Skip to Content

CRA fired 8 employees in last fiscal year for improperly accessing taxpayer information

Topics: - Privacy
Jurisdiction: - Canada/Federal

The Canada Revenue Agency terminated the employment of eight employees between April 2016 and March 2017 for accessing taxpayers' personal information without authorization.

This according to an article that ran today by the Canadian Press and that was carried by several media outlets, including the Globe and Mail and the Financial Post, and an article by the CBC. 

Other information of note from the articles (in some cases directly taken from the articles) is:

  • One incident, involved an employee improperly accessing the accounts of 38 taxpayers in detail, and briefly accessing another 1,264 accounts using a search function to find surnames and postal codes. The incident happened in a CRA office in the Prairie region some time before March 23, 2016. The internal investigation into the breach concluded November 16, 2016, with a decision to notify the 38 individuals that their accounts had been improperly scrutinized. The CRA is calling this its largest privacy breach in history when measured by number of accounts. 
  • All of the incidents were reported to the federal privacy commissioner as required on federal government policy because they involve sensitive personal information that could be used to cause "serious injury or harm" to the individual, or involved a large number of affected individuals.
  • In 2013, the federal privacy commissioner released a critical audit of how the CRA controlled access to personal information and made 13 recommendations in areas including monitoring of employee access rights, threat and risk assessments for information-technology systems and ensuring the privacy impacts of new programs get evaluated.
  • The CRA is typically among the top five privacy offenders of some 240 federal institutions subject to the Privacy Act.
  • About 40,000 people work for the CRA.
  • On March 31, 2017 the CRA completed a $10.2-million technology project that it says will more closely will monitor employee accesses to taxpayer information and will flag accesses that appear inconsistent with the employees' assigned workloads or duties.
  • The annual number of CRA-reported breaches has been falling, from 34 in 2014 to 27 in 2015 and to 10 since January 1, 2016.