Alternate Regional Vice-Presidents
Labour Relations Officers
Re: Unauthorized Accesses
I ask that this Bulletin receive the widest circulation among the membership. Please seek permission from your local Management to post and distribute on site.
Unauthorized accesses are any system accesses that do not relate specifically to the job you are paid to perform. The CCRA Code of Ethics and Standards states, “Accessing information that the CCRA collects is strictly prohibited unless specifically required by your work.” It then goes on to state “Accessing information which is not part of your official duties and providing such information to an unauthorized person for an unauthorized purpose would be examples of serious misconduct.” In addition to the Code, the Finance and Administration Manual clearly illustrates the issues with access violations. Chapter 16 states “The objective of this policy is to ensure each authorized user is granted minimum access privileges to access departmental IT systems and information resources to perform assigned work related activities.” and in Chapter 25 it reads “The objective of this policy is to ensure that departmental employees do not access their own personal tax and customs information nor that of relatives or acquaintances under any circumstance. Access to tax and custom information shall only be granted to employees with the appropriate level of security screening and a specific requirement for the information to perform the tasks assigned to them. This excludes accessing their own tax and customs information and that of their relatives and acquaintances.”
Over the past few years there has been a marked increase in the number of disciplinary measures initiated against our members for unauthorized access. A significant number of these disciplinary measures were assessed against members as a result of their inadvertently accessing accounts that they were not specifically authorized to check. The CCRA educates their employees, our members, on the most significant unauthorized accesses but they do not educate them on potential violations as a result of their actions.
When our members are hired they are informed of the obvious potential violations: “do not access Wayne Gretzky’s account, do not check on your ex-spouse, do not access your own account and do not release any information to the general public”. The one area that seems to create the most concern, in the Agency’s view, is when a member views a situation as Service to the Public and accesses an account that is not within the confines of their assigned duties. UTE members are being disciplined as a result of accessing accounts to provide information to the public that, under their job descriptions, they should be neither accessing nor providing.
For example, if a Rulings Officer receives a phone call from a family member, acquaintance or former client requesting refund information, they are creating an unauthorized access, subject to discipline, if they access the account and release the refund information. A collector checking on the status of a filed tax return for an individual not in their inventory is also committing a violation and they too can be disciplined. This is due to the fact that it is not the job of a Rulings Officer to provide refund information nor is it the job of a collector to check on tax file information for someone not in his or her inventory.
The members of UTE must recognize that Service to the Public does not translate into the providing of all services or information regardless of assigned duties. As much as we all believe that checking a refund is a simple task that we can all perform, one must remember that this may not be the job that we are paid to perform. There are specific CCRA Employees that are authorized to perform this specific task. One must look at the extreme. We would never contemplate checking on a corporate reassessment and explaining the significance to the taxpayer/client if that is not our job. That would be the job of the auditor who did the reassessment. A Client Service Agent would never explain why a Requirement to Pay was issued nor release it, again, because it is not the job that they are paid to perform.
UTE recommends that you ask yourself two very simple questions, “Is the information that I am being asked to provide part of my regular duties?” or “Is what I am about to do an assigned work activity?” If you answer “no” to either question then you are committing an unauthorized access violation if you provide the requested information and/or access the account.
Unauthorized access violations can result in disciplinary actions ranging from an oral reprimand to dismissal. If you, as a CCRA employee, are asked to provide information from any source that is not an integral part of your assigned duties then you should redirect the enquiry to the appropriate person. Service to the Public does not mean you are required to provide all levels of service. It does mean that you are expected to direct enquiries to the appropriate area or employee, whose job it is to provide the requested information.
An unauthorized access could mean your job. UTE has been working with the CCRA to try and obtain information sessions on what is an unauthorized access. We hope to see these sessions provided to all our members in the near future. Until such time as these sessions are available UTE is requesting that all members err on the side of caution and only access information that is specifically related to the job you are paid to perform.