The federal revenue agency says it doesn’t know what sort of taxpayer information a rogue employee improperly shared with the Canadian Security Intelligence Service because CSIS has wiped the files from its database.
CRA told The Canadian Press that the employee who handed over the sensitive data — doing so even though CSIS lacked a judicial warrant — is no longer with the department.
The agency refused to disclose whether the person was fired or left voluntarily, citing privacy reasons. And it is not clear if the taxpayers whose information was compromised were ever notified of the improper sharing.
The Security Intelligence Review Committee, the watchdog that keeps an eye on CSIS, revealed last week in its annual report that the spy and revenue agencies repeatedly breached the rules.
Questions were first raised by the Federal Court, prompting CSIS to ask the review committee to look into the matter.
After concerns emerged, there were assurances the sensitive revenue agency information had been purged from a CSIS database when, in fact, it was still there, the review committee’s report says.
CSIS spokeswoman Tahera Mufti says the information is now “deleted from CSIS databases. It should be noted that none of the information received from CRA was shared beyond CSIS.”
As a result, revenue agency spokesman Philippe Brideau says, it is unclear what was passed to the spy agency in the first place. “The CRA is unable to determine the details of the information that was shared with CSIS, as it was removed permanently and in its entirety from CSIS systems.”
Brideau suggests the deletion also made it impossible to notify taxpayers.
Mufti declined to say whether CSIS had done so. She also would not reveal what sort of information the spy service got from the revenue agency.
The review committee report says CSIS management issued a “stern reminder” to employees of the need for a warrant to collect taxpayer data, but the committee concluded that may not be sufficient.
Mufti says while she could not confirm or deny any “internal disciplinary measures that might have been taken,” CSIS maintains “robust policies and procedures, clearly defining our roles and responsibilities. We continue to actively educate and train our staff on the latest updates on our policies.”
The federal privacy commissioner is looking into the improper sharing.
“What we can tell you at this time is that we were aware of this issue and we have been examining it,” says spokeswoman Valerie Lawton, who was not in a position to provide more details.