Information & Ethics committee  You're correct. We can't say with certainty.

Information & Ethics committee  One of the benefits now that we've gone to centrally managing is we can actually track what the causes are. For example, a range between 10% and 15% is because we didn't have the correct taxpayer address. Perhaps the taxpayers moved and didn't advise us. There's a certain percentage that are Canada Post errors of delivering it to the wrong place.

Information & Ethics committee  Canada Revenue Agency has a website about how to protect yourself against identity theft, which you might find of interest. It talks about things like never providing your personal information by Internet or e-mail. CRA never asks you to provide that type of information by e-mail.

Information & Ethics committee  If I understood your question, part of the answer is that of those almost 3,000 pieces of correspondence, 46% were considered to be privacy breaches and the rest were not considered to be privacy breaches. In terms of how many, I wasn't sure that—

Information & Ethics committee  I can come at your question a couple of different ways. What we've done in the last couple of years is we've started to centrally manage the reporting of misdirected mail so that we are able to better manage it. When we do hear of cases of misdirected mail, we can contain it, we don't send any more mail to that address.

Information & Ethics committee  When you talk about whether it's an internal process, what I can say is that we did review our risk assessment tool that we use with the Office of the Privacy Commissioner to make sure it follows the spirit of the guidelines that come from Treasury Board. I also want to clarify that there are two things that we assess.

Information & Ethics committee  I was just thinking about all the things that we do in CRA, and my colleague alluded to them in her opening remarks, about outreach to try to warn people of the risks to their privacy. On our website we give them tips on what to do to help guard against identity theft.

Information & Ethics committee  If I may start, I'm sure that my colleague will continue with the answer, but I just want to make one point of clarification. Of the 2,983 breaches that we reported on, there were only 46% that were actually privacy breaches. The rest were information breaches. So in terms of your numbers, I just want to make sure that's what that—

Information & Ethics committee  No, my understanding is that just recently Treasury Board has put in a framework for us to report to them, but up until this time, it's been the OPC that we deal with on these matters.

Information & Ethics committee  Again, it's a little bit outside of our area of expertise, but CRA obviously needs to hold the information if it's to do with the CRA and to do with our taxes. I imagine the preparer would also need to have some record. I'm not sure if that answers your question.

Information & Ethics committee  Perhaps I can answer that. Private information is about an individual. We were distinguishing between that and breaches that could be information about a business, for example, a piece of mail with the business name and address, which is public information. We would have considered that a breach of information but not necessarily a breach of privacy.

Information & Ethics committee  No.

Information & Ethics committee  To elaborate on what my colleague just said, there's a strong group of departmental security officers around town who have frequent meetings to share best practices, Actually, the CRA is one of the groups that shares our best practices with others, because we're seen as a leader.

Information & Ethics committee  We have a discipline grid at CRA that tries to ensure that there is consistency in application, because we're such a large organization with approximately 40,000 employees. The grid will say what kind of misconduct has occurred and then what kind of discipline should be given.

Information & Ethics committee  Thank you for your question. It's a very important issue. Our goal would be to have no misdirected mail, if that were possible, and we've put many steps in place.... I don't know when your situation occurred personally, but what we've put in place in the last year is a protocol whereby as soon someone advises us that there has been misdirected mail, our security people get back to them within a day and we find a way to retrieve the misdirected mail.