The personal information of 144,000 Canadians was mishandled over the last two years by several of Canada’s federal departments and agencies, the House of Commons has confirmed.
This figure was revealed in an 800-page report that was requested by Conservative MP Dean Allison in late January.
While the government did not provide an explanation for these data breaches, it did confirm just how widespread they were.
The Canada Revenue Agency (CRA), in particular, was the biggest offender, accounting for more than 3,005 separate incidents affecting close to 60,000 Canadians between January 1st, 2018 and December 10th, 2019. The CRA attributed these issues to security incidents, employee misconduct and misdirected mail.
Other government bodies responsible for mishandling the information of Canadian citizens between January 1st, 2018 and December 10th, 2019 include:
- Health Canada (reported 122 breaches affecting 24,000 people)
- Employment and Social Development Canada (had more than 2,000 breaches)
- The Canadian Security Intelligence Service (unspecified number of breaches)
- Communications Security Establishment (unspecified number of breaches)
- RCMP (unspecified number of breaches)
Many departments — such as the Canadian Security Intelligence Service, Communications Security Establishment and
RCMP — said they don’t know how many Canadians were affected. Further, as the CBC notes, the report’s figures are only estimates, so the actual number of affected Canadians could exceed 144,000.
Speaking to the CBC, a spokesperson for the Office of the Privacy Commissioner (OPC) said the ombudsman is looking into the report. The spokesperson noted that historically, there have been issues in the way this information has been compiled, prompting the OPC to conduct a thorough review.
Over the past few years, Privacy Commissioner Daniel Therrien has called for Canada’s Privacy Act to make breach reporting mandatory in the public sector. Currently, the government only needs to alert affected individuals of “material” breaches wherein leaked personal information could reasonably be expected to seriously harm an individual or groups of people.
Even if Canadians are informed that their information has been compromised, there are only a limited number of next steps available to them. They can either file a complaint to the OPC, which will then investigate their claim and provide suggestions. Alternatively, they can file a lawsuit, although lengthy legal disputes could end up costing them more money in the long run.
It’s currently unclear when the OPC expects to complete its review of the House of Commons report.
In related news, a Brampton couple has been arrested in connection to the infamous CRA telephone scam. According to the RCMP, the two Bramptonians are “Canadian-based co-conspirators” in a larger phone and internet scam operated primarily out of India.