
Canada Revenue Agency mailed SIN numbers to wrong people — twice: MP

NDP MP Charlie Angus. Photo by The Canadian Press.

A New Democrat MP says the Canada Revenue Agency twice mailed batches of private information — including names and social insurance numbers — to the wrong people in his riding.

Charlie Angus has asked the office of federal privacy commissioner Daniel Therrien to investigate the apparent violations.

In a letter to the commissioner’s office, Angus says the revenue agency mailed a package April 6 to several constituents in Kirkland Lake, Ont., containing the names, SINs, addresses and phone numbers of five people.

Five days later, the same constituents were mailed a second package with similar personal information about 11 people.

"They were pretty stunned when they received them," said Angus, who has often criticized the federal agency over privacy lapses.

He called the latest incidents completely unacceptable, saying they involved the sort of information that — if it fell into the wrong hands — could lead to fraud and identity theft.

"Why would you be sending this out to anybody? This is the kind of breach that makes no sense," Angus said.

"I think what’s really disturbing is, when it comes to data breaches, CRA is a repeat offender."

The revenue agency had no immediate comment.

In his latest annual report, Therrien urged federal agencies to put more rigorous safeguards in place to protect sensitive personal information.

The commissioner underscored a record-high number of federal government data breaches disclosed to his office.

Federal institutions reported 256 breaches in 2014-2015, up from 228 the year before. It marked the first time institutions were required to report significant data breaches to the commissioner.

As in previous years, the leading cause of breaches was accidental disclosure, a risk Therrien said can often be managed by following proper procedures.

In 2013 the privacy commissioner’s office audited the Canada Revenue Agency, focusing on its access controls to personal information.

The privacy watchdog made 13 recommendations in areas including monitoring of employee access rights, threat and risk assessments for information-technology systems and ensuring the privacy impacts of new programs are assessed.

The agency agreed with the commissioner’s recommendations, and the watchdog made plans to follow up on progress this year.

Angus said the revenue agency needs to implement better training of personnel and impose stricter controls over information.
