Letter to the Standing Committee on Access to Information, Privacy and Ethics on study on privacy breaches at the Canada Revenue Agency

December 20, 2024

BY EMAIL

John Brassard, MP
Chair
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
Sixth Floor, 131 Queen Street
Ottawa ON K1A 0A6

Dear Mr. Chair,

I am writing in follow-up to my appearance before the Standing Committee on Access to Information, Privacy and Ethics on December 5, 2024, in relation to your study on privacy breaches at the Canada Revenue Agency. During my appearance, I was asked to provide the Committee with details concerning the levels of assurance that guide departments in determining both identity assurance and credential assurance practices, and the associated descriptions of harm for each level, as discussed in my Office’s February 2024 Special Report to Parliament, Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks.

As noted during my testimony, this is a methodology used by the Government of Canada, in accordance with the Treasury Board of Canada Secretariat’s Guideline on Defining Authentication Requirements, relevant portions of which are appended for ease of reference.

Assessing the appropriate level of identity assurance means determining the level of confidence required that an individual applying for a new account, service or credential is who they claim to be. Assessing the appropriate level of credential assurance (which follows the initial identity verification stage) means determining the level of confidence required that an individual has maintained control over a credential entrusted to them and that the credential has not been compromised.

The Guideline on Defining Authentication Requirements (attached) sets out four “levels of assurance”, considering the harms that would occur as a result of a compromise, to guide departments in determining both identity assurance and credential assurance practices. In terms of potential financial harms, examples of level 2 are described as ones having no impact or only an insignificant material impact on an individual; at level 3, these are described as ones having a “significant material impact”. As relates to psychological distress, examples of level 2 are those not requiring treatment by first-aid personnel or health care professionals; at level 3, these would require some kind of treatment (first-aid or otherwise).

The Guideline on Identity Assurance sets out the minimum requirements for establishing the identity of an individual based on the level of assurance.

Under Government of Canada guidelines (Footnote 1), level 2 credential assurance requires only single-factor authentication (e.g., “something you know”—such as passwords), while level 3 credential assurance requires multi-factor authentication (MFA; Footnote 2) (e.g., “something you know” plus “something you have”—like a one-time code sent to a phone number registered to the user).

In our investigation report released in February 2024, we noted that the investigation revealed that CRA had assessed the level of assurance for all affected online services as level 2 and that MFA was therefore not required to access CRA’s portal and services. Given that compromised CRA accounts can result in significant harms, including financial loss and/or psychological distress, we found that level 3 identity and credential assurance was warranted.

As a final note, I would like to highlight that following the February 2024 Special Report to Parliament on this matter, my Office published in March 2024 Key takeaways from the OPC’s investigation into the GCKey and CRA cyberbreach. The purpose of this document is to highlight lessons learned, best practices and other important privacy protection information gleaned from the investigation and share it with subject matter experts across the federal public sector.

I hope that this information is of assistance to the Committee. Please do not hesitate to contact me should you have any questions or require further information.

Sincerely,

(Original signed by)

Philippe Dufresne
Commissioner

Encl.

c.c.: Nancy Vohl
Clerk of the Committee


Appendix A (from TBS’ Guideline on Defining Authentication Requirements)

Table 1: Assurance Level Framework
Level 4
Identity assurance: Very high confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause serious to catastrophic harm.
Credential assurance: Very high confidence required that an individual has maintained control over a credential that has been entrusted to him or her and that that credential has not been compromised. Compromise could reasonably be expected to cause serious to catastrophic harm.

Level 3
Identity assurance: High confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause moderate to serious harm.
Credential assurance: High confidence required that an individual has maintained control over a credential that has been entrusted to him or her and that that credential has not been compromised. Compromise could reasonably be expected to cause moderate to serious harm.

Level 2
Identity assurance: Some confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause minimal to moderate harm.
Credential assurance: Some confidence required that an individual has maintained control over a credential that has been entrusted to him or her and that that credential has not been compromised. Compromise could reasonably be expected to cause minimal to moderate harm.

Level 1
Identity assurance: Little confidence required that an individual is who he or she claims to be. Compromise could reasonably be expected to cause minimal to no harm.
Credential assurance: Little confidence required that an individual has maintained control over a credential that has been entrusted to him or her and that that credential has not been compromised. Compromise could reasonably be expected to cause minimal to no harm.

Appendix B (from TBS’ Guideline on Defining Authentication Requirements)

Examples of Harm
For each category of harm, the examples given for Level 1 through Level 4 are listed in turn.

1. Inconvenience, distress, loss of standing or reputation
Level 1
  • Alternatives are available with little or no delay and no additional costs or degradation of service quality
  • Minor embarrassment
Level 2
  • Alternatives are readily available
  • Loss of reputation or standing between the principals
  • Loss of trust or confidence between principals
Level 3
  • Alternatives are not readily available
  • Loss of reputation or standing beyond the principals (including third parties)
  • Loss of trust or confidence beyond the principals (including third parties)
Level 4
  • Alternatives are not available
  • Wide-scale permanent loss of reputation or standing
  • Wide-scale permanent loss of trust or confidence

2. Financial loss
Level 1
  • No financial loss
Level 2
  • Financial loss that has no impact or only an insignificant material impact on the financial standing of an individual or organization
  • A budgetary impact that may require reallocation of funds but no additional financing
Level 3
  • Loss of a financial amount that has a significant material impact on the financial standing of an individual or organization
  • A budgetary impact that may require re-allocation of funds and additional financing
Level 4
  • Loss of a financial amount that severely jeopardizes the financial standing of an individual or organization
  • Financial restructuring may be required

3. Harm to program or to public interest
Level 1
  • No noticeable reduction in effectiveness of a primary function of an organization
  • No compromise to a critical asset
  • No loss of public confidence
Level 2
  • Noticeably reduced effectiveness of a primary function of an organization
  • No compromise to a critical asset
  • Temporary loss of public confidence
Level 3
  • Significantly reduced effectiveness of a primary function of an organization
  • Compromise to a critical asset
  • Long-term loss of public confidence
Level 4
  • Unable to perform primary function of an organization
  • Major damage to or potential loss of a critical asset
  • Permanent loss of public confidence

4. Unauthorized release of sensitive personal or commercial information
Level 1
  • No loss of privacy
  • No increase in public scrutiny or media attention
Level 2
  • Loss of privacy, unwanted surveillance, tracking, monitoring, data profiling or data matching
  • Loss of confidence in the organization, compromised business relationships or decreased competitive standing
  • Loss of competitive advantage
Level 3
  • Potential inability to fulfill legal or contractual obligations
  • Damage to business relationships requiring legal remedies
  • Disruption of social order or civil unrest
Level 4
  • Loss of business continuity
  • Cessation of business relationships
  • Market volatility
  • Loss of authority (e.g., due to intervention by an external party)

5. Unauthorized release of sensitive government information (non-personal information)
Level 1
  • No increase in public scrutiny or media attention
Level 2
  • Loss of public confidence
  • Increase of public scrutiny or media attention
  • Diminished program integrity
Level 3
  • Increased oversight (e.g., increased audits, more stringent approval processes)
  • Temporary revocation of departmental authorities
  • Compromise to critical asset
Level 4
  • Loss of continuity of critical government services
  • Erosion or loss of departmental authorities
  • Major damage to or potential loss of a critical asset
  • Irreversible damage to public trust

6. Civil or criminal violations
(Any compromise involving a legal violation is assessed at a minimum of Level 2)
Level 2
  • False claims or wrongful actions having minor financial or legal implications and which pertain to the individual only
  • The violation does not ordinarily require disciplinary, investigative or enforcement action
  • The violation may result in a summary offence
Level 3
  • False claims or wrongful actions having significant financial or legal implications and which may also pertain to third parties (e.g., trustees acting on behalf of the individual)
  • Violation could require disciplinary, investigative or enforcement action
  • The violation may result in an indictable offence (e.g., criminal offence)
Level 4
  • False claims or inaccurate representations in relation to services or transactions where the safety and well-being of the individual or other affected parties may be jeopardized
  • The violation requires disciplinary, investigative or enforcement action
  • The violation may result in an indictable offence of a serious nature (e.g., terrorism)

7. Personal health and safety
(Any compromise involving health and safety is assessed at a minimum of Level 2)
Level 2
  • No physical injury or psychological distress that requires treatment by first-aid personnel or a health care professional
Level 3
  • A physical injury or psychological distress that requires treatment by first-aid personnel or a health care professional
Level 4
  • A physical injury or psychological distress that requires an emergency response

8. National interest
(Any compromise involving the national interest is assessed at a minimum of Level 2)
Level 2
  • Any issue that may result in a disadvantage to the national interest
Level 3
  • Any issue that is reasonably expected to cause injury to the national interest
Level 4
  • Any issue that is reasonably expected to cause serious or exceptionally grave injury to the national interest
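As an added worked example (not part of the letter or of the TBS Guideline), the following Python applies the framework summarised in Appendices A and B and in the body of the letter: a service is rated per harm category against the Appendix B columns, categories 6 to 8 are floored at Level 2, the highest level reached becomes the service's assurance level, and Levels 2 and 3 map to the single-factor and MFA requirements the letter describes. The two assessments are constructed to mirror the CRA's Level 2 rating and the OPC's Level 3 finding; extending the credential mapping to Levels 1 and 4 is an assumption.

```python
# Added example (not from the letter or the TBS Guideline): derive a service's
# assurance level from a per-category harm assessment per Appendices A and B.

# Appendix B harm categories. Categories 6, 7 and 8 have no Level 1 examples:
# any compromise in them is assessed at a minimum of Level 2.
HARM_CATEGORIES = {
    1: "Inconvenience, distress, loss of standing or reputation",
    2: "Financial loss",
    3: "Harm to program or to public interest",
    4: "Unauthorized release of sensitive personal or commercial information",
    5: "Unauthorized release of sensitive government information",
    6: "Civil or criminal violations",
    7: "Personal health and safety",
    8: "National interest",
}
MIN_LEVEL_2_CATEGORIES = {6, 7, 8}

# Appendix A: harm a compromise could reasonably be expected to cause.
HARM_AT_LEVEL = {1: "minimal to no harm", 2: "minimal to moderate harm",
                 3: "moderate to serious harm", 4: "serious to catastrophic harm"}


def required_assurance_level(assessment):
    """assessment maps a category number to the Appendix B column (1-4) whose
    examples match the worst harm a compromise could reasonably cause; omit
    categories with no applicable harm. The service's level is the highest
    level reached by any single category (worst case drives the result)."""
    level = 1
    for category, harm in assessment.items():
        if category not in HARM_CATEGORIES:
            raise ValueError(f"unknown harm category {category}")
        if harm not in HARM_AT_LEVEL:
            raise ValueError(f"harm level must be 1-4, got {harm!r}")
        if category in MIN_LEVEL_2_CATEGORIES:
            harm = max(harm, 2)  # Appendix B minimum for these categories
        level = max(level, harm)
    return level


def credential_requirement(level):
    """Letter: Level 2 needs single-factor, Level 3 needs MFA. Treating Level 1
    like Level 2 and Level 4 like Level 3 is an assumption made here."""
    return "multi-factor authentication" if level >= 3 else "single-factor authentication"


# Constructed assessments mirroring the letter: CRA rated the financial and
# psychological harms of a compromised account at Level 2; the OPC found that
# both reach Level 3 (significant material impact; distress needing treatment).
CRA_ASSESSMENT = {2: 2, 4: 2, 7: 2}
OPC_ASSESSMENT = {2: 3, 4: 2, 7: 3}
```

Calling `required_assurance_level(OPC_ASSESSMENT)` yields Level 3, so `credential_requirement` returns the MFA requirement the letter says was warranted, while the CRA assessment stops at Level 2.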
