Investigation Reveals that CRA Employees Have Been Accessing Taxpayer Information on an Unauthorized Basis
November 30, 2018
According to an investigation by CBC News, employees at the Canada Revenue Agency (CRA) have committed privacy breaches and have continued to “snoop” on the confidential tax files of their partners, spouses, colleagues, neighbours, and others. CBC obtained ten months of internal reports which showed the files of at least 10,000 Canadians were compromised by CRA employees, who used their privileged access to government databases to access taxpayers’ private financial affairs. This occurred despite a $10 million initiative intended to discourage them from doing so.
The Enterprise Fraud Management Solution
In March 2017, the CRA completed a $10.2 million technology project known as the “Enterprise Fraud Management Solution”. The purpose of the project was to track and deter any unauthorized access to taxpayer information by CRA employees.
Privacy Breaches Reported to the Privacy Commissioner
Every year, federal institutions report significant privacy breaches to the privacy commissioner, as required by law. Of these, the CRA consistently ranks among the top privacy offenders. In addition, unlike other institutions where privacy breaches tend to arise from inadvertent error such as mail sent to the wrong address, privacy breaches at the CRA tend to be the result of employee misconduct.
Statistics provided by the privacy commissioner suggest that major privacy breaches reported by the CRA were 38 in 2014-2015, fell to 10 in 2016-2017, and ultimately increased to 25 in 2017-2018, which suggests that such employee misconduct might be on the rise.
A report made to Parliament in early 2017 noted that more than 2,000 privacy incidents had occurred at the CRA between September 2016 and June 2018. Many of these involved misdirected mail and were considered so minor that the CRA concluded it did not need to report them to the privacy commissioner.
However, CBC News obtained information on 14 privacy breaches that were significant enough to be reported to the commissioner. 10 of these breaches involved “rogue employees”, the other 4 involved inadvertent disclosure, such as a box of files being sent to the incorrect address.
These 14 breaches involved “material” violations, defined as those “involving sensitive personal information…that could reasonably be expected to cause serious injury of harm to the individual and/or [involve] a large number of affected individuals.” These were all disclosed to the privacy commissioner.
Examples of Misconduct
Some specific examples of these employee breaches included:
- An employee at CRA’s office in Calgary who made unauthorized access to the accounts of 310 individuals in his community (including his spouse, his mother, and his former boss, among others) and kept a detailed spreadsheet on their financial data;
- An employee at CRA’s office in Scarborough who conducted 49 unauthorized data searches to briefly access the files of more than 3,700 taxpayers. The same employee downloaded detailed tax files, without authorization, of 16 other individuals;
- An employee at the CRA’s Vancouver office who made unauthorized access to her own taxpayer information and to a total of 38 other accounts, 4 of family members, 9 of friends, 4 of random taxpayers, 4 of neighbours, 3 of CRA employees, 3 of local churches, and 11 of the churches’ members.
This unauthorized access generally revealed social insurance numbers, addresses, phone numbers, dates of birth, marital status, income, deductions, and employment details (all of which is standard information on annual tax forms).
None of the reports made to the privacy commissioner provided any motivation behind the behaviour of these “rogue” employees. These employees themselves were also not identified, outside of general information about their targets.
The CRA’s Response
A CRA spokesperson told the CBC that the sharp increase in the number of reported breaches in 2017-2018 was the direct result of the effectiveness of the Enterprise Fraud Management system.
The spokesperson did not indicate how the CRA had disciplined these “rogue” employees, telling the CBC only that “the most extreme cases of misconduct attract the most severe measures of discipline, up to and including termination of employment”.
About 40,000 employees work for the CRA, of those, approximately 60% have access to taxpayer files. The CRA spokesperson noted that the agency has been stepping up monitoring of staffers and limiting their ability to see data that is not directly relevant to their work.
We will continue to monitor this story and will provide updates as they become available. Our highly experienced team regularly keeps track of developments that may impact taxpayers so that we can better advise and protect our clients.
In the meantime, if you have questions about personal tax planning in either Canada or the U.S., about cross-border tax and estate planning, corporate tax planning, or any other related issue, contact Feigenbaum Law. With professional accounting designations from both Canada and the US, coupled with being admitted to the bar in the U.S. and Canada, Mark Feigenbaum and his team are uniquely positioned to provide tax advice to clients on both sides of the border. Professionals on both sides of the border, such as lawyers, accountants, financial planners, agents, and business managers, frequently refer complicated tax matters to our firm. We have developed a reputation for finding creative solutions to seemingly unsolvable problems and for the exceptional quality of our work.