OTTAWA – The Canada Revenue Agency has offered credit-protection services to several people after their private information — including social insurance numbers and addresses — was mailed to others.
The federal privacy commissioner’s office says it is investigating the violations, first flagged by constituents of New Democrat MP Charlie Angus.
Angus says the revenue agency twice sent batches of personal data to the wrong people in his northern Ontario riding.
READ MORE: CRA sent out SIN numbers to wrong people, MP says
In a letter to the commissioner’s office, Angus says the revenue agency mailed a package April 6 to several constituents in Kirkland Lake, Ont., containing the names, SINs, addresses and phone numbers of five people.
Five days later, the same constituents were mailed a second package with similar personal information about 11 people, the April 20 letter said.
“The gravity of this breach is completely unacceptable and I ask that you immediately investigate the matter,” Angus wrote.
In an interview, he said the constituents who received the mailings “were very, very upset to see this information.”
Federal agencies are required under the Privacy Act to report significant breaches to the privacy commissioner.
Canada Revenue Agency spokesman Philippe Brideau said Tuesday the agency contacted the commissioner after confirming the breach, informed the affected people and made no-cost credit protection services available to them.
WATCH: Can the Canada Revenue Agency crack down on tax evaders?
“The CRA takes the protection of taxpayers’ information very seriously,” Brideau said.
The revenue agency has launched its own investigation into the matter and continues to work closely with the privacy commissioner on it, he added.
Valerie Lawton, a spokeswoman for the commissioner, confirmed that the revenue agency reported the breach. She said no other details could be provided at this time, adding only that “we received a complaint about this matter and have opened an investigation.”
In 2013 the privacy commissioner’s office audited the revenue agency, focusing on how it controlled access to personal information.
The privacy watchdog made 13 recommendations in areas including monitoring of employee access rights, threat and risk assessments for information-technology systems and ensuring the privacy impacts of new programs are evaluated.
The agency agreed with the commissioner’s recommendations, and the watchdog made plans to follow up on progress this year.