According to a story today from the CBC, it received a
comprehensive list of names of Canadian taxpayers who donated
artwork to galleries and museums and claimed charitable tax credits
for those donations. The list, according to the Canada Revenue
Agency, discloses the amounts of the credits that were claimed and
the amounts that were granted, along with each donor's address.
It is not clear which taxation year(s) were involved or whether
donors' social insurance numbers were included in the list.
The Toronto Star is reporting that the CBC has said "the
information delivered to it in digital format was a mistaken
response to a request for other information under the Access to
This suggests that the disclosure wasn't deliberate, but we
may never know exactly what happened, because CRA is bound to keep
all taxpayer information confidential and may be prohibited from
disclosing further details publicly, even after it completes its
internal investigation. Generally speaking, the CRA policy
prohibits its employees from using email to transmit confidential
information to taxpayers. But if the information was sent via email
and intended to be circulated internally and ended up at CBC due to
a keying error, that policy, however well-intentioned, wouldn't
have prevented the problem. They may need more security protocols
in place to ensure that external emails cannot be sent so
If this was in fact a keying error, the CRA should be grateful
that the information didn't end up in the hands of a less
responsible third party than the CBC...though from a damage-control
perspective, you could hardly do worse than to send this kind of
information accidentally to a major media outlet. But the scope of
the breach could easily have been worse. More serious, in my view,
is the incident earlier this year in which the CRA website was shut
down due to the Heartbleed bug, which, according to reports,
allowed a hacker to access the social insurance numbers of 900
taxpayers. It's a sobering reminder of how vulnerable Canadian
taxpayers are, given the vast amounts of confidential data the CRA
is responsible for gathering, administering and, ultimately,
So what, if anything, could these donors do about the leaks?
The donors may not find their options to be very satisfying.
Anything the CRA may do for them at this point is tantamount to
closing the barn door after the horse has escaped. The CRA should
be updating them directly on the steps they are taking to secure
their information – and to reassure them that the same
document has not also been distributed to others. It may be
possible for these donors to bring a civil action in negligence
against the CRA, although damages could be difficult to prove. But
in terms of formal channels, the CRA's gathering and retention
of information is governed by the federal Privacy Act. That means
the donors could file a complaint with the Access to Information
and Privacy Directorate, or the Office of the Privacy Commissioner
of Canada. They can also file a Service Complaint with the CRA and
with the Office of the Taxpayers' Ombudsman. Depending on what
actually happened, the RCMP may even become involved, since it is
an offence under the Income Tax Act to "knowingly"
provide taxpayer information to a third party. Unfortunately, the
ultimate moral of the story for these donors may be "no good
deed goes unpunished."
Previosly published on Lexpert Blog
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).