CRA spends millions but fails to stop tax workers from snooping on Canadians, documents show

Canada Revenue Agency workers continue to snoop on the confidential tax files of businesses, acquaintances and others, despite at least $10.5 million spent so far to try to stop them.

CBC News has uncovered nine significant cases reported since Jan. 1in which tax workers improperly poked around the government's electronic records to extract sensitive private information about income, deductions, benefits, payments and employment.

It's a long-term, chronic problem at the agency, exposed in 2009 and again in 2013 by Canada's privacy commissioner, who was assured that managers were taking tough action to prevent the breaches.

But more than three years later, confidential tax files are still susceptible to nosy workers armed with passwords and CRA-supplied computers.

On Feb. 18, for example, the agency reported that a "CRA employee made unauthorized access to the accounts of 90 acquaintances and family members, 1 business and his/her own account."

In another breach reported on Feb. 22, an employee improperly accessed the accounts of 227 businesses and individuals.

CBC News obtained records detailing the latest crop of privacy breaches, altogether affecting about 500 Canadians, under the Access to Information Act.

Deliberate snooping

Federal government departments are responsible for hundreds of significant privacy breaches each year, but most are inadvertent, such as mailsent with the wrong addressor misplaced memory sticks.

Most cases at CRA, on the other hand, are the result of deliberate snooping by employees.

The agency has spent $10.5 million since 2013 to make its computers more secure against its own workers, and more money is earmarked for next year to comply with recommendations from the federal privacy office, including enhancing system controls so employees can only access information they need to do their jobs.

The agency reports that it has made several important improvements to its management of personal information.- Privacy Commissioner DanielTherrien's 2016 report

Privacy Commissioner Daniel Therrien's latest annual report, delivered in September, said his office was assured that CRA has implemented almost all the safeguards recommended in the 2013 audit.

"The agency reports that it has made several important improvements to its management of personal information including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks," he wrote.

CRA hasbeen voluntarily reporting breaches since at least 2011. SinceMay 2014, federal government policy has required all departments and agencies to report material breaches to both the privacy commissioner and to the Treasury Board Secretariat.

The government defines "material" breaches as "those that involve sensitive personal information and could reasonably be expected to cause injury or harm to the individual."

The numberof breaches rose from seven in 2011to 30 in 2015, butexperts saythat'slikely the result of greater vigilance in spotting rogue employees rather than more snooping. The total for 2016 is not yet available, but CRA says it's down from last year.

• Spy agency data breaches linked to departure of CRA employee

CRA manages one of the biggest confidential databases in Canada, and about two-thirds of some 40,000 workers have electronic access. The agency is the fourth worst offender for materialprivacy breaches among some 240 federal institutions that are subject to the Privacy Act, behind only Veterans Affairs Canada, Immigration, and Corrections Canada.

The agency typically notifies taxpayers whenever their information has been compromised, though this year's victims includedseveral deceased Canadians.

CRA says it has fired eight of the nine workers caught so far this year.

"CRA systems are strong, tight controls are in place, and we continue to assess and improve our controls on an ongoing basis," spokeswoman Lisa Damien said in an email.

High-profile cases

CRA has seen at least three other high-profile privacy controversiesin the past three years.

In April 2014, a hacker managed to exploit the so-called Heartbleed computer vulnerability to access about 900 social insurance numbers.

A mailroom mix-up at CRA later that year sent a CD full of confidential taxpayer information to CBC News.

And earlier this year, a federal oversight body reported CRA had been turning over confidential taxpayer information to the Canadian Security Intelligence Service, even though the spy agency had not first secured the necessary court warrant.

• Thousands of classified or protected federal documents mishandled

Follow @DeanBeeby on Twitter