Workers at the Canada Revenue Agency continue to snoop on the confidential tax files of spouses, parents, friends, neighbours, colleagues, church members and businesses, despite a $10-million project meant to discourage them.
Ten months of internal reports obtained by CBC News show the files of at least 10,000 Canadians were compromised by the agency’s employees, who used their privileged access to government databases to make unauthorized forays into taxpayers’ private financial affairs.
One worker in the CRA’s Calgary office last year kept a detailed spreadsheet on the financial data of 310 people in his community.
“[T]he investigation concluded that the employee made unauthorized accesses to his own account, and to a total of 310 other taxpayer accounts, including the employee’s spouse, mother, former Team Leader, and two colleagues,” says an Oct. 10, 2017 CRA report.
“The employee kept the information of the 310 individuals on a spreadsheet in his ‘H’ drive in order to keep track of who lived in his community.”
Another worker at the CRA’s Scarborough office in Toronto conducted 49 unauthorized data searches to briefly access the files of 3,709 Canadians. She also downloaded detailed tax files on 16 other people, along with her own, without authorization, says an Oct. 31, 2017 CRA report.
Altogether, CBC News obtained details on 14 significant privacy breaches that were serious enough to be reported to the federal privacy commissioner — 10 of which were the work of rogue employees. The other four involved inadvertent disclosures, such as a box of files being sent to the wrong address.
Dozens of federal institutions report significant privacy breaches each year to the privacy commissioner, as required — and the CRA is usually among the top offenders. But unlike other departments, the tax agency’s breaches are most often the result of bad behaviour by employees rather than accidents involving, for example, mail sent to the wrong address.
The official case reports, released under the Access to Information Act, refer vaguely to “disciplinary” or “administrative” measures applied to the workers, but offer no specifics.
None of the cases were referred to police. The files routinely assess the risk of news media learning about the breaches.
The released material, covering investigations that concluded between September 2017 and June 2018, suggests employee misbehaviour is on the rise.
Statistics published by the privacy commissioner support that view. Major privacy breaches reported by the CRA fell from 38 in 2014-2015 to 10 in 2016-2017 — but spiked to 25 in 2017-2018. (The privacy commissioner’s published statistics contain no information about the nature of the breaches.)
The CRA completed a $10.2-million technology project on March 31, 2017 — called the Enterprise Fraud Management Solution — to better track and deter employees’ unauthorized snooping.
A report to Parliament earlier this year said there had been more than 2,000 privacy incidents at CRA between mid-September 2016 and June 2018 — but they usually involved misdirected mail and were considered so minor that the agency felt it did not need to report them to the privacy commissioner.
The largest employee-initiated breach ever discovered at the agency occurred in March of this year, when a Toronto worker briefly accessed the files of 11,745 individuals. CRA never reported it to the privacy commissioner because the access was considered too fleeting to be significant.
The 14 CRA incident reports obtained by CBC News, on the other hand, contain cases of “material” breaches, defined as those “involving sensitive personal information … that could reasonably be expected to cause serious injury or harm to the individual and/or [involve] a large number of affected individuals.” All of those had to be disclosed to the privacy commissioner.
Typical was the 2017 case of a female employee at a Vancouver CRA office. “[T]he employee made unauthorized accesses to her own taxpayer information and to a total of 38 accounts: four family members, nine friends, four taxpayers, four neighbours, three CRA employees, three local churches and 11 of the churches’ members.”
None of these reports attribute any clear motivation to the rogue employees, who are never identified in the documents (although general information about their targets is given). The material also notes how many taxpayers were notified of the breaches in each case.
The breaches usually involved disclosures of social insurance numbers, addresses, phone numbers, dates of birth, marital status, income and deductions as well as employment information — all standard information on annual tax forms.
A CRA spokesperson said the sharp increase in the number of breaches reported to the privacy commissioner in 2017-2018 was the direct result of the effectiveness of the new Enterprise Fraud Management system in catching snooping employees.
The spokesperson, Etienne Biram, declined to indicate how the agency disciplined the workers, saying only that “the most extreme cases of misconduct attract the most severe measures of discipline, up to and including termination of employment.”
About 60 per cent of CRA’s roughly 40,000 employees have access to taxpayer files. Biram said the agency has been stepping up monitoring of staffers and limiting their ability to see data that is not relevant to their work.
Last year, a courier hired by the CRA lost a DVD containing the confidential 2014 files of 28,000 taxpayers in Yukon — about three-quarters of the population. The information was encrypted and organized to be resistant to unauthorized access, officials said.