Yesterday, the CBC reported on their website (http://www.cbc.ca/news/politics/canada-revenue-agency-privacy-breach-leaks-prominent-canadians-tax-details-1.2849336?cmp=rss) that it had obtained a copy of a CRA spreadsheet listing donations of manuscripts, photographs and fine art to Canadian galleries and museums, and the associated claims for tax credits. The spreadsheet included personal information, such as the names and home addresses of the individuals, many of whom are very well known people. According to the CBC, the spreadsheet was inadvertently provided, in unredacted form, as part of an access to information request.
This is just the latest in a string of recent information management errors by the CRA and other federal government agencies. In the past eight months, the government has reported 168 incidences where private information was accessed without authorization or inadvertently provided. Privacy breaches by the CRA accounted for 22 of these (averaging almost three per month).
Although the latest breach appears to be due to a mistake on the part of one or more CRA employees, it highlights a lack of sufficient information governance controls. Had this document been classified as containing personal information, and had proper information governance rules been set up with respect to access to information request, this document would have automatically been flagged for additional attention, reducing the possibility of a person incorrectly identifying and producing it.
Information governance is not just a fancy term for records management. It encompasses many aspects, including identifying those records that contain personal data. Every organization, private and public, can benefit from implementing an information governance plan.