CRA on the Privacy Commissioner’s Radar for Privacy Breaches

According to CBC news, the Canada Revenue Agency (“CRA”) is apologizing, and the Privacy Commissioner of Canada is investigating, after a recent privacy breach involving the confidential records of taxpayers. Apparently, it is not the CRA’s first.

Danielle Baxter of Langley B.C., wrote to the CRA to request information she needed to complete a return for her deceased child. The information she received mistakenly included a variety of cover letters and confidential taxpayer information. After numerous attempts to return the information, including a personal visit to her local tax office, she was turned away. The only remedies she was offered were to leave the documents in a drop box (she felt that was inadequate) or to request a special CRA envelope by mail, an option which would have taken ten days.

Staff at the local tax office refused to accept the confidential information from Ms. Baxter, so she returned home and contacted Go Public at the CBC. The CBC contacted the taxpayers whose information had been included in the package and the CRA, who then sent an employee to collect the information from Ms. Baxter.

The Privacy Commissioner is now investigating this matter. According to the CBC article published on June 3, the “CRA was already on [Jennifer Stoddart’s] radar for too many privacy breaches.”

“It happens far too often,” she said. “We have had quite a few data breaches with the CRA. And we have had enough data incidents, I’d say, enough incidents of mishandling of Canadian’s personal information, that I asked the CRA be audited…we’ll be reporting on that in my next annual report.”

This is another example of how policies, process and good information governance can minimize or eliminate such privacy breaches. At a minimum, they would have set out an appropriate process to rectify the situation such that Ms. Baxter would not have had to resort to the CBC for a suitable remedy.

For more information on this story, see the June 3, 2013 CBC article by Kathy Tomlinson:

​(http://www.cbc.ca/thenational/indepthanalysis/gopublic/story/2013/05/31/bc-craprivacybreach.html).