Let me begin by giving you a bit of context around the numbers that appeared in written question 255, which I think is the question you're referring to.
That response indicated that the CRA had experienced around 2,900 information, privacy, and data breaches in the time period requested. Some 2,800 of those were actually misdirected mail. That constitutes about 0.001% of the 150 million pieces of mail that the CRA handles in any given year.
Having said that, we certainly understand that we need to take strong measures in any instance where a taxpayer's information ends up where it shouldn't be. We do have measures that are aimed at addressing misdirected mail specifically, and my colleague Helen Brown can speak to that.
I'll also mention the number of initiatives that we have put in place as a result of the two Office of the Privacy Commissioner audits we had in 2009 and 2013, which I referred to in my opening remarks.
We essentially now have a tiered response to managing information security and privacy breaches.
Our first line of defence, of course, is our employees. We have a very strong code of conduct that makes it absolutely clear to our employees what their responsibilities are with regard to security management.
We have ongoing staff training and awareness. We have a mandatory course for security for all of our employees at the CRA. We now have extensive information-sharing protocols within the CRA that help us to identify and address breaches when they do occur, particularly between our security and advisory directorate and our ATIP directorate, which has responsibility for monitoring these things.
We now have active controls at the front end of our technological systems which ensure that only the computer systems that employees need to access to do their jobs are those that they can access. We now have very strong back-end controls and are working to actually strengthen those through some technological changes that we'll have in place over the next two years. We will put in place systems that will allow us to very carefully monitor employee activity on all of our computer systems, right down to what files they're accessing, how they're accessing them, and what information they're looking at on those files.
We have a very strong regime of policies and practices that go along with that, including a very strong discipline policy that situates unauthorized access as a significantly serious offence within the disciplinary regime. We have a very strong oversight process, which includes my office. It includes the integrity advisory committee that I referred to, and of course, the OPC, which takes great interest in our privacy regime.