Evidence of meeting #18 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cra.
A recording is available from Parliament.
Noon
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Regrettably, the answer may be available, but the CRA would not track it.
Noon
Conservative
Bob Zimmer Conservative Prince George—Peace River, BC
That's fine.
Since it's tax season, a lot of us use electronic means of filing our taxes, and I guess there are probably good programs and bad programs. I was just doing some searches on the web. Are you seeing that as potential fertile ground for people with identity theft motives, to somehow target free tax programs or that kind of thing? Have we seen that in Canada yet? I see it in other countries, but have we seen it in Canada yet?
Noon
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Again, it's outside our expertise, but we're not aware of any instance where we would have run across that.
I mentioned in response to a previous question that all of the commercial software that is made available on the CRA website has gone through an extremely rigorous authentication and certification program. We're absolutely confident that the software that's listed there works well with CRA systems and is secure and safe to use.
12:05 p.m.
Conservative
Bob Zimmer Conservative Prince George—Peace River, BC
So it would be key for Canadians to look at your list online to make sure they use services from that particular list. Good.
This is a question for both groups. What is the best way, and we can avoid the obvious, that Canadians can combat identity theft? That's a pretty broad question, but are there any particular programs that you would recommend? I know it's a bit beyond your purview as well, but do you have some recommendations for the average Canadian who might be reading what we're talking about here? What would you recommend to them as the best way of preventing identity theft from happening to them?
Let's start with Philippe, please.
12:05 p.m.
Director General and Senior General Counsel, Human Rights Protection Branch, Canadian Human Rights Commission
What we would say, really, may be more directed to organizations that collect information, whether private, public, or government, and it would be to ensure that the methods used do not have an adverse effect on someone because of a prohibited ground, so they don't have an impact on seniors or persons with disabilities and so on. If there is, we must identify those impacts at the beginning stage when we're developing the measure, that we assess the measure, that we gather information to really monitor whether there is an impact, and what can we do to minimize it.
12:05 p.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
Canada Revenue Agency has a website about how to protect yourself against identity theft, which you might find of interest. It talks about things like never providing your personal information by Internet or e-mail. CRA never asks you to provide that type of information by e-mail. Anyway, there's a list: keep your access codes, your user IDs, and your PIN secret, keep your address current.... There are a bunch of things here and it talks about how to minimize your risk by protecting your SIN, immediately reporting lost or stolen credit cards, that sort of thing. We do have a reference that you might find useful.
12:05 p.m.
Conservative
Bob Zimmer Conservative Prince George—Peace River, BC
Sure.
I have one last question. I think my colleague across the way asked the question about the breaches that had occurred. You had said it had been incorrectly addressed mail or incorrectly received mail. I just wanted to highlight a specific thing that you had mentioned in what you had said. You said there was no personal information attached in those letters...some of them. What percentage of that group would you say would Canadians need to be worried about? Considering the breach as 100, how many would not have given personal information in that mail-out?
12:05 p.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
If I understood your question, part of the answer is that of those almost 3,000 pieces of correspondence, 46% were considered to be privacy breaches and the rest were not considered to be privacy breaches. In terms of how many, I wasn't sure that—
12:05 p.m.
Conservative
Bob Zimmer Conservative Prince George—Peace River, BC
No, that's exactly what I was asking. So out of about 3,000, roughly half would be considered more serious, so literally.... And for those people, it's 1,600 too many, right? That's what we would say. I'm sure you would agree. But it's a fairly small number.
12:05 p.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Keep in mind that many of those pieces of correspondence were, in fact, ultimately recovered by the agency.
12:05 p.m.
Conservative
April 8th, 2014 / 12:05 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
Mr. Chairman, I'm going to return to the question that I was beginning to ask before I was so rightly interrupted, and courteously interrupted, I must say, but it seems like an oxymoron, doesn't it? But it was of note because my time was obviously up.
Let me go back to the question of the breaches. When I asked about the processes you had in advance of last year to avoid them, you focused mainly on the breaches that were not misdirected mail. Let me refer to the 2,800 examples of misdirected mail. I guess the key question would be, what have you changed since January 1 of last year? That will really tell me both what it was and what it is now.
12:05 p.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
I can come at your question a couple of different ways.
What we've done in the last couple of years is we've started to centrally manage the reporting of misdirected mail so that we are able to better manage it. When we do hear of cases of misdirected mail, we can contain it, we don't send any more mail to that address. We retrieve the mail in, as I said, 95% of the cases. We try to find the root case of the misdirected mail so that we can correct it and reduce the risk of it happening again.
12:05 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
When you say that you retrieve 95%, I presume that the only way you become aware of misdirected mail is when someone receives it and notifies you. Is it fair to say that you really can't say for certain that it is 95% of all mail that is misdirected?
12:10 p.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
You're correct. We can't say with certainty.
12:10 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
Just so I understand how this can happen, is it human error? Does a person put the letter in an envelope? Have you looked at the question of having that done electronically, or have you found that there are more errors with one versus the other?
12:10 p.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
One of the benefits now that we've gone to centrally managing is we can actually track what the causes are.
For example, a range between 10% and 15% is because we didn't have the correct taxpayer address. Perhaps the taxpayers moved and didn't advise us. There's a certain percentage that are Canada Post errors of delivering it to the wrong place. There is a certain percentage of input errors: an employee receives a handwritten tax return and when they input it into the system, they put the numbers in backwards or something. We have some electronic or technical errors, and there are some double-stuffed envelopes.
We're tracking what the problems are and we're trying to rectify anywhere we can to reduce the volume of misdirected mail.
12:10 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
In terms of the times when a person puts the wrong document in the wrong envelope, let me go back to the question I asked about having that done by machine as opposed to humans. Is that a possibility, and have you a way to assess whether that would be more secure and have less of those problems?
12:10 p.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
In fact, all of our print-to-mail operations are essentially automated now.
When you get something in a wrong envelope, it's usually a machine error. It usually means that a machine has picked up two pages instead of one, or somehow the flow between the envelope and the documents that are to go into it has been altered in some way within the machine. It's a machine or technical error.
We don't have, except in very rare instances, and again I'm not sure I could point to any, but it's very rare that we would be putting documents in envelopes by hand. We just deal with too much.
12:10 p.m.
Liberal
Geoff Regan Liberal Halifax West, NS
I obviously encourage you to keep working at that because people get very upset about it and I appreciate your being here today to talk about it.
Thank you.
12:10 p.m.
NDP
The Chair NDP Pat Martin
Thank you very much, Mr. Regan.
If that concludes your questions, that does conclude this round of questioning, but I would like to take the prerogative of the chair to ask one question, or ask for clarification at least, on one thing that I believe I heard in testimony.
A recurring theme of the Privacy Commissioner has been that the public has a right to know if their information held by others has been compromised. Is it in fact the policy or the practice of the CRA that they do proactively inform any citizen whose privacy may have been infringed upon?
12:10 p.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
In this instance we do follow Treasury Board of Canada policy.
We spoke earlier about the risk assessment that is undertaken to determine the degree of the breach and its impact on an individual, and that includes whether there is potential for identity fraud. It covers three separate areas, including what kind of harm might be possible with regard to the individual whose information has been lost, including impact on reputation or career or health or safety. It's quite a detailed assessment that we go through. It is in accordance with Treasury Board of Canada policies. When we do that assessment and the outcome recommends that we inform the Privacy Commissioner, then we do that and we also inform the individual.
12:10 p.m.
NDP
The Chair NDP Pat Martin
Just so I'm clear, in a case like Madam Borg cited, that happened to her, the envelope she opened contained somebody else's information, would that other person have been notified by you that their information was accidentally sent to another party?