From: AlanBaggett@volcanomail.com   
      
   Rogue tax workers snooping on Canadians in larger numbers :CRA SOTW    
      
   CBC News obtains internal CRA reports on workers digging into files on   
   spouses, co-workers, friends   
       
   Dean Beeby • CBC News •    
      
   Workers at the Canada Revenue Agency continue to snoop on the confidential tax   
   files of spouses, parents, friends, neighbours, colleagues, church members and   
   businesses, despite a $10-million project meant to discourage them.   
      
   Ten months of internal reports obtained by CBC News show the files of at least   
   10,000 Canadians were compromised by the agency's employees, who used their   
   privileged access to government databases to make unauthorized forays into   
   taxpayers' private    
   financial affairs.   
      
   One worker in the CRA's Calgary office last year kept a detailed spreadsheet   
   on the financial data of 310 people in his community.   
      
   "[T]he investigation concluded that the employee made unauthorized accesses to   
   his own account, and to a total of 310 other taxpayer accounts, including the   
   employee's spouse, mother, former Team Leader, and two colleagues," says an   
   Oct. 10, 2017 CRA    
   report.   
      
   "The employee kept the information of the 310 individuals on a spreadsheet in   
   his 'H' drive in order to keep track of who lived in his community."   
      
   Another worker at the CRA's Scarborough office in Toronto conducted 49   
   unauthorized data searches to briefly access the files of 3,709 Canadians. She   
   also downloaded detailed tax files on 16 other people, along with her own,   
   without authorization, says    
   an Oct. 31, 2017 CRA report.   
      
   Altogether, CBC News obtained details on 14 significant privacy breaches that   
   were serious enough to be reported to the federal privacy commissioner — 10   
   of which were the work of rogue employees. The other four involved inadvertent   
   disclosures, such    
   as a box of files being sent to the wrong address.   
      
   Bad behaviour   
   Dozens of federal institutions report significant privacy breaches each year   
   to the privacy commissioner, as required — and the CRA is usually among the   
   top offenders. But unlike other departments, the tax agency's breaches are   
   most often the result of    
   bad behaviour by employees rather than accidents involving, for example, mail   
   sent to the wrong address.   
      
   The official case reports, released under the Access to Information Act, refer   
   vaguely to "disciplinary" or "administrative" measures applied to the workers,   
   but offer no specifics.   
      
   None of the cases were referred to police. The files routinely assess the risk   
   of news media learning about the breaches.   
      
   The released material, covering investigations that concluded between   
   September 2017 and June 2018, suggests employee misbehaviour is on the rise.   
      
   Statistics published by the privacy commissioner support that view. Major   
   privacy breaches reported by the CRA fell from 38 in 2014-2015 to 10 in   
   2016-2017 — but spiked to 25 in 2017-2018. (The privacy commissioner's   
   published statistics contain no    
   information about the nature of the breaches.)   
      
   The CRA completed a $10.2-million technology project on March 31, 2017 —   
   called the Enterprise Fraud Management Solution — to better track and deter   
   employees' unauthorized snooping.   
      
   A report to Parliament earlier this year said there had been more than 2,000   
   privacy incidents at CRA between mid-September 2016 and June 2018 — but they   
   usually involved misdirected mail and were considered so minor that the agency   
   felt it did not    
   need to report them to the privacy commissioner.   
      
   The largest employee-initiated breach ever discovered at the agency occurred   
   in March of this year, when a worker briefly accessed the files of 11,745   
   individuals. CRA never reported it to the privacy commissioner because the   
   access was considered too    
   fleeting to be significant.   
      
   The 14 CRA incident reports obtained by CBC News, on the other hand, contain   
   cases of "material" breaches, defined as those "involving sensitive personal   
   information … that could reasonably be expected to cause serious injury or   
   harm to the individual    
   and/or [involve] a large number of affected individuals." All of those had to   
   be disclosed to the privacy commissioner.   
      
   Typical was the 2017 case of a female employee at a Vancouver CRA office.   
   "[T]he employee made unauthorized accesses to her own taxpayer information and   
   to a total of 38 accounts: four family members, nine friends, four taxpayers,   
   four neighbours, three    
   CRA employees, three local churches and 11 of the churches' members."   
      
   None of these reports attribute any clear motivation to the rogue employees,   
   who are never identified in the documents (although general information about   
   their targets is given). The material also notes how many taxpayers were   
   notified of the breaches    
   in each case.   
      
   The breaches usually involved disclosures of social insurance numbers,   
   addresses, phone numbers, dates of birth, marital status, income and   
   deductions as well as employment information — all standard information on   
   annual tax forms.   
      
   New system   
   A CRA spokesperson said the sharp increase in the number of breaches reported   
   to the privacy commissioner in 2017-2018 was the direct result of the   
   effectiveness of the new Enterprise Fraud Management system in catching   
   snooping employees.   
      
   Etienne Biram declined to indicate how the agency disciplined the workers,   
   saying only that "the most extreme cases of misconduct attract the most severe   
   measures of discipline, up to and including termination of employment."   
      
   About 60 per cent of CRA's roughly 40,000 employees have access to taxpayer   
   files. Biram said the agency has been stepping up monitoring of staffers and   
   limiting their ability to see data that is not relevant to their work.   
      
   Last year, a courier hired by the CRA lost a DVD containing the confidential   
   2014 files of 28,000 taxpayers in Yukon — about three-quarters of the   
   population. The information was encrypted and organized to be resistant to   
   unauthorized access, officials    
   said.   
      
   Follow @DeanBeeby on Twitter   
      
    -----------------------------------------------------------    
   Miss a Tax Tale Miss a lot!    
   Pop the link below into your browser to view the entire CRA SOTW Library!    
   http://canada.revenue.agency.angelfire.com    
   ------------------------------------------------------------    
   Alan Baggett - http://www.taxcollectorsbible.com/ - Tax Collector's Bible    
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)