Federal departments or agencies have mishandled personal information belonging to 144,000 Canadians over the past two years, according to new figures tabled in the House of Commons — and not everyone who was swept up in a privacy breach was told about it.
The new figures were included in the federal government's answer to an order paper question filed by Conservative MP Dean Allison late last month. The nearly 800-page response didn't offer an explanation for the errors, which range in seriousness from minor hiccups to serious breaches involving sensitive personal information.
"There's a significant problem with the way that the government protects personal information," said David Fraser, a privacy lawyer at McInnes Cooper in Halifax.
"The numbers that we're consistently seeing reported out of the federal government are higher than they should be and significantly higher in my view."
The Canada Revenue Agency leads the pack in breaches, with more than 3,005 separate incidents affecting close to 60,000 Canadians between Jan. 1, 2018 and Dec. 10, 2019.
The department blames the breaches on misdirected mail, security incidents and employee misconduct.
"We consider a single privacy breach to be one too many," said CRA spokesperson Etienne Biram. "Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents."
In one of those cases, a protected hard drive containing personal information belonging to 11,780 individuals was inadvertently made accessible to some CRA employees in January 2019. There's no evidence that any of the exposed files were accessed by people who weren't entitled to see them, said Biram.
In another case, a CRA employee accessed accounts belonging to two individuals and briefly viewed information belonging to another 11,745 individuals.
"These individuals are not notified since the risk to them is deemed to be extremely low," Biram said.
Health Canada reported 122 breaches affecting close to 24,000 people over the same time period. In the most serious breach, the agency said, a government employee mistakenly received an email containing personal information. That person immediately notified the appropriate officials at Health Canada and deleted the email, said department spokesperson Tammy Jarbeau.
"The majority of the reported breaches were the result of human error and did not release sensitive personal information," she said.
More than 20,000 Canadian Broadcasting Corporation employees saw their information breached in 17 separate instances — the most serious involving the theft of computer equipment containing confidential information in May 2018.
A handful of departments holding confidential information, like Employment and Social Development Canada and Immigration, Refugees and Citizenship Canada, also saw more than 2,000 breaches.
Employment and Social Development Canada said some of its own information breaches involved lost or misdirected passports and birth certificates.
Even the keepers of Canada's official secrets aren't immune. The Canadian Security Intelligence Service, the Communications Security Establishment and the RCMP all reported missteps as well.
The Department of National Defence said most of its 170 breaches, which affected more than 2,000 people, were due to inappropriate access to, or use or disclosure of, personal information.
The numbers tabled in the House aren't precise, so the 144,000 figure could fall short of the real number.
Many departments reported they didn't know how many people were affected by individual information breaches, or how many were subsequently contacted and warned.
For example, the Correctional Service of Canada, which holds personal information on federal inmates, was responsible for more than 300 breaches — but didn't provide statistics on how many individuals were affected.
Figures likely higher
Fraser said the government's standards for protecting personal information and reporting breaches should be higher than those in private sector firms, which have to follow strict reporting rules under the Personal Information Protection and Electronic Documents Act.
"In the private sector, individuals can choose what businesses they do business with. If they don't like the privacy practices of a bank, they can go to another," he said.
"But we don't get to choose as citizens what governments we deal with, and governments are custodians of a significant amount of highly sensitive personal information."
A spokesperson for the Office of the Privacy Commissioner said it's still reviewing the order paper question, adding the office has highlighted gaps with the reporting system in the past.
"We have raised concerns about strong indications of systemic under-reporting of certain types of breaches across government," said Vito Pilieci in an email to CBC.
Privacy Commissioner Daniel Therrien has been pushing for changes to the Privacy Act to make breach reporting mandatory. As it stands, federal departments only have to alert affected individuals in the event of "material" breaches — cases involving sensitive personal information which reasonably could be expected to cause serious injury or harm to an individual, or ones affecting large numbers of people.
Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa, said that while there's a risk involved in warning Canadians too often of information breaches, government departments can't always be trusted to come clean when they make mistakes.
"That is the classic conundrum. On the one hand, you don't want to get people so used to data breaches ... so that every time they get a notification they think, 'Whatever, doesn't matter.' You want people to pay attention when it's necessary to pay attention," she said.
"At the same time, you don't want the discretion being exercised on the side of avoiding embarrassment, so that internally the nature of the severity of the breaches is played down because an organization really just doesn't want to have to own up to the fact that they've had a significant data breach."
Victims have limited options
There's not much in the way of recourse available to victims. They can file complaints under the Privacy Act with the commissioner, who can investigate and make recommendations.
"But in terms of actual recourse that compensates an individual for whatever harm they might have suffered, or for any lost time, frustration, anxiety that they may have suffered ... that's not provided for in the legislation," said Scassa.
She said more people are turning to class-action lawsuits for financial satisfaction in these cases. In 2017, the government agreed to pay at least $17.5 million to settle a class action lawsuit filed after a major privacy breach involving about 583,000 student loan recipients.
Scassa said that while lawsuits can be the only option for information breach victims "frustrated with government," fighting those lawsuits in court ends up costing taxpayers money.
"The ideal is for the government to find and implement measures that substantially improve data protection within government without making it ... a financial money pit," she said.
All the departments that responded to CBC's requests for comment insisted that they take security seriously and offer their staff training to prevent breaches.