How is the Canadian Government Doing on Protecting Personal Information in its Operations?

In the last two weeks, the out-going Privacy Commissioner of Canada, Jennifer Stoddart, has released three reports that provide insight on the current state of Canada’s federal government’s protection of personal information of Canadians in the course of departmental and agency operations.

Yesterday, the Privacy Commissioner tabled her Annual Report on the federal Privacy Act. The Privacy Act governs the collection, use and disclosure of personal information by approximately 250 federal government departments and agencies. The Annual Report is Commissioner Stoddart’s last report before the end of her mandate as Privacy Commissioner.

The Privacy Commissioner’s Annual Report disclosed:

  • Cross-border sharing of data between Canada and the US is expanding and being systematized. The Commissioner has raised concerns that this is a departure from previous practice in which information-sharing has occurred on a carefully considered case-by-case basis.
  • Record numbers of complaints were received by the Office of the Privacy Commissioner of Canada (OPC) from April 2012 to March 2013.
  • In total numbers, the OPC received 2,273 complaints. Even deducting the complaints from two major breaches at what was then known as Human Resources Development Canada and Justice Canada, the total number of complaints would have been a record high.
  • Data breaches are being reported in increasing numbers. 109 breaches were reported to the OPC in 2012-2013.

The Annual Report was accompanied by two other reports in recent weeks. Last week, the Office of the Privacy Commissioner (OPC) released a report on the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Yesterday, the OPC issued a report on an audit of the Canada Revenue Agency (CRA).

The OPC’s report on the CRA audit appears to reveal an organization that has made significant strides in enhancing security but remains slow in responding to some of OPC’s recommendations. In particular, the OPC’s report reveals that:

  • There have been more than 50 cases in 2011 and 2012 of inappropriate access to taxpayer information. Some involved thousands of taxpayer files over an extended period of time.
  • Although the OPC recommended the appointment of a Chief Privacy Officer following a 2009 audit of the CRA (a position not required by the Privacy Act or Treasury Board guidelines), this position was not filled until April 2013. Moreover, the role of the Chief Privacy Officer still had not been fully defined to the satisfaction of the OPC.
  • CRA uses generic User IDs for some functions (that is, User IDs that are used by more than one person).
  • CRA does not always complete Privacy Impact Assessments and Threat and Risk Assessments.
  • CRA’s systems for detecting and preventing inappropriate employee access are inadequate.
  • CRA fails to report privacy breaches and inappropriate access to the Access to Information and Privacy Directorate.

In the FINTRAC Report, the OPC noted:

  • FINTRAC (which receives financial transaction reports on money laundering and terrorist financing) had holds approximately 165 million records.
  • Some of the reports do not clearly demonstrate any reasonable grounds for suspicion. Nevertheless, FINTRAC has retained these reports.
  • Although FINTRAC has accepted the OPC’s recommendations from a previous 2009 audit, it has made limited progress in addressing five issues. With one exception, all of the issues are related to over collection or failure to purge the retention of unnecessary information. The one exception involves the need to revise a consent form for entry into a dwelling to more clearly and transparently address the authority, purposes and uses of the information to be collected.

The Annual Report can found here. The CRA Report and the FINTRAC Report are available here and here.