CRA Leaks Famous Donors’ Information

By Adrienne Woodyard, Davis LLP

According to a story today from the CBC, it received a comprehensive list of names of Canadian taxpayers who donated artwork to galleries and museums and claimed charitable tax credits for those donations. The list, according to the Canada Revenue Agency, discloses the amounts of the credits that were claimed and the amounts that were granted, along with each donor’s address. It is not clear which taxation year(s) were involved or whether donors’ social insurance numbers were included in the list.
The Toronto Star is reporting that the CBC has said “the information delivered to it in digital format was a mistaken response to a request for other information under the Access to Information Act.”
This suggests that the disclosure wasn’t deliberate, but we may never know exactly what happened, because CRA is bound to keep all taxpayer information confidential and may be prohibited from disclosing further details publicly, even after it completes its internal investigation. Generally speaking, the CRA policy prohibits its employees from using email to transmit confidential information to taxpayers. But if the information was sent via email and intended to be circulated internally and ended up at CBC due to a keying error, that policy, however well-intentioned, wouldn’t have prevented the problem. They may need more security protocols in place to ensure that external emails cannot be sent so easily.
If this was in fact a keying error, the CRA should be grateful that the information didn’t end up in the hands of a less responsible third party than the CBC…though from a damage-control perspective, you could hardly do worse than to send this kind of information accidentally to a major media outlet. But the scope of the breach could easily have been worse. More serious, in my view, is the incident earlier this year in which the CRA website was shut down due to the Heartbleed bug, which, according to reports, allowed a hacker to access the social insurance numbers of 900 taxpayers. It’s a sobering reminder of how vulnerable Canadian taxpayers are, given the vast amounts of confidential data the CRA is responsible for gathering, administering and, ultimately, protecting.
So what, if anything, could these donors do about the leaks?
The donors may not find their options to be very satisfying. Anything the CRA may do for them at this point is tantamount to closing the barn door after the horse has escaped. The CRA should be updating them directly on the steps they are taking to secure their information – and to reassure them that the same document has not also been distributed to others. It may be possible for these donors to bring a civil action in negligence against the CRA, although damages could be difficult to prove. But in terms of formal channels, the CRA’s gathering and retention of information is governed by the federal Privacy Act. That means the donors could file a complaint with the Access to Information and Privacy Directorate, or the Office of the Privacy Commissioner of Canada. They can also file a Service Complaint with the CRA and with the Office of the Taxpayers’ Ombudsman. Depending on what actually happened, the RCMP may even become involved, since it is an offence under the Income Tax Act to “knowingly” provide taxpayer information to a third party. Unfortunately, the ultimate moral of the story for these donors may be “no good deed goes unpunished.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: