Canada Revenue Agency launching info line after loss of encrypted data DVD by private courier service

    February 3, 2017

    OTTAWA, ONTARIO--The Canada Revenue Agency (CRA) takes the protection of Canadians' tax information very seriously. The confidence and trust that individuals and businesses have in the CRA is a cornerstone of Canada's tax system.

    The CRA has been notified that a DVD containing encrypted taxpayer information, sent by registered courier service and destined for the Government of Yukon, has been lost by the courier service. The DVD contained the tax information of approximately 28,000 taxpayers who were residents of the Yukon Territory in the 2014 tax filing year. The registered courier service has launched a search to locate the missing DVD, and the CRA has notified the Office of the Privacy Commissioner of Canada about the incident.

    At this time, there is no indication that the data has been accessed or used. And given the strong security measures in place, the risk is thought to be very low that the taxpayers' information would be compromised even if an unauthorized individual were to gain possession of the DVD. The information on the DVD is protected using an accredited encryption module that is approved by the Communications Security Establishment for the protection of information of this nature.

    The CRA administers various programs on behalf of the provinces and territories. As a result, we regularly provide provinces and territories with taxpayer data for their jurisdictions. These data transfers are governed by written information-sharing agreements, and strict protocols are in place to ensure that all taxpayer information is appropriately protected at all times.

    The use of encrypted CDs and DVDs is a common practice when it comes to the exchange of information for tax purposes. It is subject to stringent requirements in relation to how storage devices (like encrypted DVDs) and hardcopies of information are handled, including document marking, storage, destruction, erasure, and access. An initial internal investigation indicates that CRA personnel complied with Government and Agency policies that govern physical security, encryption and password protection. As a result of this event, the CRA will continue to work with the Privacy Commissioner of Canada and other stakeholders to whom we normally transfer and receive data to determine whether and how our processes can be strengthened going forward.
    The CRA is one of the largest service organizations in the country, with an employee population that exceeds 40,000. All CRA employees receive mandatory security training, which includes the protection of taxpayer information.

    Although the risk to affected taxpayers is thought to be very low, individuals impacted by this incident will be formally notified by registered letter from the CRA. Anyone with questions about their personal information can call 1-866-426-1527 (Monday to Friday 9-5 PST).