Evidence of meeting #18 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cra.
A recording is available from Parliament.
11:40 a.m.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
When those files are sent in, are they kept at CRA, or are they kept at the tax preparers, or are they kept at both?
11:40 a.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
Again, it's a little bit outside of our area of expertise, but CRA obviously needs to hold the information if it's to do with the CRA and to do with our taxes. I imagine the preparer would also need to have some record.
I'm not sure if that answers your question.
11:40 a.m.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
Yes, it does. I'm just a little bit concerned about how the taxpayer then...maybe there's something on the original tax preparer's form where they've given consent to share that information. I don't know, but maybe that's what the individual needs to be concerned about.
11:40 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
We'd be happy to provide you with further information on that so that you have a good sense of what the framework is around how that would be managed.
11:40 a.m.
Conservative
Patricia Davidson Conservative Sarnia—Lambton, ON
I'd be interested in that. If you could send it to the clerk, that would be good. Thank you very much.
You talk about getting information out, reaching communities and vulnerable groups, and so on, and you talk about some of the different organizations that you partner with. I just have a suggestion, and maybe you already do it on a lot of things, but maybe it's not happening with some things. MPs are excellent people to partner with. We all have websites, and most of us are on social media of some kind with Facebook or Twitter, and most of us have lots of people following what we're doing. It's a good way to get things out. I know we received information on the phishing scams that were going on and that was something that put out, and it was very well received in the community. People want to know these things. So we're a good avenue to help you.
11:40 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
I'll just add to that. We've always known it, but we took action on it last year for tax filing season when we in fact provided a member of Parliament kit on everything that your constituents need to know about the tax filing season. We did that last year, and we got an excellent response. There were literally thousands and thousands of access to those pages. We replicated it this year and it's having an even better response. This was sent out to the offices of all members of Parliament so that you would have it.
We gladly welcome any suggestions for improvement. We'll make sure that the information about phishing scams is included if it wasn't this year. I'm looking through the table of contents in my head, and I'm not sure it was there. I know it went separately, but we'll make sure it's part of that package next year.
11:45 a.m.
NDP
The Chair NDP Pat Martin
Thank you, Ms. Davidson. Your time was concluded.
Next we'll go to five-minute rounds, beginning with Mathieu Ravignat.
11:45 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
This question is directed to the Canada Revenue Agency. Thank you for being here, Mesdames.
Maybe you can correct me if I'm wrong, but my understanding is that of the 2,983 incidents, only 1% of them were actually reported to the Privacy Commissioner. That represents about 1,700 Canadians, I think. Does this mean that those individuals have no idea what happened with regard to their data and whether or not this data can be stolen for purposes of identity theft?
11:45 a.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
If I may start, I'm sure that my colleague will continue with the answer, but I just want to make one point of clarification. Of the 2,983 breaches that we reported on, there were only 46% that were actually privacy breaches. The rest were information breaches. So in terms of your numbers, I just want to make sure that's what that—
11:45 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
Were all of those 46% of cases reported to the Privacy Commissioner?
11:45 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
No. There's a protocol from Treasury Board that gives departments guidance on which cases should be reported to the Privacy Commissioner. It covers a fairly detailed risk assessment. Departments are asked to look at the sensitivity of the information that was disclosed. Is it, for example, financial or medical information? Departments are asked to make an assessment of the risk of identity theft or fraud as a result of the loss. Departments are asked to assess the potential to cause harm to the individual, for example, to the individual's reputation, their career—
11:45 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
One per cent seems pretty low. In regard to those guidelines that you're following in order to not report some of these cases to the Privacy Commissioner, can you tell me a little bit more about that? Why is it there were so many that you decided not to report to the Privacy Commissioner, using those criteria? Was there one main reason or...?
11:45 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
We are guided by the outcome of our risk assessment. If the risk assessment indicates that there is a reasonable chance of harm to the individual, then we will report to the OPC. In that timeframe, we reported 479 cases.
11:45 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
Is that decision completely internal? Is the risk assessment completely internal, or is there an external peer review process to say, “Yes, you're on the right track; these cases shouldn't be reported to the Privacy Commissioner”?
11:45 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
It is internal, but it is done in two different places in the agency. Ms. Brown's security and internal affairs division does the initial assessment, and then it is reviewed for quality by a separate shop in a separate branch in our ATIP organization, which has responsibility and close relations with the Privacy Commissioner to ensure that our assessments are, in fact, of the highest quality.
11:45 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
Does Treasury Board then validate it? Is there a validation process?
11:45 a.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
No, my understanding is that just recently Treasury Board has put in a framework for us to report to them, but up until this time, it's been the OPC that we deal with on these matters.
11:45 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
The Treasury Board has asked that by next year all departments report privacy breaches to them as well as to the OPC, so that system is coming into place.
11:45 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
Did the Privacy Commissioner, once she was aware of the breach and of the percentage that you reported to her, ask for any additional information?
11:50 a.m.
Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
When you talk about whether it's an internal process, what I can say is that we did review our risk assessment tool that we use with the Office of the Privacy Commissioner to make sure it follows the spirit of the guidelines that come from Treasury Board.
I also want to clarify that there are two things that we assess. One is whether to advise the taxpayer, and one is whether to advise the OPC. There are two separate things going on in the area of your question.
11:50 a.m.
NDP
Mathieu Ravignat NDP Pontiac, QC
In regard to an order paper question from my colleague, Charlie Angus, he asked you to give statistics on how many privacy breaches there were between 2006 and 2012, but he didn't get a response from you. I was wondering why that would be. Is it that you don't collect this data, or that it isn't available?
11:50 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
I'm sure Ms. Brown will want to add detail to my answer, but that is correct.
At the time, the CRA was certainly monitoring privacy breaches, but we were doing it by monitoring and tracking centrally the number of investigations. At the time that question was asked, we had not centrally started to record within each investigation how many breaches had occurred and how many individuals had been affected.
Mr. Angus' question asked for that specific detail. In order to be able to produce it, we would have had to go back through many years of reports and manually cull that information from those reports.
With Mr. Angus' guidance, we've changed our process so that we now are able to centrally track both individuals and numbers of breaches within each investigation.
11:50 a.m.
NDP
The Chair NDP Pat Martin
Thank you.
I'm afraid that concludes your time, Mr. Ravignat.
Next, for the Conservatives, is Ms. Tilly O'Neill Gordon.
11:50 a.m.
Conservative
Tilly O'Neill-Gordon Conservative Miramichi, NB
I want to thank the witnesses for being with us today. You bring us great information on things to think about. I also want to thank you for all you do to ensure the safeguards that are in place to protect Canadians' personal info, and in turn, reduce the risk of identity theft. Of course, for all of us that's a very important aspect and a very important idea to think about.
At the same time, I was going to say for the CRA, we all have a role to play in preventing identity theft. What roles do you see that consumers, businesses, banks, the federal government, the Privacy Commissioner have to play in preventing and combatting identify theft? Can you give us some ideas?
11:50 a.m.
Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Well, you're right, certainly the CRA views privacy—