CRA gets flack for Netfile changes

Share this article:

The Canada Revenue Agency (CRA) has unnerved privacy experts with a change to its electronic tax-filing policy: It has removed several authentication requirements for electronic filers.

In the past, the CRA asked those filing via its NETFILE web-based tax-filing service for a personal code and PIN number. Last month, however, it said that taxpayers would only require a Social Insurance Number and a birth date to file online from now on.

"By reducing the effort they put into verifying a person's identity, they are making it easier for someone to make a fraudulent submission with my identity," said Brian Bourne, a security consultant and founder of the SecTor security conference in Toronto. "It's odd that while most of the industry is trying to increase identity validation through mechanisms like multifactor authentication, the CRA is going the opposite way."

The CRA said that it applied Treasury Board Secretariat guidelines on privacy impact assessments before implementing this change, but did not believe a privacy impact assessment was required, as it does not affect privacy or security of taxpayer information.

"It seems that they made the change and are trying to tell everyone that it's safe, but it doesn't seem to me that they did the privacy impact analysis that they should have done at the outset," said Kris Klein, a partner and expert in privacy law at nNovation LLP.

"The CRA takes the privacy and security of taxpayer information very seriously," the CRA said in its statement.


Share this article:
You must be a registered member of SC Magazine to post a comment.

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

More in SC Canada

Childrens' Hospital apologizes for rogue employee breach

Alberta Health Services is apologizing following a data breach at Alberta Children's Hospital.

Canadian launches $500m class action against Home Depot

A Canadian is leading a $500 million class-action lawsuit against Home Depot following its data breach in which up to 56 million US and Canadian credit cards were stolen.

Faulty UBC software exposed student financial information

Students at the University of British Columbia have been warned that their personal information may have been exposed thanks to a software bug.