CRA sent out SIN numbers to wrong people, MP says

Ontario MP Charlie Angus says the CRA sent out SIN information to the wrong people, twice. The Canadian Press Images-Mario Beauregard

OTTAWA – A New Democrat MP says the Canada Revenue Agency twice mailed batches of private information — including names and social insurance numbers — to the wrong people in his riding.

Charlie Angus has asked the office of federal privacy commissioner Daniel Therrien to investigate the apparent violations.

In a letter to the commissioner’s office, Angus says the revenue agency mailed a package April 6 to several constituents in Kirkland Lake, Ont., containing the names, SINs, addresses and phone numbers of five people.

Five days later, the same constituents were mailed a second package with similar personal information about 11 people.

“They were pretty stunned when they received them,” said Angus, who has often criticized the federal agency over privacy lapses.

He called the latest incidents completely unacceptable, saying they involved the sort of information that — if it fell into the wrong hands — could lead to fraud and identity theft.

“Why would you be sending this out to anybody? This is the kind of breach that makes no sense,” Angus said.

“I think what’s really disturbing is, when it comes to data breaches, CRA is a repeat offender.”

The revenue agency had no immediate comment.

In his latest annual report, Therrien urged federal agencies to put more rigorous safeguards in place to protect sensitive personal information.

The commissioner underscored a record-high number of federal government data breaches disclosed to his office.

Federal institutions reported 256 breaches in 2014-2015, up from 228 the year before. It marked the first time institutions were required to report significant data breaches to the commissioner.

As in previous years, the leading cause of breaches was accidental disclosure, a risk Therrien said can often be managed by following proper procedures.

In 2013 the privacy commissioner’s office audited the Canada Revenue Agency, focusing on its access controls to personal information.

The privacy watchdog made 13 recommendations in areas including monitoring of employee access rights, threat and risk assessments for information-technology systems and ensuring the privacy impacts of new programs are assessed.

The agency agreed with the commissioner’s recommendations, and the watchdog made plans to follow up on progress this year.

Angus said the revenue agency needs to implement better training of personnel and impose stricter controls over information.

Follow @JimBronskill on Twitter
