
Investigation into the steps the Canada Revenue Agency took to ensure the accuracy of a taxpayer’s personal information that it used to make an administrative decision about them
The OPC investigated a complaint that the Canada Revenue Agency (CRA) failed to ensure the accuracy of a taxpayer's personal information used for administrative decisions. An imposter used the complainant's compromised CRA My Account to fraudulently receive COVID-19 benefits and Employment Insurance. The investigation found that the CRA's inadequate safeguards allowed unauthorized access and modification, contravening section 6(2) of the Privacy Act. The CRA has since implemented corrective measures.
- Adequacy of safeguards to protect against unauthorized access and modification of personal information.
- Reasonable steps taken by the CRA to ensure the accuracy of personal information used for administrative decisions.
- Timeliness of notification and privacy breach reporting.
- Impact of identity theft on tax reassessments.
Complaint well-founded and conditionally resolved.
The investigation determined that the CRA did not take all reasonable steps to ensure the accuracy of the complainant's personal information, as required by section 6(2) of the Privacy Act, due to inadequate safeguards against unauthorized access and modification. The CRA has committed to implementing corrective measures.
AI-generated summary for reference only. Always verify against the official decision.
The CRA has implemented enhanced security measures for its authentication request processes and for high-impact modifications to personal information, and has committed to further changes.
- section 6(2) of the Privacy Act

