Moreover, the proportion of breaches reported to the Privacy Commissioner’s office varied widely from one department to another. For example, while the Justice Department reported 80 per cent of the breaches it discovered, the agency with the largest number of breaches – the Canada Revenue Agency – only revealed less than one per cent of its 3,868 breaches to Privacy Commissioner Daniel Therrien’s office.
While departments are not required to notify Therrien of every breach that occurs, last year he was only notified about 5.3 per cent of the 5,853 privacy breaches discovered by departments.
Those breaches – everything from tax information or passports being sent to the wrong address to lost memory sticks, e-mails accidentally disclosed or unauthorized access to files – affected more than 45,894 Canadians.
While departments did not report any known cases of criminal activity as a result of the breaches, in several cases departments like the RCMP and the Canada Border Services Agency qualified that by saying they could not know if the private information or documents involved in the breach were used in a crime.
Tobi Cohen, spokeswoman for the privacy commissioner’s office, said Therrien is concerned about the breaches of privacy by federal government departments and has called for Parliament to give reporting requirements more teeth.
“The Commissioner recently appeared before Parliament to discuss Privacy Act reform. Among our recommendations is that breach reporting be required by law, not simply by way of a directive from the Treasury Board Secretariat,” she said. “We’ve also recommended that the Privacy Act require federal organizations to safeguard the personal information in their care – currently it does not.”
What does – or doesn’t – have to be reported to the Office of the Privacy Commissioner (OPC) has changed significantly over the years.
In the past, Treasury Board policy said “it is strongly recommended that institutions notify the OPC and of the mitigation measures being implemented” if the breach involved sensitive personal data, can result in identity theft or related fraud or “can otherwise cause harm or embarrassment which would have detrimental effects on the individual’s career, reputation, financial position, safety, health or wellbeing.”
In 2014, however, Prime Minister Stephen Harper’s government changed the reporting requirement to require that departments report only “material privacy breaches” that “involves sensitive personal information and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.”
Examples given of sensitive information are medical, psychiatric or psychological information; information compiled and identifiable as part of an investigation into a possible violation of law; criminal history; information on the eligibility for social benefits; information concerning an individual’s racial or ethnic origin, religious or political beliefs, associations or lifestyle or information describing an individual’s finances such as financial history or tax returns.
Examples of serious injury or harm to an individual under the guidelines include identity theft or related fraud; material loss to the individual; or “lasting harm or embarrassment that will have direct negative effects on a litigation involving the individual or on an individual’s career, reputation, financial position, safety, health or well-being.”
In both cases, departments are required to document decisions not to notify the privacy commissioner of a breach.
In some cases, departments had privacy breaches involving large numbers of Canadians but did not notify the privacy commissioner’s office, according to documents tabled in the House of Commons last week in response to a question from NDP MP Alexandre Boulerice.
Canada Post had one breach that affected 1,330 individuals but did not report it to the Privacy Commissioner. The Correctional Service of Canada had one breach that affected 545 people and another that touched 506, but neither of them was among the 55 breaches it reported to the privacy commissioner out of a total of 169 breaches that affected 1,480 people.
Employment and Social Development Canada, which runs the Service Canada offices, reported 596 breaches that affected 1,585 people but blamed nearly half of them on Canada Post.
“Out of the 596 breaches, 243 were caused by the Canada Post Corporation (CPC) (passport lost in mail),” it wrote.
Employment and Social Development Canada only reported 12 breaches to the privacy commissioner even though lost passports could potentially be used to commit identity theft.
Although it is charged with safeguarding some of Canadians’ most sensitive information — their tax returns — the Canada Revenue Agency once again topped the list with 3,868 privacy breaches affecting 13,665 individuals. The vast majority of those breaches (3,842) were not reported to the privacy commissioner although one incident affected 8,451 people.
“In the last years, we have seen the number of breaches going up. Canadians trust the government with very personal financial information. They rightfully expect that it will be kept safe. It is even more true in breaches at the CRA where it exposes law-abiding Canadians to thieves and fraudsters,” said Boulerice, the NDP Ethics critic, in a statement.
In an explanation it included with its statistics, the CRA said 91.6 per cent of its information and privacy breaches involved misdirected mail, 6.3 per cent related to the theft, loss or compromise of information and 2.1 per cent represented administrative investigations. The agency estimates 10-15 per cent of the misdirected mail was the result of taxpayer error.
In some cases, departments admitted that they really don’t know how many people were affected by a privacy breach.
Immigration, Refugees and Citizenship Canada reported it had 304 breaches affecting 2,354 individuals. However, there are 50 other breaches where it has not yet determined the number of individuals who might have been affected.
The Department of National Defence also admitted it only supplied partial numbers, saying the Director General of Defence Security’s databank only tracks incidents of high or very high severity and does not keep track of the number of people affected. The partial records showed 101 breaches affecting 384 individuals, including the accidental dissemination of a database with personal information on more than 100 people to individuals who should not have received it. None of the incidents were reported to the privacy commissioner.
One of the single largest breaches occurred at Public Services and Procurement Canada where one incident affected 10,308 individuals. It was one of the four incidents out of 121 that made it to the privacy commissioner’s office.
While many departments gave little or no information about the type of incident that caused the privacy breach, Statistics Canada outlined its 36 incidents affecting 5,287 people in great detail, from child immunizations and parental attitude data that was not suppressed when sent to another government department to a list of 1,006 business and household addresses that was lost.
The Canadian Security Intelligence Service refused to disclose whether it had any privacy breaches, citing national security. However, its sister agency, the Communications Security Establishment, acknowledged it had 13 breaches affecting 630 people, including one that touched 465 people. None of the incidents were reported to Therrien’s office.
Author: Elizabeth Thompson