Personal information of 144,000 Canadians mishandled by federal bureaucracies

The personal information of 144,000 Canadians has been mishandled by federal departments and agencies over the last two years according to the House of Commons figures.

CBC News reported that the Privacy Commissioner’s office noted that they saw “strong indications of systemic under-reporting.”

Many people who were affected by the privacy breaches were not notified.

The breaches were not explained by the federal government when they received an order paper question from Conservative MP Dean Allison. The errors were anywhere from small mistakes to large breaches that included sensitive and personal information.

David Fraser, a Halifax lawyer at McInnes Cooper said, “There’s a significant problem with the way that the government protects personal information.”

“The numbers that we’re consistently seeing reported out of the federal government are higher than they should be and significantly higher in my view.”

Most of the breaches involved the Canadian Revenue Agency with over 3,005 different incidents that ultimately affected around 60,000 Canadians. The breaches took place between Jan 1 2018 and Dec 10, 2019.

The reasons the department gives for these errors are security occurrences, misdirected mail and employee misconduct.

CRA spokesperson, Etienne Biram said, “We consider a single privacy breach to be one too many. Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents.”

In January 2019, the personal information of 11,780 people was accidentally made accessible to employees of the CRA.

Another incident involved one CRA employee who was able to view the information of 11,745 people by accessing certain accounts.

“These individuals are not notified since the risk to them is deemed to be extremely low,” said Biram.

Throughout the same time period, Health Canada saw 122 breaches which affected about 24,000 people.

CBC had 17 breaches resulting in the information of over 20,000 employees being at risk.

There were over 2,000 combined breaches within Refugees and Citizenship Canada and Employment and Social Development Canada.

Some of the breaches at Employment and Social Development Canada included birth certificates and passports being mishandled and sometimes lost.

Errors were also reported by the RCMP, the Communications Security Establishment, Canadian Security Intelligence Service and the Department of National Defence.

Fraser noted that private sector firms follow strict rules by the Personal Information Protection and Electronic Documents Act and the government should have higher standards for breaches and the protection on personal information.

“In the private sector, individuals can choose what businesses they do business with. If they don’t like the privacy practices of a bank, they can go to another,” Fraser told CBC News.

“But we don’t get to choose as citizens what governments we deal with, and governments are custodians of a significant amount of highly sensitive personal information.”

An Office of the Privacy Commissioner spokesperson noted that the order paper question is still being reviewed.

Vito Pilieci said, “We have raised concerns about strong indications of systemic under-reporting of certain types of breaches across government.”

Canada Research Chair in Information Law and Policy at University of Ottawa, Teresa Scassa said that when the government makes errors like this, they can not be trusted to always report their mistakes.

“That is the classic conundrum. On the one hand, you don’t want to get people so used to data breaches … so that every time they get a notification they think, ‘Whatever, doesn’t matter.’ You want people to pay attention when it’s necessary to pay attention,” said. Scassa

“At the same time, you don’t want the discretion being exercised on the side of avoiding embarrassment, so that internally the nature of the severity of the breaches is played down because an organization really just doesn’t want to have to own up to the fact that they’ve had a significant data breach.”