Thousands of Canadians compromised by government information breaches

Watch Above: Global News has learned there have been nearly 4,000 privacy and data breaches in federal departments over the last year or so. The worst offender was the Canada Revenue Agency. Jacques Bourbeau reports.

OTTAWA – From taxpayers to veterans to inmates, more than 6,400 Canadians were affected by information breaches at federal departments during a 10-month period last year.

Federal departments reported 3,835 data, information or privacy breaches affecting 6,405 people between April 2013 and the end of January 2014, according to the documents, which were tabled in the House of Commons this week.

But the worst offender was the taxman. Breaches at the Canada Revenue Agency impacted 2,249 people.

“The kind of information the Canada Revenue Agency has about you and me is perhaps among the most sensitive information that this government has,” said Murray Rankin, an NDP MP and former privacy lawyer. “You’d hope they would be the most secure about this information. CRA is obviously dropping the ball.”

The government says they take breaches seriously.

“We agree with Canadians who rightfully expect their personal information to be protected,” said Minister of National Revenue Kerry-Lynne Findlay, adding that the agency acts on all recommendations from the federal privacy commissioner, who acts as an independent watchdog.

Findlay also said 95 per cent of the breaches were misdirected mail, including fax and email, a mere 0.001 per cent of the 150 million pieces of mail the agency handles annually.

But the situation is not as benign as Findlay says. Her department admits privacy breaches affecting 479 Canadians were so serious they were reported to the federal privacy commissioner, an independent watchdog.

Rankin believes all of them should have been reported to the commissioner.

“The CRA can’t simply say on its own: ‘This isn’t important what these particular breaches entail,’” he said. “That’s what the privacy commissioner is for.”

Current standards mandate reporting  if the breach involves sensitive personal data like medical or financial information or social insurance numbers; can result in theft or fraud; or, can cause harm or embarrassment to the individual.

CRA wasn’t the only department having to fess up to mishandling information.

Prisoners, immigrants, veterans and students were all among those at risk of having their information end up in the wrong hands.

Breaches at Correctional Service of Canada involved 813 Canadians. At Citizenship and Immigration that number was 244, while at Veterans Affairs information for about 87 people went where it wasn’t supposed to go.

Veterans Affairs said they report everything to the privacy commissioner, “whether the result of a wrong envelope or an error in an address or name.”

Citizenship and Immigration Canada also says it takes privacy seriously during their millions of interactions with people around the world. The department said it tries to inform people immediately and take corrective action where possible in the “rare” cases of data breaches.

Although most of the statistics did not include details of the breach, some examples provided in the 468-page document included client email addresses shared and a lost unencrypted USB with employee information at Statistics Canada.

At National Defence, unnecessary medical information was shared with a commanding officer, a medical file was lost in transit and medical information was sent to someone who didn’t require it.

The Office of Canada’s Privacy Commissioner has a copy of the statistics and is currently reviewing it and says not all of the breaches involve personal information.

“While it’s our view that the federal government generally does a good job of protecting personal information, it is clear that there remains room for improvement,” said Anne-Marie Hayden, a spokeswoman for the commissioner.