CRA Security Breaches:  Taxpayers Must Be Able To Rely On Privacy

Canada has a taxation system that is based on self-assessment.  We are required to accurately assess income, deductions and credits, filing our tax returns on time, or face penalties, interest and/or jail in serious instances. 

This system has served us well, with the vast majority (over 90%) of Canadians filing and paying their taxes on time.  One of the reasons we are so compliant as a nation is that we trust in the confidentiality we are promised under our Taxpayer Bill of Rights.

Here’s what it says in Right #3:  You have the right to privacy and confidentiality.

“Under this right, you can expect us to protect and manage the confidentiality of your personal and financial information in accordance with the laws we administer, such as the Income Tax Act, the Excise Tax Act, the Excise Act, 2001, and the Privacy Act. Only employees who need your information to administer programs and legislation have access to your information. We also take other steps to protect your information and make sure it is kept confidential. For example, we follow government-wide and internal policies on the security of information and privacy. We also regularly review our internal processes to make sure your information is safe."

It’s entirely possible these internal processes are up for review now.  Recent security and privacy breaches at CRA are more than eye-brow raising – they are alarming.  Last week, the CBC reported human error was to blame for leaking confidential donation claims to the CBC, which published the names of the individuals affected by the breach. The event drew a number of responses, including this one from the former Ontario privacy commissioner Ann Cavoukian who told the CBC that she was "outraged" to learn of the breach. "It's completly unfathomable," she said. "Perhaps you have to discharge certain employees... You need a complete overhaul, top to bottom." 

This news story goes on to say that "a total of 168 federal privacy breaches have been reported since April 1, including 22 from the Canada Revenue Agency, making it one of the worst offenders.  In October 2013, Canada's privacy commissioner noted "numerous reports of privacy breaches involving employees inappropriately accessing taxpayer information in recent years," and "weaknesses in key privacy and security practices that led to taxpayer information not being protected as it should, with thousands of files being accessed inappropriately for years without detection.""

CRA notes on its website that those who feel that their right to privacy and confidentiality has not been respected, should contact the Access to Information and Privacy Directorate, Ottawa Telephone: 613-960-5393 (Ottawa-Gatineau), 1-866-333-5402.

If not satisfied after first contact, a complaint can be filed with CRA – Service Complaints. Or, if still not satisfied, a complaint can be made directly to the Privacy Commissioner of Canada 3rd Floor, Tower B, Place de Ville, 112 Kent Street, Ottawa ON  K1A 1H3, Telephone: 613-995-8210 (Ottawa-Gatineau), 1-800-282-1376.

Breaches of confidentiality are also addressed on the website.  Specifically, taxpayers are told:

“Contact us at once if you believe that the confidentiality of your information has been compromised or that your information may have been shared with someone whom you did not authorize to represent you. If we confirm that your information has been compromised, we will act to prevent the fraudulent use of the information in our systems and processes.”

The promise is important. A tax system that relies on honest self-assessment by taxpayers and requires that this responsibility be met with consistent accountability, must itself be prepared to display exemplary standards in its responsibilities to ensure privacy and confidentiality as well as fairness and equity in return.

It’s Your Money.  Your Life.   It remains to be seen if CRA will indeed act to prevent further breaches and how they propose to do so.  This story is, however, a reminder that now is a good time to review systems and procedures in your own family and business to ensure the privacy and confidentiality of financial information.  Don’t hesitate to secure the help of qualified professionals to make sure your privacy rights, and those of family members, business suppliers and employees, are not compromised. And, you may wish to make sure that any requests for information by CRA are first received in writing to confirm that they are official.