OTTAWA–The federal government reported more than 200 significant privacy breaches affecting the personal information of thousands of Canadians and Canadian businesses, a number that Ottawa’s privacy watchdog suggests is the “tip of the iceberg.”
The Star obtained documents under access to information law detailing every privacy breach reported by federal departments and agencies in 2017. Over 600 pages, government employees describe breaches ranging from misplaced student loan documents to outing confidential RCMP drug informants.
But privacy commissioner Daniel Therrien’s office suggested the official numbers likely mask the scope of privacy violations at federal departments and agencies.
“Given the sheer volume of personal data that is collected and used by government institutions, we believe many material breaches likely go unreported, if not undetected,” wrote spokesperson Tobi Cohen in a statement to the Star.
In 2014, Treasury Board, the department that handles most internal government rules and regulations, required all federal departments and agencies to report any “material privacy breaches” to the privacy commissioner.
But what amounts to a “material” breach is somewhat open to interpretation. According to Treasury Board rules, a breach is “material” if it involves sensitive personal information and could “reasonably be expected to cause serious injury or harm to the individual” or involves a large number of people.
In 2017, only 27 federal departments and agencies reported a material breach to Therrien’s office. Most of the violations, some 113, were reported by Employment and Social Development Canada. But many of ESDC’s breaches were relatively minor, and most involved single student loan applications.
There were, however, more serious incidents:
- Public Prosecution Service of Canada (seven breaches): On Jan. 9, 2017, a lawyer with the service provided defence counsel in a drug case with disclosure for the trial. About 30 “Information to Obtain” warrants were included on a CD, related to search warrants granted to police in Atlantic Canada.
The defence lawyer gave a copy of the documents to his client. The problem was that, while the prosecution service “vetted” the documents, it failed to properly censor information about four confidential police informants — meaning the person up on drug charges could see information about four people, including two names, who talked to police about the case.
The police alerted two of the informants whose names had been revealed, but felt the other two were unlikely to be fingered by the information in the documents.
- Canada Border Services Agency (one breach): In April 2017, Calgary police sent a copy of a “Wanted Bulletin” to CBSA employees at the airport and in the intelligence division. That bulletin was forwarded to the CBSA’s main Calgary email list.
According to the documents, a CBSA employee snapped a cellphone picture of the bulletin and forwarded it to a third party. That person then forwarded the picture to the Calgary police and the person who was wanted by police, who expressed “concerns about the content.”
- RCMP (11 breaches): In May 2017, the name of an RCMP employee accused of harassment was mistakenly sent to an email list of 73 co-workers. It took the employee’s manager a full day to ask to recall the email, and an undisclosed number of recipients had already opened it.
The RCMP asked the recipients to delete the email from their inboxes.
- Royal Canadian Mint (one breach): As a sales rep was preparing to leave the Mint, they forwarded information about 705 Mint customers — including 14 customers’ credit card information — to their personal email account.
“This information was used by the individual post-Mint employment to contact Mint customers … to solicit their business in his new professional capacity,” the documents read.
After an investigation, the Mint sent a cease-and-desist letter to the former employee, who agreed to delete all the information purloined from the Mint’s databases.
- Canada Revenue Agency (24 breaches): Between 2005 and March 2017, employees at one of CRA’s Ontario offices had been uploading social insurance numbers and business numbers to the Electronic Land Registration Database — apparently without knowing that media, lawyers, and financial institutions regularly use the database.
A total of 2,921 individuals and businesses were affected by the breach.
Of all the departments reporting privacy breaches, CRA has likely received the most attention. The 2017 documents show that the agency is still grappling with the problem of employees improperly looking up the tax information of friends, family, colleagues and others.
The largest breach reported by the agency in 2017 appears to be a single employee looking up the tax information of 5,935 Canadians.
A spokesperson for the agency said CRA has cracked down on employees improperly accessing taxpayer information since 2013, including limiting tax workers’ access to just the files they require to do their work. In 2017, the agency brought in a fraud management program that allows the agency to “proactively monitor and detect” unauthorized access.
“When misconduct has been established, the employee is disciplined in keeping with the seriousness of the misconduct and the circumstances of the case,” wrote CRA spokesperson Dany Morin.
Still, Therrien’s office notes that cracking down on unauthorized access at CRA has been a priority for almost five years.
“The fact that unauthorized/inappropriate access by employees is still happening at all, despite the measures CRA has taken, remains an ongoing concern,” wrote spokesperson Cohen.
Cohen said the privacy watchdog’s office is still pushing the government to require all privacy breaches to be reported by law, rather than simply by Treasury Board rules.
Alex Boutilier is an Ottawa-based reporter covering national politics.