OTTAWA – The Canada Revenue Agency says eight of its employees were fired in the last fiscal year after violating taxpayers’ privacy.
Previously, the agency has not always confirmed if an employee was fired or shuffled out of the CRA for being part of a privacy breach, often citing the employee’s privacy.
A spokesman for the agency says the employees in each case were found to have had unauthorized access to taxpayer information, including one incident that the CRA calls the largest such breach in the agency’s history.
In that case, one employee improperly accessed the accounts of 1,264 taxpayers.
All of the firings took place between April 2016 and March 2017, the federal government’s fiscal year.
All of the incidents were also reported to the federal privacy commissioner as required on federal government policy because they involve sensitive personal information that could be used to cause “serious injury or harm” to the individual, or involved a large number of affected individuals.
“The CRA takes the protection of Canadians’ tax information very seriously. The confidence and trust that individuals and businesses have in the CRA is a cornerstone of Canada’s tax system,” agency spokesman Patrick Samson said in an email.
The agency has looked to crack down on internal privacy breaches years after Canada’s privacy watchdog released a critical audit of how the CRA controlled access to personal information.
The privacy watchdog made 13 recommendations in 2013 in areas including monitoring of employee access rights, threat and risk assessments for information-technology systems and ensuring the privacy impacts of new programs are evaluated.
Still, privacy violations have dogged the CRA.
In February, the CRA reported that it had lost a DVD containing information on about 28,000 Yukon taxpayers. The information from the 2014 tax year, hasn’t been recovered, Samson said.
The DVD was encrypted and the data stored in a way that it would be difficult to read even if the encryption were broken.
Samson said there is no evidence that the personal information on the DVD has been compromised.