2010-2011 Annual Report to Parliament on the Administration of the Privacy Act

Foreword

Each financial year, pursuant to section 72 of the Privacy Act (PA), the head of every government institution is required to prepare and submit to Parliament an annual report on the administration of the PA.

This annual report to Parliament is prepared under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the PA during the period April 1, 2010 to March 31, 2011. It also discusses issues of interest related to program delivery, emerging trends, and areas of focus for the year ahead.

The Privacy Act

The Privacy Act (PA) came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing, and disposing of personal information held by government institutions. It also provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions and with certain rights of correction and/or annotation. Individuals who are dissatisfied with any matter related to a formal request made under the PA are entitled to complain to the Privacy Commissioner of Canada.

The PA's formal processes do not replace other means of getting government information. In accordance with this principle, the CRA encourages individuals and/or their representatives to explore the following informal methods of access at their disposal (the CRA Web site and CRA toll-free telephone lines):

  • The topical indexes on the CRA Web site: www.cra.gc.ca/azindex/menu-eng.html
  • Individual income tax enquiries: 1-800-959-8281
  • Universal child care benefit, Canada child tax benefit and related provincial and territorial programs, child disability benefit, and children's special allowances: 1-800-387-1193
  • Forms and publications: 1-800-959-2221
  • TTY (Teletypewriter) for persons who are deaf or hard of hearing or who have a speech impairment: 1-800-665-0354

Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies—at their request and on a cost-recovery basis—to administer non-harmonized taxes and other services. Overall, the CRA promotes compliance with Canada's tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The Minister of National Revenue is accountable to Parliament for all of the CRA's activities, including the administration and enforcement of the Income Tax Act and the Excise Tax Act.

One of the key features of the CRA's innovative structure is its Board of Management, accountable to Parliament through the Minister of National Revenue. The Board of Management is made up of 15 members appointed by the Governor in Council. Eleven of these members have been nominated by the provinces and territories. The Board is responsible for overseeing the organization and management of the CRA, including the development of the Corporate Business Plan and the management of policies related to resources, services, property, and personnel.

As the CRA's chief executive officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister's delegated authority. The Commissioner is accountable to the Board of Management for the daily management of the CRA, the supervision of employees, and the implementation of policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA has a presence across the country and is made up of 13 branches and 5 regional offices.

Branches

  • Appeals
  • Assessment and Benefit Services
  • Compliance Programs
  • Corporate Audit and Evaluation
  • Enterprise Risk Management
  • Finance and Administration
  • Human Resources
  • Information Technology
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Strategy and Integration
  • Taxpayer Services and Debt Management

Regional offices

  • Atlantic
  • Ontario
  • Pacific
  • Prairie
  • Quebec

The Access to Information and Privacy Directorate

The Access to Information and Privacy (ATIP) Directorate supports the CRA in meeting its requirements relating to the Access to Information Act (ATIA) and the Privacy Act (PA). To fulfill this mandate, the ATIP Directorate:

  • responds to requests and enquiries under the ATIA and the PA;
  • provides advice to CRA employees about privacy implications, risks, and possible options for avoiding or mitigating risks;
  • co-ordinates privacy impact assessment (PIA) processes within the CRA;
  • provides awareness sessions and training concerning the ATIA, the PA, and the practices and requirements for handling personal information;
  • liaises with the Treasury Board Secretariat (TBS) and the offices of the information and privacy commissioners of Canada with respect to complaints, audits, and policy/legislative requirements; and
  • fulfills corporate planning and reporting obligations such as the CRA's annual reports to Parliament on the administration of the ATIA and the PA.

Marie-Claude Juneau is the director of the ATIP Directorate. She reports to the Assistant Commissioner of the Public Affairs Branch.

In 2010-2011, 79 employees were responsible for administering the ATIA and the PA. The ATIP Directorate is made up of two main divisions: 1) production and 2) program support (internal and CRA-wide) and training. In addition to its Headquarters office in Ottawa, the ATIP Directorate has two satellite offices—one in Vancouver and one in Montréal.

Delegation of responsibilities under the Privacy Act

As head of the Canada Revenue Agency (CRA), the Minister of National Revenue is responsible for the CRA's administration of the Privacy Act (PA) and for its compliance with TBS policy instruments. However, pursuant to section 73 of the PA, the Minister of National Revenue has the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the head's powers, duties, and functions under the PA.

The CRA's current Designation Order for the PA was signed by Gail Shea, Minister of National Revenue, on June 8, 2011. The Schedule associated with the Order identifies the specific provisions of the PA and its Regulations that the Minister has delegated to various positions within the CRA.

Generally, the ATIP Director, assistant directors, and managers of the production units sign off on PA and ATIA requests. Delegations are extended to assistant commissioners, although exercised only in exceptional cases, to enable them to make decisions about information under their respective mandates.

Schedule - Privacy Act

Officers authorized to perform the powers, duties, and functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations.

Paragraphs 8(2)(j) and (m); subsections 8(5) and 9(1); sections 14 to 16; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; and subsections 33(2), 35(1), and 35(4) of the Privacy Act; as well as section 9; subsections 11(2), 11(4), 13(1); and section 14 of the Privacy Regulations

  • Commissioner
  • Deputy Commissioner
  • Assistant commissioners
  • Chief Audit Executive and Director General Program Evaluation, Corporate Audit and Evaluation Branch
  • Director, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch
  • Assistant directors, ATIP Directorate, Public Affairs Branch
  • Managers, ATIP Directorate, Public Affairs Branch

Section 22.3 of the Privacy Act

  • Commissioner
  • Deputy Commissioner
  • Chief Audit Executive and Director General Program Evaluation, Corporate Audit and Evaluation Branch
  • Assistant Commissioner, Public Affairs Branch
  • Director, ATIP Directorate, Public Affairs Branch
  • Assistant directors, ATIP Directorate, Public Affairs Branch

Subsections 8(4) and 9(4); section 10; paragraph 51(2)(b); and subsection 51(3) of the Privacy Act

  • Commissioner
  • Deputy Commissioner
  • Assistant commissioners
  • Chief Audit Executive and Director General Program Evaluation, Corporate Audit and Evaluation Branch
  • Director, ATIP Directorate, Public Affairs Branch
  • Assistant directors, ATIP Directorate, Public Affairs Branch

Section 31 and subsections 37(3) and 72(1) of the Privacy Act

  • Commissioner
  • Deputy Commissioner
  • Assistant Commissioner, Public Affairs Branch
  • Director, ATIP Directorate, Public Affairs Branch
  • Assistant directors, ATIP Directorate, Public Affairs Branch

Operational Environment

The CRA collects extensive volumes of personal information under the Income Tax Act and the Excise Tax Act, as well as under various federal and provincial economic and social benefit programs. In addition, the CRA collects and manages the personal employment information for its more than 44,000 employees. Within this context, the ATIP Directorate must continually strive to keep an appropriate balance between privacy rights and overlapping and potentially conflicting legislation.

The ATIP Directorate is committed to strengthening privacy governance in accordance with the Office of the Privacy Commissioner's recommendations and the Treasury Board Secretariat's Policy Suite Renewal initiative. In 2010-2011, many projects were initiated towards this end:

  • A comprehensive plan was developed to address the Directorate's operational challenges through four key activities: communications, training, staffing, and efficiency measures.
  • CRA policy instruments were developed to strengthen privacy governance.
  • The CRA's privacy impact assessment process was revised to comply with the new TBS requirements.
  • An information-sharing protocol agreement was implemented between the CRA's ATIP and Security and Internal Affairs directorates.
  • The CRA completed consultations to benchmark its privacy practices against those of other government departments. These consultations highlighted procedural, process, and policy best practices for the CRA's consideration.

Communications

During the fiscal year, a communication strategy was developed to raise awareness about the Privacy Act (PA) throughout the CRA; to outline the role the ATIP Directorate plays in fulfilling the CRA's mandate; and to explain the manner in which key stakeholders can support this function.

Ensuring that Canadians are aware of how to access information and all the channels available to them is an ongoing priority of the ATIP Directorate. This year, in accordance with Management Accountability Framework requirements, the ATIP Directorate developed additional content for the CRA Web site. These Web pages:

  • provide the public with general information about formal PA request processes;
  • highlight how to request information formally and informally;
  • contain information about the CRA's practices for collecting, using, and disclosing personal information; and
  • include useful links.

In 2010-2011, the ATIP Directorate also revised the content on the CRA's Intranet site to further support CRA employees in fulfilling their roles and responsibilities related to privacy. Finally, a bi-monthly internal newsletter was launched to enhance horizontal collaboration and awareness among the ATIP Directorate's employees, and employees were encouraged to share ideas and raise questions through an ATIP Innovation mailbox.

Training

The ATIP Directorate recognizes the importance of training and awareness in fulfilling the CRA's obligations related to the PA. Towards this end, during fiscal 2010-2011, the ATIP Directorate created a formal training strategy to provide CRA employees with the training they need to do their job.

Since the beginning of the fiscal year, the ATIP Directorate gave 39 ATIP training and awareness sessions to 1,111 employees across Canada. Another 20 sessions were delivered to 402 managers through the CRA's Management Development Program. This represents a 27% increase for both audiences compared to fiscal 2009-2010. Additionally, the Legal Services Branch gave 4 training sessions to 67 employees on the application of ATIA and PA legislation and jurisprudence.

Staffing

Since ATIP professionals are in high demand across government, recruitment is an ongoing challenge. To build a strong ATIP function and retain ATIP professionals, the CRA recognizes that its ATIP employees must be well-supported and well-equipped to fulfill their roles.

In 2010-2011, the ATIP Directorate staffed numerous positions and reorganized its workload to meet production demands. For example:

  • A new unit was created to focus on eliminating backlog.
  • Senior analysts and technical reviewers were assigned to the processing units.
  • Term positions were converted to indeterminate in Vancouver.
  • New employees were staffed in key areas.

These staffing measures enhanced the ATIP Directorate's capacity to maximize its productivity and helped it retain employees. For the first time in four years, the number of requests completed by the ATIP Directorate exceeded the number of requests received, in spite of a notable increase in requests received in 2010-2011. In addition, the processing targets for reducing backlog exceeded the pre-April 2010 processing targets.

Efficiency measures

Key efficiency measures were undertaken in 2010-2011 to make the ATIP Directorate's operations sustainable over the longer term. These measures included:

  • implementing a new delegation authority that allowed managers to sign off on privacy requests;
  • revising communication tools to clarify the roles and responsibilities of CRA employees tasked with a privacy request;
  • developing and implementing an in-house e-redaction software product—a scanning and severing application that complements the ATIP workload tracking system—to reduce manual processes and paper consumption;
  • mapping and documenting key production processes to make them more efficient; and
  • initiating a pilot project in the Montréal satellite office to build and strengthen partnerships with the regions.

Strengthened Governance

Consultations

In 2009-2010, the ATIP Directorate developed a proposal for implementing a Chief Privacy Officer within the CRA—one that outlined a comprehensive governance structure and identified roles and responsibilities related to privacy management and leadership.

In response to recommendations from senior management, the ATIP Directorate undertook consultations with other government departments (OGDs) in 2010-2011. These consultations revealed that privacy governance structures vary widely among OGDs and highlighted a number of procedural, process, and policy best practices for the CRA to possibly implement.

The best privacy governance structure for the CRA is still being considered, since there are other entities (such as the recently appointed Chief Risk Officer) where evident collaborative opportunities exist. Such opportunities will be complemented by privacy policy instruments that clearly define roles, responsibilities, and accountabilities.

CRA policy instruments

In accordance with the TBS Policy Suite Renewal initiative, a suite of privacy policies was developed in consultation with key stakeholders—CRA branches, TBS, and the Office of the Privacy Commissioner. These policies are currently at the approval stage.

The policy instruments drafted by the CRA during 2010-2011 that set out CRA-wide requirements for compliance with the PA, the Privacy Regulations, and related TBS policy instruments are as follows:

  1. CRA Privacy Policy — Ensures that the CRA's privacy practices are fair, consistent with the PA and its regulations, as well as with TBS policy instruments, and managed within a strong privacy governance structure.
  2. CRA Privacy Practices Directive — Provides direction to CRA employees on the privacy practices that are required to respect privacy rights and properly manage and protect personal information and ensures that the proper framework is in place to allow individuals to exercise their rights of access to personal information.
  3. CRA Procedures for Privacy Impact Assessments (PIAs) — Describes the steps and actions approved by the CRA Commissioner on behalf of the Minister of National Revenue for the development and approval of PIAs within the CRA.
  4. CRA Procedures for Privacy Protocol — Describes the steps and actions for a CRA privacy protocol agreement.

Privacy Impact Assessments

During 2010-2011, the ATIP Directorate revised the PIA process in consultation with senior management and devised a PIA determination questionnaire to comply with the new TBS Directive on Privacy Impact Assessment. The new PIA process ensures that privacy considerations are addressed early on in the planning of new and modified programs in accordance with privacy legislation and TBS policy instruments.

Information-sharing protocol

In 2010-2011, the ATIP Directorate and the Security and Internal Affairs Directorate began sharing information on privacy breaches within the CRA in accordance with the information-sharing protocol between these two entities. The protocol outlines how the two areas of the CRA work together to resolve privacy related issues.

Conclusion

The CRA made significant strides in 2010-2011 by streamlining processes, implementing new technology and tools, and increasing workload capacity to meet its obligations and responsibilities under the PA.

Over the next year, the CRA will continue to strengthen its ATIP operations by:

  • rolling out communication and training products to increase privacy awareness and compliance;
  • expanding informal and proactive disclosure practices;
  • continuing to reduce the backlog by staffing in key areas; and
  • implementing additional efficiency measures.

Statistical Report – Interpretation and Explanation

Appendix A provides a statistical report on the PA for the 2010-2011 reporting period. The following explains and interprets the statistical information.

Requests under the Privacy Act

During the reporting period—April 1, 2010, to March 31, 2011—the CRA received 2,600 new privacy requests. This represents an increase of 517 requests (24%) over last year. Since 485 requests were carried forward from the 2009-2010 fiscal year, this resulted in a total of 3,085 active requests. The following table shows the number of requests received and completed by the CRA for the past five fiscal years:

| Fiscal year | Requests received | Requests completed | Pages reviewed |
|---|---|---|---|
| 2006–2007 | 1,912 | 1,971 | 314,374 |
| 2007–2008 | 1,406 | 1,355 | 340,217 |
| 2008–2009 | 1,553 | 1,447 | 392,173 |
| 2009–2010 | 2,083 | 1,973 | 371,766 |
| 2010–2011 | 2,600 | 2,767 | 725,741 |

The CRA also received and completed 51 PA consultation requests.

In addition, the ATIP Directorate's Program Support and Training Group responded to approximately 800 emails and 876 telephone enquiries from sources both internal and external to the CRA. Responses to enquiries include giving advice and guidance on processes and procedures relating to the PA or the ATIA and providing alternate contact information.

Disposition of requests

During the reporting period, the ATIP Directorate completed 2,767 privacy requests, which included reviewing 725,741 pages of records. The following table represents the disposition of these requests:

| Disposition | Number of requests | Percentage |
|---|---|---|
| Fully disclosed | 653 | 23.60% |
| Partially disclosed | 1,216 | 43.95% |
| Excluded in their entirety | 2 | 0.07% |
| Exempted in their entirety | 560 | 20.24% |
| Transferred to another institution | 6 | 0.22% |
| Unable to process | 73 | 2.64% |
| Abandoned by applicant | 257 | 9.29% |

Exemptions invoked

The following table identifies the number of requests in which the listed sections under the PA were invoked:

| Section | Description of the personal information | Number of requests | Percentage |
|---|---|---|---|
| 19 | Obtained in confidence from other governments | 48 | 1.73% |
| 20 | Could reasonably be expected to be injurious to the conduct by the Government of Canada of federal-provincial affairs | 1 | 0.04% |
| 21 | Disclosure could be injurious to the conduct of international affairs, the defence of Canada or an allied state, or pertain to subversive activities | 3 | 0.11% |
| 22 | Relative to law enforcement, investigations, or the security of institutions | 342 | 12.36% |
| 25 | Related to the safety of individuals | 1 | 0.04% |
| 26 | About another individual | 998 | 36.07% |
| 27 | Subject to solicitor-client privilege | 104 | 3.67% |

Exclusions cited

Exclusions were invoked 0 times under sections 69 and 70.

Completion time and extensions

The time frames for the 2,767 requests completed in 2010-2011 are shown in the following table:

| Completion time | Number of requests | Percentage |
|---|---|---|
| 30 days or under | 584 | 21.11% |
| 31 to 60 days | 869 | 31.41% |
| 61 to 120 days | 978 | 35.35% |
| 121 days or more | 336 | 12.14% |

The ATIP Directorate completed 2,231 (80.6%) requests within the legislated timeframe. This means that responses were provided within 30 calendar days or, where a time extension was claimed, within the extended deadline.

In addition, the ATIP Directorate claimed time extensions on 1,046 requests in 2010-2011. The extensions were claimed because meeting the original 30-day time limit would unreasonably interfere with the operations of the CRA or because consultations with third parties or other government institutions were required.

Translations

No translations were required to respond to requests for personal information during this reporting period.

Method of access

Of the 1,869 requests for which information was disclosed in full or in part, 1,856 of the applicants received copies of the release package. An additional 12 applicants got access by examining the release package and, where desired, got select copies of the releasable records. For more details, please refer to Appendix C.

Corrections and notation

Two requests were received to have personal information held within the CRA corrected.

Costs

During 2010-2011, the ATIP Directorate's estimated total cost to administer the PA was $3,523,579.29, excluding coordination support from the branches. For more details, please refer to Appendix A.

Privacy Impact Assessments

The following privacy impact assessments (PIAs) were submitted to the Office of the Privacy Commissioner through the ATIP Director:

1. Tax-free savings account

The tax-free savings account (TFSA) is a flexible, registered general purpose savings vehicle that allows Canadians to earn tax-free investment income to help meet lifetime savings needs. The PIA summarizes the nature of the program and associated activities, the business process, and the personal information data flows, including the context of applicable privacy policies and legislation and how privacy issues factored into the TFSA program design.

2. Registered disability savings plan

The registered disability savings plan (RDSP) helps Canadians with disabilities, and their families, save for the future. With written permission from the holder, anyone can contribute to an RDSP. The PIA was prepared to ensure that the CRA is complying with privacy requirements as outlined in the PA, the Income Tax Act, and TBS policies.

3. Charities – Public safety and anti-terrorism

The CRA's Review and Analysis Division is responsible for delivering the CRA's mandate under the Anti-Terrorism Act to prevent the abuse of registered charities with respect to financing terrorism. The PIA highlights the key points that demonstrate how privacy considerations have been factored into the development and implementation of the division.

At the link below, you will find summaries of all the PIAs completed by the CRA since the Privacy Impact Assessment Policy was implemented in May 2002.

www.cra.gc.ca/gncy/prvcy/pia-efvp/menu-eng.html

Disclosure Under Paragraph 8(2)(m) of the Privacy Act

During the reporting period, there were 30 disclosures made pursuant to paragraph 8(2)(m) of the PA.

Complaints, Investigations, and Federal Court Cases

During the reporting period, the CRA received complaints on 34 requests for personal information.

The CRA closed 29 complaints during 2010-2011. Ten of these complaints were not justified and 19 were justified.

The ATIP Directorate also received 8 complaints concerning alleged improper collection, use, and/or disclosure of personal information by the CRA. Details regarding these types of complaints are outlined in the table below:

| Outstanding from previous fiscal period | Received during fiscal year | Completed | Closing inventory |
|---|---|---|---|
| 9 | 8 | 5 | 12 |

Appendix A – Statistical report

Appendix B – Additional Reporting Requirements for 2010-2011

Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment Policy (which came into effect on May 2, 2002) and the Directive on Privacy Impact Assessment (which took effect on April 1, 2010) through a variety of means. Institutions are therefore required to report the following information for this reporting period:

  • Preliminary privacy impact assessments initiated: 6
  • Preliminary privacy impact assessments completed: 6
  • Privacy impact assessments initiated: 5
  • Privacy impact assessments completed: 3
  • Privacy impact assessments forwarded to the Office of the Privacy Commissioner: 3

Part III – Exemptions invoked

  • Paragraph 19(1)(e): 0
  • Paragraph 19(1)(f): 0
  • Section 22.1: 0
  • Section 22.2: 0
  • Section 22.3: 0

Part IV – Exclusions cited

  • Section 69.1: 0
  • Section 70.1: 0

Appendix C – Discrepancies

There is a discrepancy between the method of access number (1,868) and the number of records that were either disclosed or disclosed in part (1,869). The discrepancy is due to a data entry error in the CRA ATIP case management software. The software has since been updated to respond to the new TBS statistical requirements.

Date modified:
2010-06-17