BreachOfPrivacy
Office of the Privacy Commissioner of Canada | Privacy Act | Special report to Parliament | Well-founded & conditionally resolved

Special report to Parliament: Investigation of unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency

Organization: Canada Revenue Agency
Decision: May 7, 2026
Published: May 7, 2026

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

  • Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
  • Timeliness and strength of multi-factor authentication implementation.
  • Effectiveness of monitoring and detection mechanisms for UUTPs.
  • Coordination and proactivity of the CRA's governance for addressing UUTPs.

Complaint well-founded and conditionally resolved.

The investigation found that the CRA contravened subsections 6(2) and 8(2) of the Privacy Act due to shortcomings in safeguards, leading to unauthorized disclosures and modifications of taxpayer information. However, the outcome is conditionally resolved as the CRA has accepted most of the OPC's recommendations for improvement.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

The OPC made 9 recommendations to the CRA, of which 8 were accepted in full and one in part, aimed at improving security measures, monitoring, detection, and governance related to taxpayer information.

Statutory provisions cited
  • s. 6(2) Privacy Act
  • s. 8(2) Privacy Act

This summary is informational only and not legal advice.