Mr. Speaker, members should note that the CRA has over 40,000 employees working across Canada. Employee behaviour and expectations are guided by the CRA code of integrity and professional conduct, “the code”, and the values and ethics code for the public sector. The consequences of misconduct are set out in the CRA directive on discipline, “the directive”.
Please note that the code contains specific references to the privacy and confidentiality of taxpayer information and refers to CRA’s detection and prevention of unauthorized access or unauthorized disclosure of taxpayer information.
With regard to the failure to protect information, the code notes that the legal obligation to safeguard the confidentiality and integrity of taxpayer information flows from the Income Tax Act; the Excise Tax Act; the Excise Act, 2001; the Privacy Act; and the Access to Information Act.
The code references the protection of CRA proprietary and taxpayer information. Employees are informed that they must never access any information that is not part of their officially assigned workload, including their own information; disclose any CRA information that has not been made public without official authorization; serve, or deal with the file of, friends, acquaintances, family members, business associates, current or former colleagues, or current or former superiors unless prior approval has been obtained from their manager; or use any CRA information that is not publicly available for any personal use or gain, or for the use or gain of any other person or entity. If the security of CRA or taxpayer information is compromised, the code requires that it must be reported immediately.
With regard to (a), between November 4, 2015, and November 27, 2018--that is, the date of the question--the CRA had 264 confirmed privacy breaches as a result of unauthorized access to taxpayer accounts by CRA employees. A total of 41,361 Canadians were affected by these incidents.
With regard to (b) and (c), in every case in which a CRA investigation determines that an employee has made unauthorized access to taxpayer accounts, the CRA uses Treasury Board Secretariat of Canada guidelines (found at http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=26154) to assess the risk of injury to each affected individual and notifies them accordingly. Notification is done predominantly by letter, which includes information about the taxpayer’s right of complaint to the Office of the Privacy Commissioner of Canada.
To date, the CRA has notified 1,640 of the affected individuals that unauthorized accesses have been made to their accounts. An additional 34 notifications are in progress and the notification letters to the affected individuals are currently being prepared.
For 37,502 individuals for whom the risk of injury was assessed as low, the individuals were not notified. Information was viewed as part of various ALPHA T searches, but accounts were not directly accessed. An ALPHA T search is used to search for an individual using various search criteria (name, address, postal code, etc.), when the SIN is not available.
For a number of other reasons, 2,185 individuals were not notified. These reasons included the individual being deceased with no authorized representative on file, there being no valid address on file, or the risk of injury to the individual being assessed as low.
With regard to (d), 264 CRA employees accessed data without authorization between November 4, 2015, and November 27, 2018--that is, the date of the question.
With regard to (e), the applicable steps and consequences of misconduct are covered under the code and the directive. Consequences of misconduct are based on the severity of the incident and its impact on trust both inside and outside the CRA. Misconduct may result in disciplinary measures, up to and including termination of employment. Of the 264 CRA employees who accessed data without authorization since November 4, 2015, 182 were disciplined; 46 left the CRA; and 36 are pending a decision.
The CRA is limited in its ability to respond in the manner requested. Pursuant to section 8 of the Privacy Act, disciplinary action is considered personal information and is protected from disclosure. Furthermore, when the number of employees is so small that an employee could be directly or indirectly identified, aggregate data cannot be released.