CRA Working from Home: Who’s Looking Over the Shoulder?

Privacy, confidentiality, security are foundational hallmarks in the relationship between taxpayers and their tax department. CRA takes this obligation seriously. However, during the pandemic, more than 90% of employees worked remotely.

Now, under tentative agreements with striking CRA workers, there is a commitment to flexibility that allows CRA employees to continue to work at home up to three days a week.   Should taxpayers be concerned about privacy and security in those home?  Tax and financial pros may get questions about this. Here’s how to approach these concerns.

About the new contract.  Here is what CRA published about the tentative agreement reached with its workers:

“The CRA continues to be committed to a modern, hybrid workplace that provides employees, where applicable, with the flexibility to continue to work up to three days from home a week. Outside of the collective agreement, the CRA and PSAC-UTE reached a tentative settlement on telework to the satisfaction of both parties. Both parties agreed to undertake a review of the Directive on virtual work arrangements, and to create a panel to advise the Commissioner and Deputy Commissioner regarding employee concerns.”

CRA’s Commitment to Keeping Taxpayer Information Safe.  CRA understands it’s in the trust business and says so right on its website where it makes certain commitments to accountability, which you may wish to point out:

• “The CRA supports its people in doing the right thing by providing clear guidelines and tools to ensure privacy, security and the protection of our programs and our data.
• We are committed to protecting the information that we receive from and about taxpayers and benefit recipients; all online transactions and communications with clients are conducted using secure servers which are protected by corporate firewalls to prevent unauthorized access.
• Personal information is stored on separate secure servers which are not directly accessible from the Internet.
• CRA employees work diligently to identify potential cyber-threats and our servers and firewalls are updated daily to provide the most up-to-date protection.
• All CRA employees have an obligation to report any detected or suspected unauthorized access or disclosure of information, misconduct, or fraud, and any processes that appear to be vulnerable to fraud.
• Allegations or suspicions of employee misconduct are taken seriously and thoroughly investigated.
• When misconduct is founded, we take the appropriate corrective measures, up to and including termination of employment. If criminal activity is suspected, the matter is referred to the proper authorities.”

What happens when there is a privacy breach?  This could include theft or loss of information.  But it might also include improper handling of information and malicious actions by employees, third parties or intruders.  CRA notes that it takes immediate steps to inform the taxpayer and the Office of the Privacy Commissioner where appropriate.  If they suspect criminal activity it co-operates with the RCMP.

Ensuring Taxpayer Rights.  CRA has also enshrined a Taxpayers’ Bill of Rights and produced a guide to explain them.  Right # 3 concerns the right to privacy and confidentiality. 

Specifically, CRA notes that under this right, “you can expect us to protect and manage the confidentiality of your personal and financial information according to the laws we administer, such as the Income Tax Act, the Excise Tax Act, the Excise Act (2001) and the Privacy Act. We also take other steps to protect your information and make sure it is kept confidential.  Only employees who need your information to administer programs and legislation have access to your information. We follow government-wide and internal policies on the security of information and privacy. We regularly review our internal processes to make sure your information is safe.”

With the CRA’s commitment to continue flexible remote work opportunities for its employees, some questions that may arise from taxpayers:

• How have security precautions for home information use been enhanced? How will this be monitored?
• How can CRA ensure that no one in the home where a CRA employee works can look at private and critical information such as SINs and banking account numbers?How will this be monitored?
• Will CRA ask taxpayers how comfortable they are with their detailed personal and financial information present in the homes of thousands of CRA employees?
• How will CRA provide supervision to ensure adequate, secure and accurate taxpayer services to delivered from the employees’ private homes?

What happens when there are breaches of confidentiality now?  CRA notes that the onus is on the taxpayer to Contact the CRA if they believe that the confidentiality of information has been compromised or shared with someone not authorized to represent them. Taxpayer concerns are then put through a judgement of sorts by the government:  “CRA then will confirm whether they agree that your information has been compromised” after which “we will act to prevent the fraudulent use of the information.” 

For now CRA has a website for “tips on protecting your personal information and preventing breaches of confidentiality. . . go to Security of your tax information.”  In addition, the CRA’s Taxpayer Bill of Rights provides a process that provides a lot of red tape to negotiate through:

“If you feel we did not respect your right to privacy and confidentiality, we want you to let us know. You can do so by contacting the Access to Information and Privacy Directorate.  If you feel your concerns have still not been fully considered after this first contact, you can send a complaint to the CRA Service Feedback Program. To find out how to send a service complaint, see 9. You have the right to lodge a service complaint and to be provided with an explanation of our findings.

If at any time during the process you are not satisfied with the way we treat your concerns about the handling of your personal information, you can send a complaint to the Office of the Information Commissioner of Canada or the Office of the Privacy Commissioner of Canada.”

These responses raise more questions about accountability when there is a serious breach of confidentiality:

• How will taxpayers know the source of the breach, given the much wider dissemination of their private information in the private homes of CRA employees?
• How will CRA compensate the taxpayer if there is financial or identity theft?
• How quickly will they act?
• Bear in mind that during the pandemic, more than 90% of employees worked remotely, and things went well.

Bottom Line:  All organizations are challenged with the potential for a security breach and to insert their own organization’s name in the place of CRA’s to answer the questions above. Plugging a leak of financial information or identity theft requires immediate response. CRA advises: . . .if you suspect that your confidential information has been compromised, you should contact the CRA.  If you are concerned about the proliferation of private financial information to home-based CRA workplaces in general, contact your local MP and/or the following resources:

The Access to Information and Privacy Coordinator by email to ATIP-AIPRP@cra-arc.gc.ca, orby calling 613-960-5393 (Ottawa area) or 1-866-333-5402, or write to the following address:

Director, ATIP Directorate
Canada Revenue Agency
5th Floor, 555 MacKenzie Avenue
Ottawa ON  K1A 0L5

If you are not satisfied with the CRA's response to your privacy concern, contact the Office of the Privacy Commissioner by telephone at 1-800-282-1376.

Does your organization have a disaster management plan in case of a privacy leak?  If not, be sure to get one in place.