Canada’s federal government has been seeking to impose better privacy and data protection practices on businesses. Unfortunately, it does not always model such practices even among its own agencies and departments, as responses to recent data breaches show.
Although the government’s own Policy on Privacy Protection requires federal institutions to notify the Treasury Board of Canada Secretariat and the Office of the Privacy Commissioner (OPC) of material privacy breaches within seven days, this deadline is routinely ignored. Reports I obtained under the access to information framework show the intervals between data breach incidents and the date of notification are often weeks or even months longer.
Lags in data breach notifications are bad for Canada and Canadians because they increase vulnerability to fraud and other misuses of sensitive information. They also erode trust in federal institutions to live up to proper operating standards and procedures.
Consider the record:
- The National Film Board: The agency was the target of a malicious data breach in 2019 (the second such incident in recent years). Time to notification: 75 days.
- The Royal Military College: The college’s entire network was hacked in July 2020, which resulted in the theft and dumping of personal information on the dark web. Time to notification: 125 days.
- The Canada Revenue Agency (CRA): The CRA experienced a credential stuffing attack (an attack in which login credentials acquired through a data breach are used to try to access other unrelated services) on July 10, 2020, that affected approximately 13,000 Canadians. Time to notification: 77 days.
- The Royal Canadian Mounted Police (RCMP): RCMP officers’ personal information was hacked in July 2020, an attack that misappropriated more than 260 gigabytes of stolen information. Time to notification: 79 days.
- The National Security and Intelligence Review Agency: This independent government agency, which reviews all national security and intelligence activities carried out by the Government of Canada, was breached by an “unauthorized access” incident on March 9, 2021. Time to notification: 72 days.
Adding to the imprecision, reports of data breaches at federal institutions often redact information about when the incidents occurred. This practice exacerbates what the OPC has already described as the “systemic under-reporting” of breaches.
The federal government also regularly shrugs off cyberattacks, such as the recent attack against the Prime Minister’s Office and another that shut down networks at Global Affairs Canada.
In the face of these malicious activities, the National Research Council (NRC) has called for Canadian governments to “harden” their digital infrastructure against breaches. But the NRC itself has been the victim of repeated breaches.
Another attack, against Canada Post in 2020, saw 954,375 individuals’ personal information stolen. The agency took over six months to provide notification.
How is the federal government responding to such incidents after the fact? Following a spate of recent cyberattacks against the CRA that resulted in it temporarily shutting down its services, the agency inserted a waiver of liability into the terms of service for NETFILE, the electronic tax-filing service for personal income taxes. The waiver states that the CRA has “taken all reasonable steps to ensure the security of this Web site” and “is not responsible for any damages you may experience” due to data breaches.
Last year, more than four in five complaints against federal government institutions for violating privacy rights or failing to take adequate safeguards of personal information were sustained. The OPC found such complaints well-founded in 81 percent of the cases. For the private sector, the rate was 58 percent.
But the OPC does not move quickly to make these findings. Its “early resolution” investigations average 4.5 months, while normal investigations into allegations about the federal government’s collection, retention or disposal, and use or disclosure practices last well over a year.
Obtaining information about privacy and data protection through the access to information system is just as demoralizing. Fewer than half of all requests for access to information are answered within the legislated requirement. For example, a response to my request that supplied the information in the first bullets of this article went seven months beyond the legislated requirement. Requests regularly take years to process.
Complaints about tardy requests must be directed to the Office of the Information Commissioner before federal institutions can be taken to court. As compliance records show, the average length of the information commissioner’s investigations of federal institutions’ practices is anything but hasty:
- Canada Border Services Agency: 205 days.
- Canada Revenue Agency: 219 days.
- Department of Finance Canada: 221 days.
- Global Affairs Canada: 222 days.
- Library and Archives Canada: 265 days.
- Indigenous Services Canada: 290 days.
- Innovation, Science and Economic Development Canada: 311 days.
Moreover, these investigations only commence at the discretion of the commissioner after the request is completed. The entire process can take years.
As I note in a recent brief to Parliament, investigations also occur against a backdrop of many federal institutions’ destruction of completed access to information requests two years after their release. The irreparable loss of such records comes with significant duplication costs that further strain the resources of the system.
A worryingly high degree of non-disclosure is being normalized. The over-redaction of information that is fundamental to civic engagement, such as the amount of public funds spent on government programs, is now common. Similarly, the use of consultants to deliver services has become a cynical way to avoid transparency — as those consultants subcontract work to third parties with agreements shielded as confidential information.
As the federal government accelerates its dependency on digital technologies to deploy goods and services, this architecture of privacy, data protection and access to information is failing to provide basic transparency and accountability. The current frameworks are past their expiry date.
Seeking better privacy and data protection from the private sector is well and good. But the federal government needs to adopt better practices for itself. To do so, it needs more robust legislation, empowered and independent enforcers, and stronger incentives for government employees to do this work.
