Inside Politics

Privacy commissioner not consulted on new online tax system

by Kady O'Malley Posted: January 22, 2013 8:00 PM Last Updated: January 23, 2013 9:32 AM
Recent efforts by the Canada Revenue Agency to streamline the electronic filing process have some would-be online filers worried that the simplified security setup could put them at risk of a particularly pernicious type of identity theft.

In previous years, anyone who wanted to take advantage of the NETFILE process had to register for an access code, which was distributed by mail.

Under the new system, however, that additional step would no longer be required. Instead, users will simply enter their Social Insurance Number and date of birth in order to submit their return.

Those are, of course, two pieces of information that could easily be obtained by a mischief-minded third party -- an aggrieved estranged spouse, for instance, or a former employer -- who could use them to temporarily impersonate an unwitting target just long enough to send in a false return, which would, at the very least, cause no end of inconvenience when the legitimate owner of those numbers attempted to file his or her real return.

According to Canada Revenue Agency spokesperson Philippe Brideau, the changes will have no effect on the integrity of the online filing process.

He assured CBC.ca that the CRA "conducts numerous internal validations ... on each return submitted through NETFILE to confirm the sender's identity and income amounts transmitted."

No "confidential information" is ever revealed to the user, nor can a Netfiler change their address or direct deposit information." 

"[It's] a one way transmission of information."

He also confirmed that the "My Account" service -- which lets users update contact and payment information, as well as view and, if necessary, make changes to returns -- will still require a separate security code, which is delivered via Canada Post.

It does not, however, allow users to file online, which means that those wary of the new protocol may have to go back to doing it the old-fashioned way: printing out a hard copy, sticking it in an envelope and slapping on the correct postage and dropping it in the nearest mailbox. 

That would be a distinctly unfortunate side effect from the point of view of the CRA, which brought in the new system specifically to encourage more people to file online. 

We'll have to wait until later this year to find out how many NETFILE first-timers were won over by the simplified system versus the number who went back to ink-and-paper-based returns out of an abundance of e-caution. 

UPDATE: It sounds like Privacy Commissioner Jennifer Stoddart may have a few security-related questions for the CRA as well.

Earlier this afternoon, OPC communications manager Scott Hutchinson confirned that the agency had not consulted the office before making the change, although they "may soon" be providing them with more information on the new system.

"Although it doesn't appear on the surface that CRA is collecting new information from tax filers that it already hadn't been [collecting] in the past," he noted, the commissioner will still want to know how, exactly, the "security of personal information [is] being upheld" -- and specifically "whether there is the potential for fraudulent filers to access an individual's personal information" under the new system. 

As for the possible risk of filing fake returns, the act itself would constitute a fraud, and, as such, would be handled as a criminal matter, according to Hutchinson. 

"That said, federal organizations are obligated to protect personal information under their control with appropriate safeguards against such actions, which is where our Office could become involved in the event of a complaint under the Privacy Act." 

Here's CBC Ottawa's report on local concerns.

Tags: blackberry jungle, canada revenue agency, computer security