Politics

Tax workers continue to peek at forbidden files: internal reports

The Canada Revenue Agency reported 34 significant privacy breaches to the privacy commissioner in 2014, and all but two were inside jobs by workers poking into unauthorized files. Documents obtained by CBC News show that rogue employees are a continuing threat to the confidentiality of tax returns.

Most privacy breaches at Canada Revenue Agency are caused by snooping workers: internal reports

Internal reports on privacy breaches at the Canada Revenue Agency, obtained by CBC News, show rogue workers are responsible for the lion's share of illegally accessing taxpayer accounts. (Evan Mitsui/CBC)

Canada Revenue Agency workers continue to poke into the confidential tax files of friends and foes, despite assurances to Canada's privacy commissioner that the chronic problem of unauthorized access is being fixed.

The 34 significant privacy breaches reported by the CRA to the commissioner in 2014 show all but two were deliberately committed by the agency's own employees — and the files indicate no worker was fired or reported to police.

The annual number of official breach reports has climbed dramatically, to 34 last year from just seven in 2011, even though the agency promised to clean up its act after a critical 2012 audit by the privacy commissioner.

Under the Access to Information Act, CBC News obtained detailed reports of every "material" 2014 breach, a package the agency released after eight months, in violation of deadlines set by the act.

Author Margaret Atwood was among more than 1,000 people whose personal information was inadvertently released to CBC News by the Canada Revenue Agency last November. (Darren Calabrese/Canadian Press)

"A CRA employee made unauthorized accesses to the accounts of nine individuals," says a March 26, 2014, report, referring to an incident in southern Alberta. "The employee made changes to five of the nine accounts accessed.… Media attention is possible, since any of the nine individuals could contact the media."

The entry says "disciplinary measures were invoked" and that "law enforcement will not be notified," standard wording for almost every 2014 incident.

One reported breach in 2014 did not involve a deliberate act by an employee. That was the release to CBC News in November of a file with confidential information about 1,014 taxpayers, many of them well-known names such as Margaret Atwood.

Mailroom mix-up

In that case, a mailroom mix-up delivered a confidential compact disc to CBC's Ottawa bureau, a CRA investigation later determined.

Another breach came from a hacker who exploited the so-called Heartbleed computer bug in April 2014, accessing about 900 social insurance numbers.

As of May 6, 2014, all federal institutions have been required to report "material" privacy breaches to the Office of the Privacy Commissioner of Canada, but the Canada Revenue Agency has been voluntarily doing so for several years.

The agency acknowledges there are several thousand minor privacy breaches each year, such as inadvertently misdirected mail, but these do not have to be reported to the privacy commissioner.

They happened all the time, but they're just finding them more.- David Fraser, Halifax privacy lawyer

Two major breaches at CRA's London, Ont., office were the largest of the deliberate incidents officially reported in 2014, where workers snooped into the files of 169 and 170 taxpayers.

The released documents show worker misbehaviour is geographically widespread, from British Columbia to the Maritimes, and that family members and acquaintances are frequent targets. The reports do not spell out motivation, but there have been cases in which a worker accessed tax information to renegotiate a child-support agreement, and where an employee allegedly used their access to do "due diligence" before a blind date.

The agency manages one of the biggest confidential databanks in Canada, and about two-thirds of its 42,000 workers have electronic access to files.

The privacy commissioner's office and experts caution that recent increases in breach numbers may reflect better reporting and electronic sleuthing by IT managers, rather than more misbehaviour, which may have gone undetected previously.

"They happened all the time, but they're just finding them more," said David Fraser, a privacy lawyer with McInnes Cooper in Halifax. The privacy commissioner's 2012 audit also concluded "inappropriate accesses to thousands of taxpayers' files have gone undetected over an extended period of time."

Tougher measures

A spokesman for the CRA, Philippe Brideau, said the agency has tools in its computer systems to closely monitor what files workers are accessing.

"These tools are in addition to process measures that limit employee access on a 'need to know' basis and ensure that these access permissions are reviewed, at minimum, every six months."

Privacy lawyer David Fraser says there should be zero tolerance for government workers inappropriately accessing confidential records. (CBC)
Brideau also said CRA has toughened its disciplinary measures to combat abuse, up to and including termination. In April 2014, agency officials told a parliamentary committee that 14 people had been fired, and 18 suspended, over the previous year for accessing files without authorization.

Fraser said every government should have zero tolerance for privacy breaches, given that Canadians normally have no choice when surrendering their personal information to federal, provincial and municipal agencies.

"I think government needs to be held to a higher standard than the private sector," he said. "Immediate dismissal — you're out on the street."

Follow @DeanBeeby on Twitter