The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months, according to government documents made public last week.
But while the number of potential privacy breaches may be eye-popping, the CRA is downplaying the seriousness of most of them.
Government documents tabled last Friday in the House of Commons outline privacy breaches across all government departments and agencies since mid-September 2016.
While almost every department has had problems (from stolen laptops to misfiled victim impact statements to employees accessing vacation schedules without permission), the CRA has experienced the most privacy breaches, recording a total of 2,338 in the 21-month time span.
“It is important to note that a privacy breach does not necessarily mean that an individual’s personal information has been compromised, but that the information was accessed without authorization,” said CRA spokesperson Etienne Biram.
The most recent major breach at the agency occurred just two months ago, on April 14, when an employee conducted an unauthorized search of the CRA’s database. No individual personal accounts were actually opened, Biram said, but the results did include two taxpayers “known to the employee.”
For that reason, those two taxpayers will be notified by the CRA of the breach, he added. The 11,744 other people who were included in the search results will not.
But only a handful affected a large number of Canadians. On May 12, 2017, for example, nearly 6,000 people were affected by an unauthorized database search by an employee. According to Biram, 17 individual files were actually opened during that incident.
Then, on Nov 8, 2017, about 3,700 more Canadians were affected by another unauthorized search, with 124 files accessed.
The CRA would not provide any information about the possible motivations behind these searches. This type of forbidden accessing of files is not a new problem at the agency, however.
“Allegations or suspicions of employee misconduct are taken seriously, are thoroughly investigated and, when wrongdoing or misconduct is founded, appropriate measures are taken,” Biram said.
Between the start of 2016 and the end of 2017, a total of 25 CRA employees lost their jobs “due to failure to secure personal information or due to unauthorized access or disclosure of personal information.”
As recently reported by CBC News, hundreds more have been disciplined in other ways. It’s unclear if there have been any firings so far in 2018. About 44,000 people work for the agency, and they all receive mandatory and ongoing security training.
That may not be enough, said Pat Kelly, Conservative critic for national revenue.
“(Unauthorized access) is certainly a cause for concern for Canadians and something that the minister, we hope, would take very seriously and get involved in directly.”
Kelly said he doesn’t think more funding is the answer, and “it’s probably more a matter of culture.”
“Canadians need to have confidence that information at the agency is held in the strictest confidence, and that no information is accessed inappropriately,” he said. “If there are instances of unauthorized accessing of information, they must be dealt with seriously.”
Thefts and losses on the rise
The types of privacy breaches the CRA sees have also been shifting since 2015.
The number of “security incidents” (theft or loss of information) has gone up slightly, for example, rising to 183 in 2017-18 from 158 in the 2015-2016 fiscal year. The number of internal investigations has doubled in the same span, to 168 from 79.
“This is directly correlated to the significant investment made by the CRA to detect and monitor unauthorized access by employees,” Biram said.
In March 2017, the CRA completed a $10.2-million technology upgrade that was designed, in part, to monitor workers more carefully.
Overall, however, over 80 per cent of the potential privacy breaches over the last two years may not have involved the digital realm at all. They are what the CRA classifies as “misdirected mail.”
The number of wayward CRA letters or other documents ending up in the wrong homes has been dropping steadily since 2015, although it’s important to note that many Canadians have moved to online correspondence with the agency, which could account for some of that reduction.
Misdirected mail incidents represent a tiny fraction, just 0.003 per cent, of all mail sent by the CRA in a given year, Biram said.
Any privacy breaches that involve a large number of people or involve sensitive personal information that “could reasonably be expected to cause serious injury or harm to the individual” must be reported to the Office of the Privacy Commissioner.
Of the 2,338 potential privacy breaches at the CRA since late 2016, 33 incidents met that threshold.