10/29/2013 10:38 EDT | Updated 01/23/2014 06:58 EST

Poor tax office security leads to improper info disclosure: privacy watchdog

OTTAWA - Weak security practices at the federal tax office led to thousands of files being inappropriately accessed for years without detection, says the privacy watchdog.

Privacy Commissioner Jennifer Stoddart has more than a dozen recommendations — including better monitoring of employee access to databases — to ensure the Canada Revenue Agency protects sensitive information.

She tabled a special audit of the revenue agency Tuesday along with her annual report on compliance with the Privacy Act, the law that governs how federal agencies handle personal data.

"Canadians surrender their personal information to government out of necessity, often under legal compulsion," Stoddart said in the annual report.

"In return, people justly expect that the government will exercise effective stewardship over such information."

Stoddart says a breach involving inappropriate access to — or disclosure of — taxpayer information can have serious effects, including identity theft, financial fraud and personal embarrassment.

The Canada Revenue Agency has a culture of security and confidentiality through its integrity framework, policies and training, but there are "marked weaknesses" in making key practices work, Stoddart found.

One problem was the lack of an automated tool to identify and flag potentially inappropriate access to taxpayer information. Stoddart called for stronger tools to remedy the gap.

The revenue agency accepted all of Stoddart's recommendations and drafted an improvement plan.

For the second year in a row, all-time highs were set for both privacy complaints about federal organizations and data breaches reported by departments and agencies.

From April 2012 to the end of March, Stoddart received 2,273 complaints from the public, up from 986 over the same period a year before.

Much of the increase stemmed from two highly publicized data breaches involving Employment and Social Development Canada and the Justice Department.

In addition, the number of data breaches that federal institutions reported to Stoddart climbed to 109 from 80 during the same period a year ago, though it was unclear whether this was due to more diligent reporting or an actual jump in incidents, Stoddart said.

She also flagged elements of the Canada-U.S. perimeter security pact, intended to smooth the passage of goods and people across the 49th parallel while beefing up continental defences.

The commissioner expressed worries about a plan to keep information for 75 years once it's collected by border officials under a new entry-exit system that will track the movements of travellers.

"We are concerned that, as the initiative evolves in future phases, additional data elements such as fingerprints or photos may be included," says her report.

Under another project, Canada will require the fingerprints and photographs of foreign nationals from certain countries who apply to visit, study or work in Canada. Stoddart noted the RCMP will be allowed to keep the fingerprints of these visa applicants for 15 years and use them in routine investigations.

"We are concerned about the lengthy retention and uses of fingerprints of individuals who have not been charged with, or convicted of, any criminal offence."

Stoddart also objected to an absence of signs informing people they might be subject to detention, questioning or searches in areas including departure lounges or shipping terminals — part of a plan to extend the powers of Canada Border Services Agency officers.

Overall, she stressed that while Canada and the U.S. are similar in many ways, the two countries have very different privacy regimes.

"Perimeter security is and will remain an important priority for the government," Stoddart said in a news release. "Our office has joined with our provincial and territorial colleagues in raising the need to ensure that the standards and values behind our privacy laws are not diminished."

Stoddart leaves the privacy commissioner's post later this year. A successor has not been named.

She has often called for modernization of the Privacy Act — a law drafted long before memory sticks and smartphones — and she reiterated her concern about the government's "troubling" lack of action on updating the legislation.

http://www.twitter.com/JimBronskill