Evidence of meeting #18 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippe Dufresne  Director General and Senior General Counsel, Human Rights Protection Branch, Canadian Human Rights Commission
Susan Gardner-Barclay  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Helen Brown  Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
Maciej Karpinski  Senior Research Analyst, Human Rights Protection Branch, Canadian Human Rights Commission

11:35 a.m.

Senior Research Analyst, Human Rights Protection Branch, Canadian Human Rights Commission

Maciej Karpinski

The example is in the report. There's a case that is referred to. There are certain religious practices that lend themselves more toward scanning with one hand and not both hands, or with the other hand.

11:35 a.m.

Liberal

Geoff Regan Liberal Halifax West, NS

Thank you very much.

Ms. Gardner-Barclay, I think you probably told us this already, but when you referred to the 2,900 breaches, what period were you talking about?

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

It was for the year 2013.

11:35 a.m.

Liberal

Geoff Regan Liberal Halifax West, NS

So that was for one year.

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

11:35 a.m.

Liberal

Geoff Regan Liberal Halifax West, NS

What process was in place before that to prevent this from happening?

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

We actually had many processes in place to prevent it from happening. As a result of this, and particularly around the OPC's report from 2013, we strengthened those processes. But we did have front-end controls that looked at managing carefully employee access to CRA systems.

We do have back-end controls. We are putting a system in place over the next two years that will strengthen that. We do have the ability to monitor employee access to our systems and what information they're looking at.

All through 2010 to 2013, we revised our privacy policies and procedures. We implemented a new discipline policy. We strengthened our training and awareness programs for employees. That began in 2010 and continues, but the bulk of that work was done over the last three years.

11:35 a.m.

Liberal

Geoff Regan Liberal Halifax West, NS

The vast majority of these were, as you say, misdirected mail.

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

11:35 a.m.

NDP

The Chair NDP Pat Martin

Geoff, you're out of time.

11:35 a.m.

Liberal

Geoff Regan Liberal Halifax West, NS

Already?

11:35 a.m.

NDP

The Chair NDP Pat Martin

You're well over time, actually. I cut you a lot of slack because you're new. You'll have to continue that in the next round.

The last questioner for the seven-minute round is Pat Davidson.

April 8th, 2014 / 11:35 a.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Thanks to our witnesses this morning. These certainly are interesting things you are filling us in on.

I want to start with a quick question for the CRA, please. You stated in your opening comments, “It's important to note that many of the breaches identified by the CRA do not constitute privacy breaches, as no personal information was disclosed.”

How do you define “personal information”?

11:35 a.m.

Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency

Helen Brown

Perhaps I can answer that.

Private information is about an individual. We were distinguishing between that and breaches that could be information about a business, for example, a piece of mail with the business name and address, which is public information. We would have considered that a breach of information but not necessarily a breach of privacy.

I don't know if that explains it.

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

Perhaps I can add to that.

In order to define privacy breaches, we rely on the Treasury Board guidelines. The Treasury Board guidelines define a privacy breach as an improper or unauthorized collection, use, disclosure, retention, or disposal of personal information. Anything that is outside of that category we would define as an information and data breach, but not a privacy breach.

11:35 a.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Would you classify personal information then as an individual's name, address, birthdate, SIN?

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

11:35 a.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Okay. But if it's a company's name and address that is publicly available, that's a different situation.

11:35 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

Yes. It's when the name and address are publicly available on public databases. Exactly.

11:35 a.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Okay.

In your opening remarks, you also referred to section 241 of the Income Tax Act and section 295 of the Excise Tax Act prohibiting disclosure of taxpayer information by any employee unless specifically authorized under these acts.

What does that mean? What would be specifically authorized?

11:40 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

The act does permit some disclosure, if authorized. The most clear example would be if you have the consent of the taxpayer. There are some instances where the taxpayer is providing consent for their information to be disclosed to another party.

A good example of that would be that authorized representatives, income tax companies which prepare returns, need to have the taxpayer's consent to share that information with them. That's the most obvious example.

11:40 a.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

In an MP's office, working for a constituent, we need to have a consent form signed.

11:40 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

That's correct. That would be another instance. We have a consent form. Taxpayers will complete that form, and their MPs will complete that form, and send it to us. That's the mechanism by which we are then permitted to share confidential taxpayer information with an MP who's representing a taxpayer.

11:40 a.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Okay.

I had a constituent express some concerns to me last weekend. Of course we all know it's income tax time, and we're all hustling to get our returns prepared. This individual had used a particular preparer for several years, had some issues, and decided to go to a different preparer this year.

They went to the second preparer, and they took along their previous information so that they could share their past returns with the new group. They were told they didn't need to worry about that, because all the new preparer had to do was go online and they could access all of the past returns.

Is that correct?

11:40 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

This is a little outside our area of expertise, but the second tax preparer would have to have obtained authorization from the taxpayer to be able to access any of the information that is available online. I am aware of no scenario where a tax preparer could simply find that information without obtaining the appropriate authorization. Our controls on this are very strict. We use the same technological controls that major Canadian financial institutions use to be able to manage access to that sort of information that may be available online.