Info Sheet: Reporting requirements for privacy breaches
The Canada Revenue Agency (CRA) is steadfast in its commitment to protecting taxpayer personal information and managing privacy breaches with transparency and in line with its responsibilities. The CRA manages all privacy breaches in accordance with the Treasury Board of Canada Secretariat’s (TBS) privacy policies.
Understanding privacy breaches
A privacy breach occurs when personal information is accessed, used, disclosed, created, or collected without proper authorization. Breaches can result from unauthorized access, accidental disclosures, security incidents (loss/theft, misdirected mail), cyber incidents, or the improper handling of data. The CRA takes all privacy breaches seriously, recognizing the potential harm they can cause to individuals and their trust in the Agency.
Defining material breaches and reporting standards
Material breaches involve sensitive personal information and pose a real risk of significant harm to affected individuals. This includes financial loss, identity theft, or damage to reputation.
When the CRA confirms a privacy breach, a dedicated team assesses the incident to determine if the breach is material. If the breach is deemed material, the CRA is obligated to report it to TBS and the Office of the Privacy Commissioner of Canada (OPC), in accordance with the mandatory reporting requirement in the TBS Policy on Privacy Protection.
As soon as the CRA becomes aware of an alleged incident of identity theft, or suspects an account could be the target of a threat actor, it takes swift and immediate precautionary measures on the client’s account, such as locking it to prevent transactions, and conducting an in-depth review. The CRA notifies affected individuals to ensure they can also take steps to protect themselves.
Immediate containment and review
Upon detecting a privacy breach, the CRA acts swiftly to contain the incident; this may include securing affected accounts to prevent further breaches. An extensive review is also undertaken to determine the scope and cause of the breach, ensuring appropriate measures are implemented to address the incident and prevent recurrence. For more information, see Info Sheet: How the CRA supports victims of identity theft.
Transparency and reporting
The CRA is committed to full transparency when addressing privacy breaches. In our response to the OPC’s February 2024 report, we committed to becoming fully compliant with the TBS mandatory reporting requirements and retroactively reporting all confirmed privacy breaches to both their office and TBS; this has been completed.
In addition, the CRA reports on the total number of privacy breaches, including non‑material breaches, in its Annual Report to Parliament on the administration of the Privacy Act, each fiscal year.
Date modified: 2025-02-05