2009-2010 Annual Report to Parliament - The Administration of the Privacy Act

Foreword

Each financial year, pursuant to section 72 of the Privacy Act (PA), the head of every government institution is required to prepare and submit to Parliament an annual report on the administration of the PA.

This annual report to Parliament is prepared under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the PA during the period from April 1, 2009, to March 31, 2010. It also discusses issues of interest to program delivery, emerging trends, and areas of focus for the year ahead.

The Privacy Act

The Privacy Act came into force on July 1, 1983. The PA protects the privacy of individuals by outlining strong requirements for the collection, retention, use, disclosure, and disposal of personal information held by government institutions. It also provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions, and with certain rights of correction and/or annotation. Individuals who are dissatisfied with any matter related to a formal request made under the PA are entitled to complain to the Privacy Commissioner of Canada.

The PA's formal processes do not replace other procedures for obtaining government information. In accordance with this principle, the CRA encourages individuals and/or their representatives to explore the following informal methods of access at their disposal:

  • The topical index on the CRA's Internet Web site:
    cra.gc.ca/azindex/menu-eng.html
  • Individuals – general enquiries: 1-800-959-8281
  • Universal Child Care Benefit, Canada Child Tax Benefit and related provincial and territorial programs, child disability benefit and children's special allowances: 1-800-387-1193
  • Forms and publications: 1-800-959-2221
  • TTY (Teletypewriter) for persons who are deaf or hard of hearing, or have a speech impairment: 1-800-665-0354

Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies—at their request and on a cost-recovery basis—to administer non-harmonized taxes and other services. Overall, the CRA promotes compliance with Canada's tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The Minister of National Revenue is accountable to Parliament for all the CRA's activities, including the administration and enforcement of the Income Tax Act and the Excise Tax Act.

One of the key features of the Canada Revenue Agency's (CRA) innovative structure is a Board of Management, accountable to Parliament through the Minister of National Revenue. The Board of Management consists of 15 members appointed by the Governor in Council. Eleven of these members have been nominated by the provinces and territories. The Board is responsible for overseeing the organization and management of the CRA, including the development of the Corporate Business Plan and the management of policies related to resources, services, property, and personnel.

As the CRA's chief executive officer, the Commissioner is responsible for the day-to-day administration and enforcement of program legislation that falls under the Minister's delegated authority. The Commissioner is accountable to the Board of Management for the daily management of the CRA, supervision of employees, and implementation of policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA has a presence across the country and is comprised of twelve Branches and five Regional offices.

Branches

  • Appeals
  • Assessment and Benefit Services
  • Compliance Programs
  • Corporate Audit and Evaluation
  • Corporate Strategies and Business Development
  • Finance and Administration
  • Human Resources
  • Information Technology
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Taxpayer Services and Debt Management

Regional offices

  • Atlantic
  • Ontario
  • Pacific
  • Prairie
  • Quebec

Access to Information and Privacy Directorate

The ATIP Directorate supports the Canada Revenue Agency in meeting its legislative requirements related to the Access to Information Act (ATIA) and the Privacy Act (PA). To fulfill this mandate, the ATIP Directorate:

  • Responds to requests and enquiries under the ATIA and the PA;
  • Provides advice to CRA employees about privacy implications, risks, and possible options for avoiding or mitigating risks;
  • Co-ordinates privacy impact assessment processes within the CRA;
  • Provides information sessions concerning the ATIA, the PA, and personal information handling practices and requirements;
  • Liaises with the Treasury Board Secretariat and the offices of the Information and Privacy Commissioners of Canada with respect to complaints, audits, and policy/legislative requirements; and
  • Fulfills corporate planning and reporting obligations such as the CRA's annual reports to Parliament on the administration of the ATIA and the PA.

Marie-Claude Juneau is the Director of the ATIP Directorate; she reports to the Assistant Commissioner of the Public Affairs Branch.

Under the guidance of the Director and three Assistant Directors, 75 employees were responsible for the administration of the ATIA and the PA in 2009-2010. The ATIP Directorate consists of two main divisions: 1) processing and 2) program support (internal and agency-wide) and training. In addition to Headquarters in Ottawa, the ATIP Directorate has two satellite offices—Vancouver and Montreal.

Delegation of responsibilities under the Privacy Act

As head of the CRA, the Minister of National Revenue is responsible for the CRA's administration of the PA and compliance with TBS policy instruments. However, pursuant to section 73 of the Privacy Act, the Minister of National Revenue has the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the head's powers, duties, and functions under the PA.

The CRA's current Designation Order for the PA was signed by Keith Ashfield, Minister of National Revenue, Minister of the Atlantic Canada Opportunities Agency, and Minister for the Atlantic Gateway, on April 29, 2010. The Schedule associated with the Order identifies the specific provisions of the PA and its Regulations that the Minister has delegated to various positions within the Agency.

Generally, the ATIP Director, Assistant Directors, and managers of the production units sign off on ATIA and PA requests processed at Headquarters in Ottawa. In the Montreal and Vancouver satellite offices, the managers of the production units and their respective Assistant Commissioners sign off based on their delegated authority. Delegations are extended to the other Assistant Commissioners, but exercised only in exceptional cases, to enable them to make decisions about information under their respective mandates.

Schedule - Privacy Act

Officers authorized to perform the powers, duties, or functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations.

Paragraphs 8(2)(j) and (m); subsections 8(4), 8(5), 9(1) and 9(4); sections 10, 14 to 16; paragraph 17(2)(b), subsections 19(1) and 19(2); sections 20 and 21; subsections 22(1) and 22(2); sections 23 to 28; subsections 33(2), 35(1) and 35(4); and 51 of the Privacy Act; and sections 9, 11, 13 and 14 of the Privacy Regulations.

  • Commissioner
  • Deputy Commissioner
  • Assistant Commissioners
  • Chief Audit Executive and Director General Program Evaluation, Corporate Audit and Evaluation Branch
  • Director, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch
  • Assistant Directors, ATIP Directorate, Public Affairs Branch
  • Managers, ATIP Directorate, Public Affairs Branch

Section 22.3 of the Privacy Act

  • Commissioner
  • Deputy Commissioner
  • Chief Audit Executive and Director General Program Evaluation, Corporate Audit and Evaluation Branch
  • Assistant Commissioner, Public Affairs Branch
  • Director, ATIP Directorate, Public Affairs Branch
  • Assistant Directors, ATIP Directorate, Public Affairs Branch

Section 31, and subsections 37(3) and 72(1) of the Privacy Act

  • Commissioner
  • Deputy Commissioner
  • Assistant Commissioner, Public Affairs Branch
  • Director, ATIP Directorate, Public Affairs Branch
  • Assistant Directors, ATIP Directorate, Public Affairs Branch

Operational Environment

The CRA collects extensive volumes of personal information under the Income Tax Act, the Excise Tax Act, and various federal and provincial economic and social benefit programs. As well, the CRA collects and manages the personal employment information for its more than 44,000 employees. Within this context, the ATIP Directorate must continually strive towards the appropriate balance between privacy rights and other overlapping and potentially conflicting legislation. This level of complexity impacts the ATIP Directorate's ability to meet its legislative obligations.

In 2009-2010, the ATIP Directorate focused on key activities to strengthen governance surrounding privacy issues and to improve operational performance. Over time, these measures are intended to bolster the CRA's ability to meet its obligations in relation to the Privacy Act.

Strengthened Governance

In 2009, the Office of the Privacy Commissioner (OPC) released an audit report entitled Privacy Management Frameworks of Selected Federal Institutions. The audit recommended that the CRA strengthen its privacy governance structure, establish a protocol for privacy breach incidents, and develop a strategic plan for raising privacy awareness. As a result, the ATIP Directorate began to define the role and mandate of a Chief Privacy Officer (CPO).

During 2009-2010, the Directorate drafted an implementation report to establish governance, accountability and processes for a CPO role. This new role would raise employee awareness about privacy matters and better position the CRA to meet its privacy obligations. As a next step, the ATIP Directorate will confirm senior management approval of the proposed governance structure and the funding of resources required for implementing the plan.

As well, the Security, Risk Management and Internal Affairs Directorate and the ATIP Directorate are collaborating on an information-sharing protocol for potential privacy breaches, which is expected to be in effect in 2010-2011. This is a joint initiative to support program delivery, strengthen collaborative efforts, and foster improved communications.

Improved Public Reporting

The CRA is required to inform the public about its information holdings in Info Source, a series of publications which contain information about and/or collected by the Government of Canada. This helps the public formulate access to information requests under the ATIA or PA.

To strengthen its reporting in Info Source, the ATIP Directorate took concrete action to address the deficiencies noted in Round VI of the Management Accountability Framework (MAF). In particular, the ATIP Directorate coordinated the development and registration of approximately seven institution-specific personal information banks, updated classes of records, and further identified and described the CRA's programs, activities, and initiatives.

The changes raised the CRA's rating in the information management category of MAF from "Opportunity for Improvement" (Round VI) to "Acceptable" (Round VII). The latest MAF assessment notes that the CRA has made a significant effort to improve its administration of the assessed statutory and regulatory requirements.

In 2010-2011, the ATIP Directorate will continue to strive towards full compliance with TBS guidelines. The CRA's Info Source Working Group will be used as a vehicle to make any necessary changes.

Proactive/Routine Disclosure

To improve the efficiency of its operations, the ATIP Directorate also began to monitor the CRA's formal ATIA and PA requests to determine whether or not there are opportunities for increasing informal methods of access.

In 2010-2011, the ATIP Directorate will continue to work with stakeholders in the CRA to enhance, where possible, existing policies and processes for routinely providing access on an informal basis, while ensuring full protection of personal data.

External and Internal Web pages

Ensuring that Canadians are aware of how to access information and of all the channels available to them is an ongoing priority of the ATIP Directorate. This year, the ATIP Directorate reviewed its existing Internet presence to determine where change was required. In 2010-2011, the Directorate will implement its plan to revamp this page to ensure it:

  • Provides the public with general information about formal ATIA and PA request processes;
  • Highlights how to request information formally and informally;
  • Contains information about the CRA's practices for the collection, use, and disclosure of personal information; and,
  • Includes useful links.

This year the ATIP Directorate also began reviewing its existing presence on the CRA's Intranet site. In 2010-2011, the ATIP Directorate will revamp the content in light of this analysis to strengthen the CRA's awareness of the ATIP Directorate's roles and responsibilities and raise awareness of the legislative requirements of the ATIA and PA, as well as the fair information practices for managing personal information.

Human Resources

CRA recognizes that a strong ATIP function depends on having qualified, well-supported and well-equipped ATIP staff. However, since ATIP professionals are in high demand across government, recruitment and retention remain a challenge for the ATIP Directorate.

In 2009-2010, the Directorate successfully completed several selection processes to hire staff and to create a pool of candidates for future placement. As well, resources were diverted to address findings made by the Office of the Privacy Commissioner and Treasury Board Secretariat regarding privacy matters, including preliminary work on the Chief Privacy Officer (CPO) role.

Education and Training


The ATIP Directorate recognizes the importance of training and awareness for fulfilling CRA obligations related to the Acts. Towards this end, the ATIP Directorate made concerted efforts to bolster information and privacy awareness training among CRA staff this fiscal year. Since June 2009, 23 ATIP awareness sessions were provided to 875 employees across Canada. Another 12 sessions were delivered to 316 managers through the CRA's Management Development Program.

During the next fiscal year, the ATIP Directorate plans to expand its awareness training by adding sessions concerning privacy rights and fair information practices for handling personal information.

The ATIP Directorate also expanded its internal training to ATIP staff to equip staff with the knowledge required for applying the legislation in their day-to-day jobs. This training is particularly critical at this time given the arrival of new, inexperienced ATIP analysts in the current operational environment. In 2009-2010, the Directorate focused on providing training to junior analysts. In Vancouver, for instance, three training sessions were provided to 16 participants during the fall and winter. At Headquarters, new analysts were provided with 3 months of comprehensive training. Feedback from this training will be used to strengthen future training of ATIP staff.

Conclusion

The ATIP Directorate faces ongoing workload, resourcing, and staffing challenges. In 2010-2011, the Directorate will focus attention on streamlining processes, procedures, and practices to meet its obligations and responsibilities under the Privacy Act. Special attention will be devoted to:

  • Establishing a strong access to information and privacy governance structure in the CRA;
  • Fostering awareness about the PA and policy requirements for the collection, use, disclosure, retention, and disposal of personal information;
  • Ensuring the availability of communications products and/or training, advice or support; and
  • Striving towards full compliance under the Access to Information and Privacy Acts.

The ATIP Directorate will strengthen its presence on the CRA's external and internal Web sites. As a result, this will increase awareness, streamline formal processes, and position the Directorate to provide timely and relevant services.

Statistical Report – Interpretation and Explanation

Appendix A provides a statistical report on the Privacy Act for the 2009-2010 reporting period. The following provides explanations and interpretations for the statistical information.

Requests under the Privacy Act

During the reporting period, April 1, 2009, to March 31, 2010, the CRA received 2,083 new privacy requests. This represents an increase of 530 requests (34.13%) over last year. Since 386 requests were carried forward from the 2008-2009 fiscal year, this resulted in a total of 2,469 active requests. The following table shows the number of requests received and completed by the CRA for the past five fiscal years:

| Fiscal Year | Requests Received | Requests Completed | Pages Reviewed |
|---|---|---|---|
| 2005–2006 | 2,928 | 2,957 | 340,505 |
| 2006–2007 | 1,912 | 1,971 | 314,374 |
| 2007–2008 | 1,406 | 1,355 | 340,217 |
| 2008–2009 | 1,553 | 1,447 | 392,173 |
| 2009–2010 | 2,083 | 1,973 | 371,766 |

The CRA also received 125 PA consultation requests, of which it completed 124.

In addition, the ATIP Directorate's Program Support and Training Group responded to approximately 232 emails and 566 telephone enquiries from sources both internal and external to the CRA. Responses to enquiries include advice and guidance on processes and procedures relative to the PA or the Access to Information Act and/or the provision of alternate contact information.

Disposition of requests

During the reporting period, the ATIP Directorate completed 1,973 PA requests, which included the review of 371,766 pages of records. The following table represents the disposition of these requests:

| Disposition | Number of Requests | Percentage (%) |
|---|---|---|
| Fully disclosed | 507 | 25.70% |
| Partially disclosed | 1,023 | 51.85% |
| Excluded in their entirety | 6 | 0.30% |
| Exempted in their entirety | 91 | 4.61% |
| Transferred to another institution | 5 | 0.25% |
| Unable to process | 163 | 8.26% |
| Abandoned by applicant | 169 | 8.57% |
| Treated informally | 9 | 0.46% |

Exemptions invoked

The following table identifies the number of requests in which the listed sections under the ATIA were invoked:

| Section | Description | Number of Requests | Percentage (%) |
|---|---|---|---|
| 19 | Obtained in confidence from other governments | 33 | 1.67% |
| 21 | Disclosure could be injurious to the conduct of international affairs, the defence of Canada or an allied state, or pertain to subversive activities | 0 | 0.00% |
| 22 | Relative to law enforcement, investigations, or the security of institutions | 226 | 11.45% |
| 24 | Related to an individual sentenced for an offence | 0 | 0.00% |
| 26 | About another individual | 700 | 35.48% |
| 27 | Subject to solicitor-client privilege | 64 | 3.24% |

Exclusions cited

Exclusions for confidences of the Queen's Privy Council for Canada were invoked 0 times under section 70.

Completion Time and Extensions

The time frames for the 1,973 requests completed in 2009-2010 are represented in the following table:

| Completion Time | Number of Requests | Percentage (%) |
|---|---|---|
| 30 days or less | 808 | 40.95% |
| 31 to 60 days | 681 | 34.52% |
| 61 to 120 days | 308 | 15.61% |
| 121 days or more | 176 | 8.92% |

Of the 1,973 requests completed:

  • Approximately 1,656 (84%) were completed within allowable time limits, which is lower than last year's performance.
  • For 733 (37.15%) of the 1,973 requests, the ATIP Directorate claimed time extensions because meeting the original time limit would unreasonably interfere with the operations of the CRA, or because they needed to conduct consultations.

Translations

No translations were required to respond to requests for personal information.

Method of access

Of the 1,530 requests for which information was disclosed in full or in part, approximately 1,455 of the applicants received copies of the release package. The rest obtained access by examining the release package and, where desired, obtained select copies of the releasable records.

Corrections and notation

Two requests were received for correction of personal information held within the CRA.

Costs

During 2009-2010, the ATIP Directorate's estimated total cost to administer the PA was $2,921,747.90, excluding coordination support from branches. For more details, please refer to Appendix A.

Privacy Impact Assessment and Preliminary Privacy Impact Assessments

During the reporting period, 29 Preliminary Privacy Impact Assessments (PPIAs) were initiated, of which 19 were completed and presented at the CRA's Oversight Review Committee (ORC)—a Director General-level committee meeting held quarterly to provide corporate oversight on emerging privacy issues affecting the CRA.

There were 3 Privacy Impact Assessments (PIAs) initiated and 2 were reviewed by the ATIP Oversight Review Committee, and subsequently forwarded to the Strategic Direction Committee (SDC). The following 2 PIAs were submitted to the Office of the Privacy Commissioner through the ATIP Director:

1. Xenon Web Crawling Initiative: The Xenon Web Crawler will be used to identify e-Commerce businesses so that the CRA may detect non-filers and unreported income from Internet sales.

2. Registered Charity Information Return (T3010B): This PIA deals with additional information collected on the T3010B that would constitute "personal information" under the Privacy Act relating to agents/intermediaries, third-party fundraisers, and non-resident donors. The redesigned T3010B(09) will simplify reporting for small charities, while focusing on obtaining information about higher risk activities for compliance and public information purposes.

At the link listed below, you will find the PIA summaries of all PIAs completed by the CRA since the Privacy Impact Assessment Policy was implemented in May 2002.

cra.gc.ca/gncy/prvcy/pia-efvp/menu-eng.html

Data matching

There were 3 data matching activities undertaken during 2009-2010:

  • Automated Offsets SA/T1 – On hold for clarification of data matching
  • Security Incident and Event Monitoring – Information may be correlated against employee databases to determine the identity of the individual in the event of a security incident.
  • Registered Disability Savings Plan – Data matching is necessary in order to correctly identify the client for whom personal information is being requested from the CRA by Human Resources and Social Development Canada.

Disclosure Under Subsection 8(2)(e), (f), (g) and (m) of the Privacy Act

During the reporting period, there were 39 disclosures made pursuant to subsection 8(2)(e) of the Act and 2 disclosures made pursuant to subsection 8(2)(m) of the Act.

The CRA did not have any disclosures pursuant to subsections 8(2)(f) or (g) of the Act.

Complaints, investigations, and federal court cases

The Office of the Privacy Commissioner received 35 complaints concerning requests for personal information submitted to and/or responded to by the CRA during the reporting period.

The CRA closed 39 complaints during 2009-2010 – 29 of them with a disposition of not justified.

As well, the Directorate received 17 complaints concerning alleged improper collection, use, and/or disclosure of personal information by the CRA. Details regarding these types of complaints are outlined in the table below.

| Outstanding from previous fiscal period | Received during fiscal year | Completed | Closing inventory |
|---|---|---|---|
| 19 | 17 | 27 | 9 |

Appendix A – Statistical report

Appendix B – Supplemental reporting requirements

Supplemental reporting requirements

Privacy Act

Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. As such, the CRA is required to report the following information for the 2009-2010 reporting period.

Preliminary Privacy Impact Assessments initiated: 17

Preliminary Privacy Impact Assessments completed: 17

Privacy Impact Assessments initiated: 3

Privacy Impact Assessments completed: 2

Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): 2

Date modified:
2010-06-17