ORDER/ADDRESS OF THE HOUSE OF COMMONS ORDRE/ADRESSE DE LA
CHAMBRE DES COMMUNESBY IDE DATE
Mr. Angus (Timmins - James Bay)
March 6, 2013/6
mars 2013
RETURN BY THE LEADER OF THE GOVERNMENT IN THE HOUSE OF COMMONS
DEPOT DU LEADER DU GOUVERNEMENT A LA CHAMBRE DES COMMUNES
Signed by Mr. Tom LukiwskiPRINT NAME OF SIGNATORY INSCRIRE LE
NOM DU SIGNATAIRE SIGNATURE MINISTER OR PARLIAMENTARY SECRETARY
MINISTRE OU SECRETAIRE PARLEMENTAIRE
~~~ 2 2 2013(TABLED FORTHWITH / DEPOSE AUSSITOT)
INSTRUCTIONS FROM THE PRIVY COUNCIL OFFICE (OFFICE FOR THE
COORDINATION OF PARLIAMENTARY RETURNS) TO ORGANIZATIONS WITH
RESPECT TO WRITTEN QUESTION Q-12172 - MR. ANGUS (TIMMINS-. JAMES
BAY)Q-1217' - March 6, 2013 - Mr. Angus (Timmins-James Bay) - With
respect to data, infonnation or privacy breaches at government
departments, institutions and agencies, for each year fi:om 2002 to
2012: (a) how many breaches have occurred in total, broken down by
(i) department, institution or agency, (ii) the number of
individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office ofthe
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?
Organizations must obtain the information from their Access to
Information and Privacy (ATIP) Coordinator and their Departmental
Security Officer (DSO), and any other area responsible for
compiling information regarding breaches. Once the information is
compiled organizations are reminded to apply the principles of the
Access to Information Act and the Privacy Act to ensure that the
information contained in their response can be disclosed.
Organizations are required to enumerate each breach by fiscal
year and include other requested information on the attached
template.
Data, information or privacy breach: involves improper or
unauthorized collection, use, disclosure, retention and/or disposal
of protected personal and/or classified information including hard
copies and electronic data.
Guidelines for Privacy Breaches:
http://www.tbs-sct.gc.ca/pol/doceng.aspx?id=26154§ion=text
Personal Information Protection and Electronic Documents Act
(PIPEDA) - http://lawsIois. justice. gc. ca/eng/acts/P-8. 6/index.
htm I
Policy on Privacy Protection:
http://www.tbs-sct.gc.ca/pol/doceng.aspx?section=text&id=12510
Privacy and Your Business - Privacy Breach Handbook:
http://www.priv.gc.ca/resource/pb-avp/pb hb e.pdf
0-1217 - March 6,2013 - Mr. Angus (Timmins-James Bay) - With
respect to data, information or privacy breaches at government
departments, institutions and agencies, for each year from 2002 to
2012: (a) how many breaches have occurred in total, broken down by
(i) department, institution or agency, (ii) the number of
individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?
a) Enumerate each breach by fiscal year
a)(ii) & b)(ii) Number of individuals affected by the
breach
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO
c) Indicate if the breach led to criminal activity YES NO
UNKNOWN
TOTALS a) Total number of breaches
I
a)(ii) Total number of individuals affected by all breaches
enumerated in part a) b) Total number of breaches reported to the
OPC b)(ii) Total number of individual affected by breaches reported
to the OCP c) Total number of breaches known to have led to
criminal activity
CLARIFICATION Q-12172-
MR. ANGUS (TIMMINS-JAMES
BAY)
Q-1217' - March 6, 2013 - Mr. Angus (Timmins-James Bay) - With
respect to data, infonnation or privacy breaches at government
departments, institutions and agencies, for each year from 2002 to
2012: (a) how many breaches have occurred in total, broken down by
(i) department, institution or agency, (ii) the number of
individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?
In cases of lost or stolen blackberries, organizations should
only report on instances where these devices were authorized to
carry classified information (protected, secret, or higher).
INQUIRY OF MINISTRY DEMAN DE DE RENSEIGNEMENT AU
GOUVERNEMENTPREPARE IN ENGLISH AND FRENCH MARKING "ORIGINAL TEXT"
OR "TRANSLATION" PREP ARER EN ANGLAIS ET EN FRANc;AIS EN INDIQUANT
"TEXTE ORIGINAL" OU "TRADUCTION"
QUESTION NO./N DE LA QUESTION
BY I DE
DATE
0-1217
2
Mr. Angus (Timmins-James
Bay)
March 6, 2013
REPLY BY THE MINISTER OF ABORIGINAL AFFAIRS AND NORTHERN
DEVELOPMENT REPONSE DU MINISTRE DES AFFAIRES AUTOCHTONES ET DU
DEVELOPPEMENT DU NORD CANADIEN
PRINT NAME OF SIGNATORY INSCRIRE LE NOM DU SIGNATAIRE
SIGNATURE MINISTER OR PARLIAMENT ARY SECRETARY MINISTRE OU
SECRETAIRE PARLEMENTAIRE
With respect to data, information or privacy breaches at
government departments, institutions and agencies, for each year
from 2002 to 2012: (a) how many breaches have occurred in total and
broken down by (i) department, institution or agency, (ii) the
number of individuals affected by the breach; and (b) of those
breaches, how many have been reported to the Office of the Privacy
Commissioner, broken down by (i) department, institution or agency,
(ii) the number of individuals affected by the breach; and (c) how
many breaches are known to have led to criminal activity such as
fraud or identity theft, broken down by department, institution or
agency?
ORIGINAL TEXT TEXTE ORIGINAL
TRANSLATION TRADUCTION
D
Insofar as Aboriginal Affairs and Northern Development Canada is
concerned, our response is attached.
0-1217 - March 6, 2013 - Mr. Angus (Timmins-James Bay) - With
respect to data, information or privacy breaches at government
departments, institutions and agencies, for each year from 2002 to
2012: (a) how many breaches have occurred in total, broken down by
(i) department, institution or agency, (ii) the number of
individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?
a) Enumerate each breach by fiscal year
a)(ii) & b)(ii) Number of individuals affected by the
breach
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO
c) Indicate if the breach led to criminal activity YES NO
UNKNOWN
2002-2003 - 2009-2010N/A*
2010-20111 1 1 2
x x x x x x
x x xx
2011-20121 .
x x
1TOTALS a) Total number of breaches
I6 7 6 70
a)(ii) Total number of individuals affected by all breaches
enumerated in part a) b) Total number of breaches reported to the
OPC b)(ii) Total number of individual affected by breaches reported
to the OCP c) Total number of breaches known to have led to
criminal actiVity
*AANDC does not keep any privacy breach records beyond their
appropriate retention and disposition schedule (set out in the
Library and Archives Canada Multi-Institutional Disposition
Authority 98/001) and as such, this response only includes breaches
dating back to April 1, 2010.
INQUIRY OF MINISTRY DEMANDE DE RENSEIGNEMENT AU
GOUVERNEMENTPREPARE IN ENGLISH AND FRENCH MARKING "ORIGINAL TEXT"
OR "TRANSLATION" PREPARER EN ANGLAIS ET EN FRAN(AIS EN INDIQLJANT
"TEXTE ORIGINAL" OU "TRADUCTION" QUESTION NO.lN0 DE LA QUESTION BY
I DE DATE
Q-12172
Mr. Angus (Timmins-James
Bay)
March 6, 2013
REPL Y BY THE MINISTER OF AGRICULTURE AND AGRI-FOOD R~PONSE DU
MINJSTRE DE L'AGRICUL TURE ET DE L'AGROALIMENTAIRE
signed by Gerry Ritz, PC, MPPRINT NAME OF SIGNATORY INSCRIRE LE
NOM DU SIGNATAIRE SIGNATURE MINISTER OR PARLIAMENTARY SECRETARY
MINISTRE OU SECRETAIRE PARLEMENTAIRE
With respect to data, information or privacy breaches at
government departments, institutions and agencies, for each year
from 2002 to 2012: (a) how many breaches have occurred in total,
broken down by (i) department, institution or agency, (ii) the
number of individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?ORIGINAL TEXT TEXTE ORIGINAL TRANSlATION
TRADUCTION
D
The Canadian Grain Commission did not have any information or
privacy breaches from fiscal year 2002 and up to 2012.
The Farm Products Council of Canada did not have any information
or privacy breaches from fiscal year 2002 and up to 2012.
0-1217 - March 6,2013 -
Mr. Angus (Timmins-James Bay) - With respect to data,
information or privacy breaches at government departments,
institutions and agencies, for each year from 2002 to 2012: (a) how
many breaches have occurred in total, broken down by (i)
department, institution or agency, (ii) the number of individuals
affected by the breach; (b) of those breaches identified in (a),
how many have been reported to the Office of the Privacy
Commissioner, broken down by (i) department, institution or agency,
(ii) the number of individuals affected by the breach; and (c) how
many breaches are known to have led to criminal activity such as
fraud or identity theft, broken down by department, institution or
agency?
a) Enumerate each breach by fiscal year
a)(ii) & b)(ii) Number of individuals affected by the
breach
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO X X X X X X X X X X X X X X X
X
c) Indicate if the breach led to criminal activity YES NO X X X
X X X X X X X X X X X X X UNKNOWN
2007 -2008 - breach 1 2008-2009 - breach 1 2008-2009 - breach 2
2008-2009 - breach 3 2008-2009 - breach 4 2008-2009 - breach 5
2008-2009 - breach 6 2008-2009 - breach 7 2008-2009 - breach 8
2008-2009 - breach 9 2008-2009 - breach 10 2008-2009 - breach 11
2008-2009 - breach 12 2008-2009 - breach 13 2009-2010 - breach 1
2009-2010 - breach 2
4 32,000 44 2 1 60,000 1 273 1 1 1 1 1 1 1 1
a) Enumerate each breach by fiscal year 2009-2010breach 3
a)(ii) & b)(ii) Number of individuals affected by the breach
1 1 1 1 1 1 1 1 1 16 1 1 1 1 1 1 1 40 1 1 1 1 1 1
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO
c) Indicate if the breach led to criminal activity YES NO
UNKNOWN
X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X
2009-2010 - breach 4 2009-2010 - breach 5 2009-2010 - breach 6
2009-2010 - breach 7 2009-2010 - breach 8 2009-2010 - breach 9
2009-2010 - breach 10 2009-2010 - breach 11 2009-2010 - breach 12
2009-2010 - breach 13 2009-2010 - breach 14 2009-2010 - breach 15
2009-2010 - breach 16 2010-2011 - breach 1 2010-2011 - breach 2
2010-2011 - breach 3 2010-2011 - breach 4 2010-2011 - breach 5
2010-2011 - breach 6 2010-2011 - breach 7 2010-2011 - breach 8
2010-2011 - breach 9 2010-2011 - breach 10
a) Enumerate each breach by fiscal year 2011-2012-breach 1
a)(ii) & b)(ii) Number of individuals affected by the breach
1 1 1 1 1 1 1 1 1 1 1
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO
c) Indicate if the breach led to criminal activity YES NO
UNKNOWN
X X X X X X X X X X X
X X X X X X X X XX
2011-2012 - breach 2 2012-2013 - breach 1 2012-2013 - breach 2
2012-2013 - breach 3 2012-2013- breach 4 2012-2013 - breach 5
2012-2013 - breach 6 2012-2013 - breach 7 2012-2013 - breach 8
2012-2013 - breach 9
X
TOTALS a) Total number of breaches
I51 92,422 5 92,357 0
a)(ii) Total number of individuals affected by all breaches
enumerated in part a) b) Total number of breaches reported to the
OPC b)(ii) Total number of individual affected by breaches reported
to the OCP c) Total number of breaches known to have led to
criminal activity
a) Enumerate each breach by fiscal year
a)(ii) & b)(ii) Number of individuals affected by the
breach
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES
c) Indicate if the breach led to criminal activity YES
I
NO
I
NO
I UNKNOWN
*** Note: data on privacy breaches that occurred during the
period of April 1, 2002 to March 31, 2006 were not tracked in the
ATI P System that existed at that time. Any hard copy files that
may of existed were destroyed as they had met their retention
period.
0-1217 -
March 6,2013 - Mr. Angus (Timmins-James Bay) - With respect to
data, information or privacy breaches at government departments,
institutions and agencies, for each year from 2002 to 2012: (a) how
many breaches have occurred in total, broken down by (i)
department, institution or agency, (ii) the number of individuals
affected by the breach; (b) of those breaches identified in (a),
how many have been reported to the Office of the Privacy
Commissioner, broken down by (i) department, institution or agency,
(ii) the number of individuals affected by the breach; and (c) how
many breaches are known to have led to criminal activity such as
fraud or identity theft, broken down by department, institution or
agency?
a) Enumerate each breach by fiscal year
a)(ii) & b)(ii) N umber of individuals affected by the
breach
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO X X X X X X X X
c) Indicate if the breach led to criminal activity YES NO X X X
X X X X X UNKNOWN
2002 - breach #1 2002 - breach #2 2003 - breach #1 2011 - breach
#1 2011 - breach #2 2012 - breach #1 2012 - breach #2 2012 - breach
#3
1 1 1 1 1 1 1 1
TOTALS a) Total number of breaches
I8 8 3 3 0
a)(ii) Total number of individuals affected by all breaches
enumerated in part a) b) Total number of breaches reported to the
OPC b)(ii) Total number of individual affected by breaches reported
to the OPC c) Total number of breaches known to have led to
criminal activity
INQUIRY OF MINISTRY DEMANDE DE RENSEIGNEMENT AU
GOUVERNEMENTPREPARE IN ENGLISH AND FRENCH MARKING "ORIGINAL TEXT"
OR "TRANSLATION" PREP ARER EN ANGLAIS ET EN FRANC;;AISEN INDIQUANT
"TEXTE ORIGINAL" OU "TRADUCTION"QUESTION NO.lNo DE LA QUESTION BY I
DE DATE
0-1217
Mr. Angus (Timmins-James
Bay)
March 6, 2013
REPLY BY THE MINISTER OF NATIONAL REVENUE AND MINISTER FOR THE
ATLANTIC CANADA OPPORTUNITIES AGENCY REPONSE DE LA MINISTRE DU
REVENU NATIONAL ET MINISTRE DE L'AGENCE DE PROMOTION ECONOMIQUE DU
CANADA ATLANTIQUE
Signed by the Honourable Gail SheaPRINT NAME OF SIGNATORY
INSCRIRE LE NOM DU SIGNATAIRE
.dLth~REMINISTER OR PARLIAMENTARY SECRETARY MINISTRE au
SECRETAIRE PARLEMENTAIRE
With respect to data, information or privacy breaches at
government departments, institutions and agencies, for each year
from 2002 to 2012: (a) how many breaches have occurred in total,
broken down by (i) department, institution or agency, (ii) the
number of individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?ORIGINAL TEXT TEXTE ORIGINAL
D
Insofar as the Atlantic Canada Opportunities Agency is
concerned, with respect to data, information or privacy breaches at
government departments, institutions and agencies, for each year
from 2002 to 2012, the answers to (a), (b), and (c) can be found in
the attached table.
Q-1217 TEMPLATE
0-1217 - March 6, 2013 - Mr. Angus (Timmins-James Bay) - With
respect to data, information or privacy breaches at government
departments, institutions and agencies, for each year from 2002 to
2012: (a) how many breaches have occurred in total, broken down by
(i) department, institution or agency, (ii) the number of
individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?a)i} & b}(i} NAME OF ORGANIZATION:
Atlantic Canada Opportunities Agency
a) Enumerate each breach by fiscal year
a)(ii) & b)(ii) Number of individuals affected by the
breach
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO
c) Indicate if the breach led to criminal activity YES NO
UNKNOWN
2003-2004 2007-2008 2008-2009 2012-2013 2012-2013 2012-2013
2012-2013 2012-2013TOTALS a) Total number of breaches
1 0 0 0 0 0 0 6521
x x x x x x x x
x x x x x x x x
I8 653 0 0 0
a)(ii) Total number of individuals affected by all breaches
enumerated in part a) b) Total number of breaches reported to the
OPC b)(ii) Total number of individuals affected by breaches
reported to the OPC c) Total number of breaches known to have led
to criminal activity
1. This incident resulted from a form containing employee
information temporarily being posted to an internal server. The
form was not easily accessible and the person who saw it may not
have had a "need to know" but did have the security clearance
required to access the information.
INQUIRY OF MINISTRY DEMANDE DE RENSEIGNEMENT AU
GOUVERNEMENTPREPARE IN ENGLISH AND FRENCH MARKING "ORIGINAL TEXT"
OR "TRANSLATION" PREPARER EN ANGLAIS ET EN FRANCAIS EN INDIQUANT
"TEXTE ORIGINAL" OU "TRADUCTION"QUESTIONNO.lN DE lJ\ QUESTION BY/
DE DATE
0-1217
Mr. Angus (Timmins-james
Bay)
March 6, 2013
REPLY BY THE MINISTER OF NATIONAL REVENUE AND MINISTER FOR THE
ATLANTIC CANADA OPPORTUNITIES AGENCY REPONSE DE LA MIN ISTRE DU
REVENU NATIONAL ET MINISTRE DE L'AGENCEDE PROMOTION ECONOMIQUE DU
CANADA ATLANTIQUE
Signed by the Honourable Gail SheaPRINT NAME OF SIGNATORY
INSCRIRE LE NOM DU SIGNATAIRE
e;d~~
(SfGNATlJRE
MINISTER OR PARLIAMENTARY SECRETARY MINISTRE OU SECRtTAIRE
PARLEMENTAIRE
With respect to data, information or privacy breaches at
government departments, institutions and agencies, for each year
from 2002 to 2012: (a) how many breaches have occurred in total,
broken down by (i) department, institution or agency, (ii) the
number of individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(c) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?ORIGINAL TEXT TEXTE ORIGINAL TRANSLATION
TRADUCTION
D
In 2012, the CRA put into place an updated information-sharing
protocol between the CRA's areas responsible for security and
privacy to ensure that information on privacy breaches were flagged
to the CRA's ATIP Directorate, which is responsible for liaising
with the Office of the Privacy Commissioner of Canada. The 2012
protocol strengthened the procedures and protections included in
the previous 2010 information-sharing protocol. While the CRA
captures the number of internal affairs investigations (Le., of
data, information, and privacy breaches) and captures the
information related to the number of security incidents (not
related to employee misconduct) involVing the theft, loss, or
compromise of information, and also the number of misdirected mail
incidents it does not capture the information by breach in the
manner requested. In order to produce the response for 2002-2012, a
manual search of records would need to be undertaken to extract the
data which is not possible within the prescribed timeline.
Q-1217 - March 6, 2013 - Mr. Angus (Timmins--James Bay) - With
respect to data, information or privacy breaches at government
departments, institutions and agencies, for each year from 2002 to
2012: (a) how many breaches have occurred in total, broken down by
(i) department, institution or agency, (ii) the number of
individuals affected by the breach; (b) of those breaches
identified in (a), how many have been reported to the Office of the
Privacy Commissioner, broken down by (i) department, institution or
agency, (ii) the number of individuals affected by the breach; and
(C) how many breaches are known to have led to criminal activity
such as fraud or identity theft, broken down by department,
institution or agency?
a) Enumerate
each breach by fiscal year
a)(ii) & b)(ii) Number of individuals affected by the breach
Not extractable. Please see Inquiry of Ministry.
b) Indicate if the breach was reported to the Office of the
Privacy Commissioner (OPC) YES NO
c) Indicate if the breach led to criminal activity YES NO
UNKNOWN
Not extractable.
Please see InqUiry of Ministry.
TOTALSa) Total number of breaches a)(ii) Total number of
individuals b) Total number of breaches c) Total number of breaches
b )(ii) Total number of individuals
Iaffected by all breaches enumerated affected by breaches in
part a) reported to the OPC reported to the OPC known to have led
to criminal activity
Q-1217Organization: Canada Revenue Agency
INQUIRY OF MINISTRY DEMAN DE DE RENSEIGNEMENT AU
GOUVERNEMENTPREPARE IN ENGLISH AND l;RENCH MARKING "ORIGINAL TEXT"
OR "TRANSLATION" PREPARER EN ANGLAlS ET EN FRAN