New figures tabled in Canada’s House of Commons have revealed that at least 144,000 Canadians have had their personal information mishandled by federal departments and agencies over the past two years.
The figures were part of an 800-page document written in response to an Order Paper question filed last month by Conservative MP Dean Allison. No information as to how the data came to be mishandled was included in the federal government’s lengthy answer.
In total, 7,992 breaches were found to have occurred at 10 different agencies and departments. The errors range in severity from minor infractions to serious data breaches that resulted in the exposure of sensitive personal information.
The Canada Revenue Agency (CRA) was the worst offender, with 3,020 breaches affecting 60,000 Canadians recorded between January 1, 2018, and December 10, 2019.
A spokesperson for the CRA, Etienne Biram, said: “Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents.”
One of those three major incidents occurred when some CRA employees were accidentally given access to a hard drive containing personal information belonging to 11,780 individuals in January 2019.
Biram said that no evidence had been uncovered that indicated the files had actually been accessed by any unauthorized personnel.
Over the same time period, 122 breaches affecting 24,000 people were reported by Health Canada. In one breach, a government employee received an email containing personal information.
Health Canada spokesperson Tammy Jarbeau said: “The majority of the reported breaches were the result of human error and did not release sensitive personal information.”
The figure of 144,000 tabled in the House was based on estimates, meaning the real number of breaches could be higher. Not all the departments were able to state with accuracy how many people were affected by individual breaches or how many breach victims were contacted after a particular breach had occurred.
Under current law, federal departments are only obliged to notify individuals in the event of a breach affecting large numbers of people or in the event of “material” breaches, in which sensitive personal information that could reasonably be expected to cause serious injury or harm to an individual is exposed.