24 hours. We're sorry for the inconvenience. If you’re already signed in, you can continue commenting.

More On This Story

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Submission Policy

Note: The CBC does not necessarily endorse any of the views posted. By submitting your comments, you acknowledge that CBC has the right to reproduce, broadcast and publicize those comments or any part thereof in any manner whatsoever. Please note that comments are moderated and published according to our submission guidelines.