A recent report has revealed that in the past two years, 144,000 Canadians have had their personal data compromised by several government departments and agencies.
According to an 800-page document tabled in the House of Commons and filed by Conservative MP Dean Allison, across 10 entities there was a total of 7,992 breaches.
The Canada Revenue Agency (CRA) suffered the most breaches with 3,020 separate incidents, affecting 59,065 Canadians between January 1, 2018 and December 10, 2019. The agency blames the breaches on security incidents, employee misconduct and misdirected mail.
“We consider a single privacy breach to be one too many,” said CRA spokesperson Etienne Biram. “Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents.”
In one of the above-mentioned cases, a hard drive containing personal information belonging to 11,780 individuals was made accessible to some CRA employees in January 2019. Biram added that there was no evidence indicating the files had been accessed by any unauthorised personnel.
Over the same time period, Health Canada reported 122 breaches impacting 23,894 Canadians; one breach occurred after a government employee had received an email containing personal information.
“The majority of the reported breaches were the result of human error and did not release sensitive personal information,” said Department spokesperson Tammy Jarbeau.
Canadian Broadcasting Corporation employees experienced 17 breaches affecting 20,129 Canadians, whilst Immigration reported 3,005 breaches impacting 4,268 individuals.
Employment and Social Development Canada saw 1,421 breaches impacting 3,586 individuals; the department stated that some of its own information breaches were due to lost or misdirected passports and birth certificates.
The numbers tabled aren’t precise, and therefore the total number of impacted Canadians, 144,000, could fall short of the real number.
Not all the departments were able to report accurately how many people were affected by individual breaches, or how many victims were subsequently contacted after the breach.
“In the private sector, individuals can choose what businesses they do business with. If they don’t like the privacy practices of a bank, they can go to another,” said privacy lawyer David Fraser.
“But we don’t get to choose as citizens what governments we deal with, and governments are custodians of a significant amount of highly sensitive personal information.”
Many have been pushing for changes to the Privacy Act whereby reporting becomes mandatory. Currently, federal departments only have to notify individuals in the case of “material” breaches – breaches involving sensitive personal information which could cause serious injury or harm to an individual, or breaches impacting large numbers of people.
However, Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa, explained that warning Canadians too often of information breaches carries a risk.
“That is the classic conundrum. On the one hand, you don’t want to get people so used to data breaches … so that every time they get a notification they think, ‘Whatever, doesn’t matter.’ You want people to pay attention when it’s necessary to pay attention,” she said.
“At the same time, you don’t want the discretion being exercised on the side of avoiding embarrassment, so that internally the nature of the severity of the breaches is played down because an organization really just doesn’t want to have to own up to the fact that they’ve had a significant data breach.”