Mr. Speaker, in 2012, the Canada Revenue Agency, CRA, put into place an updated information-sharing protocol between the CRA’s areas responsible for security and privacy to insure that information on privacy breaches was flagged to the CRA’s ATIP Directorate, which is responsible for liaising with the Office of the Privacy Commissioner of Canada. The 2012 protocol strengthened the procedures and protections included in the previous 2010 information-sharing protocol.
With regard to (a), (b), and (c), while the CRA captures the number of internal affairs investigations—that is, data, information, and privacy breaches--as well as the number of security incidents that are unrelated to employee misconduct and that involve the theft, loss, or compromise of information, as well as the number of misdirected mail incidents, it does not capture the information by breach in the manner and the time period requested. In order to produce the response for 2002-2012, a manual search of records would have to be undertaken to extract the data, which is not possible within the prescribed timeline.
With regard to (d), for the reasons noted above, the CRA was not able to provide this information in response to written question Q-1217.