Information & Ethics Committee on Dec. 5th, 2024

The CRA is in contact with the taxpayer. They inform them and provide them with that information. At that time, there's advice about what to do.

I think the time starts to run once you figure out there's been a privacy breach and a real risk of significant harm.

We've been in touch with the CRA in the context of this investigation and since, but we received the formal breach notification only in May. Our exchanges have been good and collaborative, but the concern is the delay in providing that formal response and those details to us as per the policy.

No. As I said, the results of an investigation into privacy breaches of 34,000 people through the GCKey system were released in February 2024.

At the time, we made a number of recommendations and found a number of issues, including that the CRA and government organizations had not sufficiently assessed the risk level.

A big issue is understanding how serious this is and the impact it has on people. It's not a conceptual thing. Fraud in the thousands of dollars causes stress and can have an impact on health. It also has an impact on people's time, because the money needs to be recovered and so on.

We found that security had been lacking, so we recommended that it be increased through multifactor verification.

We also found communication problems between decision-makers and departments. We then made several recommendations, all of which were accepted. I have to say that there was excellent co-operation with the agency during that time, and there still is.

Nevertheless, a breach occurred, and the necessary corrective measures must be taken.

We're seeing a general increase. We see that the number of attempts is increasing and that the repercussions are more serious. According to last year's statistics, even though the number of incidents was about the same, twice as many Canadians were affected. Last year it was 12 million. This year it was 25 million.

We see that governments and departments are prime targets. At my office, a number of investigations are under way, one of which concerns privacy breaches at the Department of Foreign Affairs. Another one is about public servants who suffered a significant breach related to relocation support.

That is a trend seen all over the world.

The entities co-operate well with us. We have regular meetings with the CRA on privacy breaches and privacy issues.

Our overall investigation of the incidents from 2020 to 2023 found that there was sometimes a lack of co-operation among the departments themselves. Representatives of a department could say that the responsibility didn't lie with them, that Shared Services, for example, was responsible, or the Treasury Board or the Revenue Agency. We stated in our report that working in silos was a problem.

It doesn't matter to Canadians which department is responsible for the problem. They deal with the government and need solutions. One of our recommendations dealt with that very subject.

However, we are still seeing, as I said, that the official notifications of breaches are unfortunately still coming to us too late and that the seven-day deadline set out in the Treasury Board policy is not being followed.

As you say, people can turn to the taxpayers' ombudsman, François Boileau, who is an excellent colleague. However, he does not have the power to issue orders. I agree that the ombudsman should have only the power to make recommendations, but that power is not as effective as the power to issue formal orders. The power to make recommendations is persuasive and important. The recommendation is often followed, but not always. If it isn't, the redress process becomes more complicated, when there is one.

However, the ombudsman produced a report on the Taxpayer Bill of Rights and on communication with taxpayers, as well as a very significant report on the importance of communications.

Are you talking about the various breach levels, for example when I was talking about levels 2 and 3?

In our report, we laid out the methodology used by the government to determine the risk level and the verification level required.

In this specific case, the departments considered it to be a level 2, which required verification, but not multifactor verification. That is what allowed the breach to occur. We said in our report that level 3 is related to situations that cause moderate harm, both financially and health-wise. We indicated that, in our opinion, the potential loss of thousands of dollars could certainly have a considerable impact on people, including on their health. They get stressed and they struggle. Financially, people could have their wages garnished and then have to go through a process.