It is that time of year where organizations are sending out their official tax statements to facilitate the filing of tax returns. The Office of the Information and Privacy Commissioner (OIPC) recently received three breach reports involving tax statements. These breaches occurred as a result of failed automated processes resulting in tax statements being sent to the wrong individual.
The Personal Information Protection Act (PIPA) requires organizations to make reasonable security measures to prevent unauthorized access to or disclosure of personal information. Organizations that use automated processes to process tax statements need to take steps prior to delivery of the tax statements to ensure the correct tax statement is in the correct envelope or if sent electronically, is sent to the correct email address. Organizations are responsible to ensure service providers retained to process tax statements on their behalf are taking the steps necessary to protect against a breach of personal information given that the organization is ultimately responsible if a breach of personal information occurs.
The OIPC is currently investigating these breaches and individuals will be notified if the Information and Privacy Commissioner finds a real risk of significant harm to an affected individual exists as a result of the breach. Organizations are also reminded they are required by PIPA to report a breach where a real risk of significant harm to an individual exists as a result of the breach.