Canada Revenue Agency and the Canadian Broadcasting Corporation (CRA)

Complaint under the Privacy Act (the Act)

Introduction

1. This Report of Findings relates to complaints against the Canada Revenue Agency (CRA) in relation to a privacy breach wherein the personal information of approximately 1,000 individuals was inadvertently mailed to the Canadian Broadcasting Corporation (CBC).

Background

2. On November 25, 2014, the CRA verbally notified the Office of the Privacy Commissioner of Canada (the "OPC") of the privacy breach. Formal written notification was subsequently received from the CRA on November 26, 2014.
3. The CRA confirmed that the personal information compromised by the breach included the affected individual's name, address, a description of their donation(s), the donation's proposed fair market value, and the donation's fair market value as determined by the Canadian Cultural Property Export Review Board.
4. Between December 3, 2014 and the date of this Report, nine individuals filed complaints with the Privacy Commissioner in relation to the incident.
5. The complainants allege that the CRA is in contravention of the Privacy Act for disclosing their personal information to the CBC without consent. In addition, concerns were raised that this breach may have an adverse impact on the ability of designated organizations to attract donations of cultural property, and that overall, it has shaken individuals' faith in the government's ability to protect personal information.

Summary of Investigation

6. Our investigation confirmed that in preparing a consultation package related to a review by the Administrative Tribunals Support Service of Canada (ATSSC), and simultaneously preparing a response package to an Access to Information request from the media, a CRA Access to Information and Privacy (ATIP) clerk inadvertently switched the cover letters accompanying the response packages for these two requests. Both packages were sent to the CRA mailroom on November 20, 2014.
7. The ATIP manager who processed the media request received a call from the ATSSC and was informed that they had received the wrong package. The ATIP manager was unaware that the ATSSC had received the right response package but the wrong cover letter, and therefore advised the ATSSC to return the entire package to the CRA.
8. As a result of this information, the package destined to the media requester was retrieved from the CRA's mail room, the correct cover letter was added, and the package was re-mailed to the media requester.
9. On November 24, 2014, the CRA received the package that was returned by the ATSSC. Both the ATIP manager and clerk who had previously processed these packages were away from the office. A second ATIP clerk received the package, but was not aware that the media request had already been fulfilled and therefore sought advice from the ATIP analyst who processed the request. The second ATIP clerk was advised that they should reroute the entire package initially sent to the ATSSC to the media requester via courier.
10. As a result, the incorrect package that had been recovered from the ATSSC was couriered to the media requester. The CRA confirmed that the media requester received the package mailed on November 20, 2014, as well as the ATSSC package that was couriered on November 24, 2014.
11. On November 25, 2014, the clerk who had originally been responsible for the ATSSC package returned to work and double-checked the system to see if everything was done correctly. It was at this point that the CRA realized that the ATSSC consultation package had been inadvertently disclosed to the media requester.
12. Our investigation confirmed that the media requester was a CBC journalist. As a result of the incident, an article was published by the CBC on November 25, 2014, wherein details of the breach were reported publicly, including the names and photographs of some of the individuals affected by the breach.

CRA’s Actions Following the Incident

13. Upon learning of the error, we confirmed that the CRA immediately made several attempts to retrieve the package, including contacting the courier company, contacting the media requester by e-mail and telephone, as well as the CBC mailroom.
14. The CRA subsequently contacted the ATIP Coordinator at the CBC and was advised that an attempt would be made to retrieve and secure the material. The CBC followed-up and advised that it was unsuccessful in reaching the media requester.
15. Following this, we confirmed that the Commissioner of the CRA sent an electronic letter to the President of the CBC requesting the return of the information mailed in error to the media requester. The letter was subsequently hand-delivered on November 26, 2014.
16. The CRA confirmed that the CBC refused its requests to return the information in question. Consequently, the CRA has initiated legal action against the CBC to recover the information. The CRA posted a Statement on its website on May 15, 2015 regarding the final notice sent to the CBC.
17. Further to paragraph 2 of this Report, the CRA notified this Office of the incident verbally on November 25, 2014, and its formal breach notification was received on November 26, 2014.
18. According to representations received from the CRA, an internal investigation was immediately launched by its Security and Internal Affairs Directorate following the incident. We confirmed that the investigation concluded on December 29, 2014.
19. Following the CRA's internal investigation of the breach, the CRA reported that it conducted a review of the incident according to its Discipline Policy, the Code of Ethics and Conduct, and the Procedures for addressing employee misconduct.
20. Further to its internal investigation, the CRA confirmed that a total of 1,029 individuals and businesses were affected by the incident.
21. The CRA notified the affected individuals of the disclosure of their personal information via registered letter. The letters were mailed in two batches - the first letters were dated November 29, 2014; and the second letters were dated December 11, 2014.
22. The CRA advised affected individuals that the personal information compromised included their name, address, a description of their donation(s), the donation's proposed fair market value, and the donation's fair market value as determined by the Canadian Cultural Property Export Review Board. In addition, the CRA established a dedicated 1-800 number for affected individuals to obtain additional information in relation to the incident.
23. On December 2, 2014, the CRA also provided this Office with a copy of its "Plan to Enhance Protection of Taxpayer Information and Privacy in the CRA" (the "Action Plan"), which outlined the immediate and short-term measures to be implemented within the CRA to enhance the protection of taxpayer information and privacy. The Action Plan relates to three broad areas - including, operational processes, communications/training, and accountabilities.
24. The CRA provided this Office with an updated version of its Action Plan on January 28, 2015, and advised that it continues to review its privacy management practices. The updated Plan outlines the activities undertaken by the CRA to strengthen the safeguarding of personal information under its control.
25. TheCRA reported that many of the proposed activities have already been completed, including:
    • Privacy breach notifications: The ATIP Director sent an email to staff on December 1, 2014 informing employees that any cases of apparent and/or confirmed privacy breaches (including misdirected mail) must be brought to the immediate attention of the assistant director of the area in the ATIP Directorate where the breach occurred.
    • Revised mail out process: All mail out packages are now subject to additional quality assurance to ensure that the label on the release package and accompanying letter matches the label on the mailing envelope. A technical bulletin and checklist were distributed to all ATIP staff on December 12, 2014 to reinforce this mail out practice.
    • Revised consultations process: All DVDs and CDs (regardless of content) sent to other government departments for consultations must be password protected. A technical bulletin was sent to ATIP staff on January 6, 2015 outlining the process.
    • Training: ATIP Directorate Assistant Directors were asked to review their employees training histories to ensure that they had taken the CRA's mandatory security training module: Security - It's Everyone's Business! Those who had not taken the training were required to complete the training by January 1, 2015.
26. The CRA further submits that over the coming months, additional enhancements will be made to ATIP's privacy management practices. For instance, consultations are currently underway with other Government departments to review and implement best practices in place elsewhere.
27. In addition, the CRA launched an independent third party review of ATIP's privacy management control framework. At the time of this Report, the CRA confirmed that it was assessing a draft of the report prepared by the independent third party following its review.

Application

28. In making our determination, we considered sections 3, 7 and 8 of the Privacy Act.
29. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
30. Paragraph 7(a) of the Act states that personal information shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.
31. The Act states that personal information can only be disclosed with an individual's consent - subsection 8(1) - or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.

Analysis

32. Our investigation confirmed that on November 25, 2014, the personal information of 1,029 individuals and businesses was inadvertently mailed by the CRA to a CBC journalist. Specifically, we confirmed that in preparing a package to respond to an ATIP request, and simultaneously preparing a consultation review package for the ATSSC, the consultation package was provided to the ATIP requester, confirmed to be a CBC journalist.
33. The information mailed in error to the CBC journalist - including the name, address, description of donation(s), the donation's proposed fair market value, and the donation's fair market value as determined by the Canadian Cultural Property Export Review Board of these individuals - is clearly personal information as defined under section 3 of the Act.
34. The CRA is required under the Privacy Act to protect the personal information under its control from unauthorized access, use or disclosure. In this case, the investigation confirmed that the above-noted personal information was disclosed by the CRA without consent to a CBC journalist.
35. In our view, there was clearly a lack of communication that led to the mailing error in this case and which resulted in the unauthorized disclosure of personal information.
36. While we are satisfied that the remedial action taken by the CRA will mitigate the risk of a similar incident recurring, this disclosure of personal information does not meet the requirements of the disclosure provisions under section 8 of the Act.

Findings

37. Based on the above, we have concluded that the matter is well-founded.
38. We now take this opportunity to offer our observations to the CRA.
39. Privacy is a fundamental value to Canadians and it is an essential element in maintaining public trust in government. We remind the CRA that it needs to continually be aware of the personal information under its control, and its associated sensitivity and criticality.
40. The protection of personal information must be properly integrated in all CRA departmental functions, which requires the establishment of policies and procedures that support the effective management and protection of taxpayer information.
41. This is also highlighted in our 2013 Audit Report of the CRA^{Footnote 1}. While the scope and findings of the Audit related specifically to access controls and the monitoring processes of the CRA in relation to taxpayer information, the overall conclusions of the Audit are nevertheless relevant. In all Departmental functions that relate to the protection of taxpayer information, which includes the ATIP function, the CRA should ensure that policies and procedures are in place and followed to manage and safeguard taxpayer information.
42. In this case, our investigation identified a gap in the implementation of quality assurance procedures and a lack of employee communication which resulted in the mailing error and the unauthorized disclosure of personal information. We highlight that the translation of Departmental policies and procedures to the day-to-day business operations of the CRA requires ongoing employee awareness which is accomplished through training, effective management, leadership and supervision of employees.
43. We note that the CRA took immediate action to implement a number of activities to strengthen its personal information handling practices. The CRA has developed an Action Plan which outlines a number of immediate and short-term activities to mitigate the risk of a similar incident recurring, and to strengthen the safeguarding of the personal information under its control.
44. Given that many of these activities have already been completed by the CRA, we are satisfied that no further action is required by our Office at this time. Nevertheless, we encourage the CRA to continue with the implementation of its Action Plan to enhance its governance and accountability framework for the management and protection of taxpayer information and privacy. To this end, we will continue to monitor the CRA's review and implementation of the recommendations made as a result of the third party review of ATIP's privacy management control framework.
45. We also encourage the CRA to incorporate regular quality assurance monitoring and inspections into its day-to-day business operations in order to enhance mitigation of the potential future loss of control of personal information. It is the implementation of these very controls that will assist the CRA to adequately protect the personal information that Canadians entrust to it.