
First Reference Talks

News and Discussions on Payroll, HR & Employment Law


Customer privacy policies and employee handling of customer personal information


Image taken from:

A weekend Toronto Star article reported that employees at the Canada Revenue Agency are improperly reviewing the private financial affairs of taxpayers. Some are using agency computers to give favoured treatment to colleagues, friends, family—and themselves.

CRA records for 2008–09 show 29 cases in which workers were caught accessing taxpayer records without authorization; that’s about average for the last five years. And there were a dozen instances in which tax records were improperly disclosed to third parties.

For example:

“In one egregious breach last October, a woman accessed 37,500 emails and 776 documents containing confidential financial information about ordinary Canadians. She downloaded the files onto 17 compact discs for her personal use, inexplicably helped by agency technicians.”


“13 other employees of the same office made unauthorized accesses to taxpayer information. Of the 13 employees, 10 provided preferential treatment to taxpayers, five accessed their own tax information, four received preferential treatment…

“Another worker peeked at secret agency information about two companies she operated on the side—while those firms were undergoing tax audits.

“In addition, the employee made extensive unauthorized accesses to the taxpayer information of friends and family members and hundreds of other individuals.”

These examples are clear breaches of privacy legislation, violations of ethical codes of conduct, and potential public relations nightmares, demonstrating that the possibilities for infringing on privacy might be greater than ever before.

The proper treatment of personal information is crucial: it helps to maintain a business’s image; gains and retains the trust of employees and customers; assures that there is accurate information for business purposes; and ultimately gives the business a competitive advantage in the marketplace.

So how do you protect customers’ personal information?
When organizations collect personal information from customers, they must ensure that the customers understand the purpose for collecting the information and obtain consent in advance. A privacy policy is the usual way to inform your customers. The policy will outline why and how you collect information and how you will use it, and this will help put your customers at ease.

Organizations must educate their employees about their privacy practices and policies and ensure the employees understand their role in implementing them and communicating them to customers. This includes ensuring that employees are aware of the circumstances under which they may or may not collect, use, disclose or access customer information, and the reasons for collecting such information.

It’s a good idea to establish an in-house training program for employees. Train them on their legal obligations under applicable privacy legislation, the common law right to privacy and your privacy policy.

Other privacy requirements to consider
Your policy must indicate how you will adequately protect and safeguard customers’ personal information. This includes limiting access to personal information to a need-to-know basis. Prepare a list of employees who really need to use private customer information to do their job. If they do not need it, make sure they do not see it.

Identify and assess the risks to customer information in each relevant area of the company’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks. Also, implement a safeguard program, and regularly monitor and test it. This program should include a system that will record whoever accesses the stored personal information, when and for what purpose.
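The two controls in the paragraphs above, a need-to-know list that decides who may open a record and an access log that records who looked at what, when and why, can be built into the system that holds the records rather than left to policy alone. The following Python is an added example, not code from the article or from First Reference: it keeps a per-employee list of assigned customers, refuses access outside that list and to an employee's own record, logs every attempt (permitted or refused) with its stated purpose, and then reviews the log for the patterns in the CRA cases the article quotes, namely refused lookups and one person pulling an unusual number of distinct records in a short time. All employee names, customer IDs, timestamps and thresholds are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not from the article). Names, IDs, timestamps and the
# bulk-access threshold are constructed; tune the threshold to real workloads.


@dataclass(frozen=True)
class AccessEvent:
    """One row of the access log: who, which record, when, why, and the decision."""
    employee: str
    customer: str
    when: datetime
    purpose: str
    reason: str  # "allowed", "self_access" or "no_need_to_know"

    @property
    def allowed(self):
        return self.reason == "allowed"


class CustomerRecordStore:
    def __init__(self, records, assignments, employee_own_record=None):
        self._records = dict(records)
        # Need-to-know list: employee -> customer IDs they work on.
        self._assignments = {e: set(ids) for e, ids in assignments.items()}
        # Employees who are also customers: employee -> their own customer ID.
        self._own = dict(employee_own_record or {})
        self.audit_log = []

    def read(self, employee, customer, purpose, when):
        """Return the record if the employee may see it; log the attempt either way."""
        if not purpose.strip():
            raise ValueError("a purpose must be stated for every access")
        if self._own.get(employee) == customer:
            reason = "self_access"
        elif customer not in self._assignments.get(employee, set()):
            reason = "no_need_to_know"
        else:
            reason = "allowed"
        # Log before returning or refusing so that denied attempts are visible too.
        self.audit_log.append(AccessEvent(employee, customer, when, purpose, reason))
        if reason != "allowed":
            raise PermissionError(f"{employee} is not permitted to read {customer}")
        return self._records[customer]


def _max_distinct_in_window(events, window):
    """Largest number of distinct customers one employee opened within any window."""
    events = sorted(events, key=lambda e: e.when)
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for ev in events[i:]:
            if ev.when - start.when > window:
                break
            seen.add(ev.customer)
        best = max(best, len(seen))
    return best


def review_audit_log(log, window=timedelta(minutes=15), bulk_threshold=25):
    """Return (kind, employee, detail) findings for a privacy officer to review."""
    findings = []
    for ev in log:
        if not ev.allowed:
            findings.append(("denied", ev.employee, f"{ev.customer}: {ev.reason}"))
    by_employee = {}
    for ev in log:
        if ev.allowed:
            by_employee.setdefault(ev.employee, []).append(ev)
    for employee, events in by_employee.items():
        count = _max_distinct_in_window(events, window)
        if count > bulk_threshold:
            findings.append(("bulk_access", employee, count))
    return findings


def run_demo():
    """Constructed scenario: one self-access, one out-of-caseload lookup, one bulk pull."""
    t0 = datetime(2010, 1, 1, 9, 0)
    records = {f"C{n:03d}": {"name": f"customer {n}"} for n in range(1, 61)}
    store = CustomerRecordStore(
        records,
        assignments={"alice": [f"C{n:03d}" for n in range(1, 41)],
                     "bob": [f"C{n:03d}" for n in range(41, 61)]},
        employee_own_record={"bob": "C041"},
    )
    store.read("alice", "C001", "billing inquiry", t0)
    for customer, purpose, minute in [("C041", "curiosity", 1), ("C003", "favour", 2)]:
        try:
            store.read("bob", customer, purpose, t0 + timedelta(minutes=minute))
        except PermissionError:
            pass  # refused and logged; the review below surfaces it
    for n in range(1, 31):  # 30 distinct records in about ten minutes
        store.read("alice", f"C{n:03d}", "year-end review",
                   t0 + timedelta(minutes=3, seconds=20 * n))
    return store, review_audit_log(store.audit_log)


if __name__ == "__main__":
    _, findings = run_demo()
    for finding in findings:
        print(finding)
```

The point of logging the refusal as well as the read is that the log then shows intent, not only outcome: an employee who repeatedly tries records outside their list is worth a conversation even though nothing was disclosed. The bulk-access rule is deliberately coarse and will also catch legitimate batch work, so it is a review trigger, not an automatic sanction.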

Use locked cabinets and restrict access to offices where personal information is stored. Protect digital information with passwords, encryption and firewalls. Retailers and other points of sale should have cash registers that truncate (X out) payment card numbers on customer receipts.

In addition, organizations must make sure they do not collect information for one purpose and use it for another without informing their customer or obtaining prior permission to do so. Only collect personal information that your business actually needs. For example, businesses need to collect certain personal information to manage a commercial relationship and provide ongoing service, to bill and collect for products and services, to market to individuals, and to meet legal and regulatory requirements.

Businesses may not pass their customer lists on to third parties without consent. However, if you do so for a legitimate business purpose, your policy must indicate how you intend to disclose customer information to the third party. You do not need to name them, but you need to give the customer a general idea of the types of companies in question. You must also provide the opportunity for consent. Also, inform your customers if personal information under your control will be disclosed or stored outside of Canada.

Indicate how long customer information will be retained to fulfill your business purposes and how that information will be disposed of when the retention period has elapsed. You must not keep the information longer than necessary.

Your policy should be clear, concise and written in plain language so that your customers and employees can easily understand how you manage their information. That policy and all related documents should also meet accessibility standards found under the Accessibility for Ontarians with Disabilities Act (AODA).

Review and update the customer privacy policy yearly and ensure you have the latest technology for protecting and safeguarding such information.

Make yourself available for questions. Indicate who in your organization handles privacy matters, and how to reach them, whether by email or a toll-free number. Ensure your customers know they can contact the Office of the Information and Privacy Commissioner if they are unsatisfied with your response to their privacy concern.

Establishing a privacy program is not an easy task. It requires thorough investigation and analysis of what personal information currently exists under the control of the organization. Companies should implement safeguards appropriate to their own circumstances. Regularly remind all employees of your company’s privacy policy—and the legal requirement—to keep customer information secure and confidential. For example, consider posting reminders for employees about their responsibility for security in areas where customer information is stored, like file rooms or electronic files.

Unfortunately, in the case of the CRA, Canadians can’t take their business elsewhere. But with private organizations, they can. That’s the main reason training employees to take basic steps to maintain the security, confidentiality and integrity of customer information makes good business sense. If you treat your customers’ information in a cavalier way, you shouldn’t be surprised if the authorities come knocking, and your customers run away to more secure businesses.

Yosie Saint-Cyr
First Reference Human Resources and Compliance Managing Editor

Yosie Saint-Cyr, LL.B., is a trained lawyer called to the Quebec bar in 1988 and is still a member in good standing. She practiced business, employment and labour law until 1999. For over 18 years, Yosie has been the Managing Editor of the following publications, Human Resources Advisor, Human Resources PolicyPro, HRinfodesk and Accessibility Standards PolicyPro from First Reference. Yosie is one of Canada’s best known and most respected HR authors, with an extensive background in employment and labour across the country.