Poor security leads to improper tax info disclosure, watchdog says

OTTAWA—The federal privacy watchdog says weak security practices at the federal tax office led to thousands of files being inappropriately accessed for years without detection.

Privacy commissioner Jennifer Stoddart has more than a dozen recommendations—including better monitoring of employee access rights—to ensure the Canada Revenue Agency protects sensitive information.

“Canadians deserve to have their personal information protected, particularly when they provide it to the government under legal compulsion,” Stoddart said in a news release.

She tabled a special audit of the revenue agency along with her annual report on compliance with the Privacy Act, the law that governs how federal agencies handle personal information.

For the second year in a row, all-time highs were set for both privacy complaints about federal organizations as well as data breaches reported by departments and agencies.

From April 2012 to the end of March, Stoddart received 2,273 complaints from the public, up from 986 over the same period a year before.

Much of the increase stemmed from two highly publicized data breaches involving Employment and Social Development Canada and the Justice Department.

Stoddart also flagged elements of the Canada-United States perimeter security pact, intended to smooth the passage of goods and people across the 49th parallel while beefing up continental defences.

She expressed concern about plans to keep information for 75 years once it’s collected by border officials under a new entry-exit system that will track the movements of travellers.

Stoddart also objected to an absence of signs informing people they might be subject to detention, questioning or searches in areas including departure lounges or shipping terminals—part of a plan to extend the powers of Canada Border Services Agency officers.

“Perimeter security is and will remain an important priority for the government,” Stoddart said in the release. “Our office has joined with our provincial and territorial colleagues in raising the need to ensure that the standards and values behind our privacy laws are not diminished.”

Stoddart leaves the privacy commissioner’s post later this year.

A successor has not been named.