Tax workers continue to peek at forbidden files: internal reports

Canada Revenue Agency workers continue to poke into the confidential tax files of friends and foes, despite assurances to Canada's privacy commissioner that the chronic problem of unauthorized access is being fixed.

The 34 significant privacy breaches reported by the CRA to the commissioner in 2014 show all but two were deliberately committed by the agency's own employees and the files indicate no worker was fired or reported to police.

• How safe is your data withthe CRA?
• 5 security lapses at the CRA

The annual number of official breach reports has climbed dramatically, to 34 last year from just seven in 2011, even though the agency promised to clean up its act after a critical 2012 audit by the privacy commissioner.

Under the Access to Information Act, CBC News obtained detailed reports of every "material" 2014 breach, a package the agency released after eight months, in violation of deadlines set by the act.

"A CRA employee made unauthorized accesses to the accounts of nine individuals," says a March 26, 2014, report, referring to an incident in southern Alberta. "The employee made changes to five of the nine accounts accessed. Media attention is possible, since any of the nine individuals could contact the media."

The entry says "disciplinary measures were invoked" and that "law enforcement will not be notified," standard wording for almost every 2014 incident.

One reported breach in 2014 did not involve a deliberate act by an employee. That was the release to CBC News in November of a file with confidential information about 1,014taxpayers, many of them well-known names such as Margaret Atwood.

Mailroom mix-up

In that case, a mailroom mix-up delivered a confidential compact disc to CBC's Ottawa bureau, a CRA investigation later determined.

Another breach came from a hacker who exploited the so-called Heartbleed computer bug in April 2014, accessing about 900 social insurance numbers.

As of May 6, 2014, all federal institutions have been required to report "material" privacy breaches to the Office of the Privacy Commissioner of Canada, but the Canada Revenue Agency has been voluntarily doing so for several years.

The agency acknowledges there are several thousand minor privacy breaches each year, such as inadvertently misdirected mail, but these do not have to be reported to the privacy commissioner.

They happened all the time, but they're just finding them more.- David Fraser, Halifax privacy lawyer

Two major breaches at CRA's London, Ont., office were the largest of the deliberate incidents officially reported in 2014, where workers snooped into the files of 169 and 170 taxpayers.

The released documents show worker misbehaviour is geographically widespread, from British Columbia to the Maritimes, and that family members and acquaintances are frequent targets. The reports do not spell out motivation, but there have been cases in which a worker accessed tax information to renegotiate a child-support agreement, and where an employee allegedly used their access to do "due diligence" before a blind date.

The agency manages one of the biggest confidential databanks in Canada, and about two-thirds of its 42,000 workers have electronic access to files.

The privacy commissioner's office and experts caution that recent increases in breach numbers may reflect better reporting and electronic sleuthing by IT managers, rather than more misbehaviour, which may have gone undetected previously.

"They happened all the time, but they're just finding them more," said David Fraser, a privacy lawyer with McInnes Cooper in Halifax. The privacy commissioner's 2012 audit also concluded "inappropriate accesses to thousands of taxpayers' files have gone undetected over an extended period of time."

Tougher measures

A spokesman for the CRA, Philippe Brideau, said the agency has tools in its computer systems to closely monitor what files workers are accessing.

• CRA privacy breach leaks prominent Canadians' tax details
• Massive data leak exposes offshore financial secrets
• Atwoodreacts to news of CRA leak of her personal data

"These tools are in addition to process measures that limit employee access on a 'need to know' basis and ensure that these access permissions are reviewed, at minimum, every six months."

Brideau also said CRA has toughened its disciplinary measures to combat abuse, up to and including termination. In April 2014, agency officials told a parliamentary committee that 14 people had been fired, and 18 suspended, over the previous year for accessing files without authorization.

Fraser said every government should have zero tolerance for privacy breaches, given that Canadians normally have no choice when surrendering their personal information to federal, provincial and municipal agencies.

"I think government needs to be held to a higher standard than the private sector," he said. "Immediate dismissal you're out on the street."

Follow @DeanBeeby on Twitter