2013-2014 Annual Report to Parliament on the Administration of the Privacy Act

Foreword

Each fiscal year, the head of every government institution has to prepare and submit to Parliament a report on the administration of the Privacy Act.

This annual report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the Privacy Act during the period from April 1, 2013, to March 31, 2014. It also discusses issues of interest related to program delivery, emerging trends, and areas of focus for the year ahead.

The Privacy Act

The Privacy Act came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing, and disposing of personal information held by government institutions. It also provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions and with rights of correction or annotation or both. Individuals who are dissatisfied with any matter related to a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other means of obtaining government information. The CRA encourages individuals and their representatives to consider obtaining information through the following informal methods:

  • topical indexes on the CRA Web site: www.cra.gc.ca/azindex/menu-eng.html
  • individual income tax enquiries (including requests for forms and publications): 1-800-959-8281
  • universal child care benefit, Canada child tax benefit and related provincial and territorial programs, child disability benefit, and children's special allowances enquiries: 1-800-387-1193
  • TTY (teletypewriter for persons who are deaf or hard of hearing or who have a speech impairment): 1-800-665-0354

Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies—at their request and on a cost-recovery basis—to administer non-harmonized taxes and other services. Overall, the CRA promotes compliance with Canada's tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The Minister of National Revenue is accountable to Parliament for all of the CRA's activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Canada Revenue Agency Act provides for the establishment of a Board of Management consisting of 15 directors appointed by the Governor in Council. They include the Chair, the Commissioner and Chief Executive Officer, a director nominated by each province, one director nominated by the territories, and two directors nominated by the federal government. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel, and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA’s operations, fosters sound management practices, and is committed to efficient and effective service delivery.

As the CRA's chief executive officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister's delegated authority. The Commissioner is accountable to the Board of Management for managing the CRA, supervising employees, and implementing policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA is made up of 12 branches and 5 regional offices across the country.

Branches

  • Appeals
  • Assessment and Benefit Services
  • Audit, Evaluation, and Risk
  • Compliance Programs
  • Finance and Administration
  • Human Resources
  • Information Technology
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Strategy and Integration
  • Taxpayer Services and Debt Management

Regions

  • Atlantic
  • Ontario
  • Pacific
  • Prairie
  • Quebec

Chief Privacy Officer

In March 2013, the Canada Revenue Agency (CRA) appointed its first chief privacy officer (CPO), a title held by the Assistant Commissioner of the Public Affairs Branch. The CPO has a broad mandate for privacy oversight at the CRA. To fulfill this mandate, the CPO:

  • oversees decisions related to privacy, including privacy impact assessments (PIAs);
  • champions personal privacy rights in accordance with legislation and policy, including managing internal privacy breaches; and
  • reports to the CRA’s senior management on the state of privacy management at the CRA at least twice a year.

The Access to Information and Privacy Directorate

The ATIP Directorate supports the CRA in meeting its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the ATIP Directorate:

  • responds to requests and enquiries under the Access to Information Act and the Privacy Act;
  • provides advice and guidance to CRA employees on requirements related to requests for, and the proper management and protection of, personal information under the CRA’s control;
  • coordinates privacy impact assessment processes within the CRA, including giving expert advice to CRA employees on privacy implications, risks, and options for avoiding or reducing risks;
  • gives training and awareness sessions on the Access to Information Act and the Privacy Act and the practices and requirements for managing personal information;
  • communicates with the Treasury Board Secretariat and the offices of the information and privacy commissioners of Canada about complaints, audits, and policy or legislative requirements; and
  • fulfills corporate planning and reporting obligations such as the CRA’s annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act.

The Director of the ATIP Directorate has the full delegated authority of the Minister of National Revenue, manages and coordinates the ATIP program, leads strategic planning and development initiatives, and supports the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer.

The ATIP Directorate is made up of two main divisions: processing, and program support and training (within the Directorate and CRA-wide). In addition to its Headquarters office in Ottawa, the ATIP Directorate has an office in Vancouver and an office in Montreal. In 2013-2014, 130 full-time employees were responsible for administering the Access to Information Act and the Privacy Act.

The Access to Information and Privacy Oversight Review Committee

The Access to Information and Privacy (ATIP) Oversight Review Committee is an executive-level committee with representatives from all CRA branches and regions. The Committee was established to ensure horizontal consultation, collaboration, and decision-making on emerging ATIP issues at the CRA. Among other responsibilities, the Committee reviews high-risk privacy impact assessments, identifies measures to support more effective administration of ATIP-related matters within the CRA, and champions ATIP-related activities within the CRA.

In 2013–2014, the membership of this committee was raised to assistant commissioner-level and the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer was appointed the Chair. These changes make sure ATIP matters are at the forefront for senior management at the CRA.

Delegation of responsibilities under the Privacy Act

As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers the Privacy Act and complies with the Privacy Regulations and Treasury Board Secretariat policy instruments. Section 73 of the Privacy Act gives the Minister of National Revenue the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the Minister’s powers, duties, and functions under the Act.

The CRA’s current delegation order for the Privacy Act was signed by the Minister of National Revenue on March 6, 2014. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.

The Access to Information and Privacy Director and assistant directors, as well as the managers of the processing units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, and the Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch.

Privacy Act

Designation Order

I, Kerry-Lynne D. Findlay, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders.

Kerry-Lynne D. Findlay
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 6th day of March, 2014

Schedule-Privacy Act

The positions authorized to perform the powers, duties, and functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations.

Commissioner

  • Full authority

Deputy Commissioner

  • Full authority

Assistant Commissioner, Public Affairs Branch (PAB) and Chief Privacy Officer

  • Full authority

Director, Access to Information and Privacy (ATIP) Directorate, PAB

  • Full authority

Assistant directors, ATIP Directorate, PAB

  • Full authority

Managers, ATIP Directorate, PAB

  • Paragraphs 8(2)(j) and (m); subsections 8(5) and 9(1); sections 14 to 16; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2), 35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations.

Statistical report (Appendix A) – Interpretation and explanation

Appendix A provides a statistical report on the CRA's activities under the Privacy Act for the 2013-2014 reporting period. The following explains and interprets the statistical information.

Requests under the Privacy Act

During this reporting period (April 1, 2013, to March 31, 2014), the CRA received 1,548 new privacy requests. This represents a decrease of 433 requests (21.8%) from last year’s total of 1,980. Since 228 requests were carried forward from 2012-2013, there was a total of 1,776 active requests.

The following table shows the number of privacy requests the CRA received and completed in the past five fiscal years.

Requests received and completed in the past five fiscal years

Fiscal year | Requests received | Requests completed | Pages processed
2009-2010 | 2,083 | 1,973 | 371,766
2010-2011 | 2,600 | 2,767 | 725,741
2011-2012 | 1,362 | 1,497 | 510,503
2012-2013 | 1,980 | 1,936 | 775,563
2013-2014 | 1,548 | 1,553 | 624,430

Other Requests

In 2013-2014, the ATIP Directorate closed 9 consultation requests from other government institutions and organizations. A total of 557 pages were reviewed to respond to these requests. (For more details on the consultations received from other government institutions and organizations, including disposition and completion times, see Part 6 of Appendix A.)

In addition, the ATIP Directorate’s Program Support and Training Division responded to 2,987 emails and 515 telephone enquiries from inside and outside the CRA. The responses to these enquiries included giving advice and guidance on processes and procedures relating to the Access to Information Act and the Privacy Act and providing alternate contact information.

Completion time and extensions

The chart that follows shows the completion time frames for the 1,553 requests completed in 2013-2014. For 561 (36.2%) of these requests, time extensions were taken because meeting the original 30-day time limit would have interfered unreasonably with operations, or because there was a need to consult others (for example, other individuals) or to translate the information requested.

Completion time

  • 931 in 30 days or under
  • 440 in 31 to 60 days
  • 118 in 61 to 120 days
  • 64 in 121 days or more

The ATIP Directorate completed 1,434 (92.3%) requests within the time frame required by law. This means that responses were provided within 30 calendar days or, if a time extension was taken, within the extended deadline.

Deemed refusals and complexities

Of the 1,553 requests closed during the reporting period, 119 were closed past the statutory deadline, resulting in a deemed refusal rate of 7.7%.

Although the CRA continues to strive toward a deemed refusal rate of zero, as has been recommended by the Offices of the Privacy Commissioner and the Information Commissioner, operational pressures make achieving this goal a challenge. Based on complexity criteria developed by the Treasury Board Secretariat, the CRA continues to handle a large number of requests that are considered to be complex based on the volume of pages to be processed. For the requests closed in 2013–2014, the CRA reviewed 624,430 pages. Of the 1,351 requests for which records were disclosed, 756 (55.96%) involved processing 100 pages or more, and 231 of these requests involved processing an average of 1,721 pages. Other requests were deemed complex because of the nature and sensitivity of the subject matter. (See table 2.5 of Appendix A for details.)

Disposition of requests

During the reporting period, the ATIP Directorate completed 1,553 requests following the provisions of the Privacy Act.

  • 399 were fully disclosed (25.69%)
  • 952 were partially disclosed (61.30%)
  • 4 were exempted in their entirety (0.26%)
  • 0 were excluded in their entirety (0%)
  • 42 resulted in no existing records (2.70%)
  • 156 were abandoned by requesters (10.05%)

For more details, see table 2.1 of Appendix A.

Exemptions

The Privacy Act allows and sometimes requires the refusal of access to information requested (for example, information about individuals other than the requester if consent is not provided). These types of refusals are called exemptions and they must be limited and specific to sections of the Privacy Act.

In 2013-2014, the CRA used the following sections of the Act to refuse access to information in full or in part for 956 (87%) of the 1,553 requests closed during the reporting period.

  • Section 19 – personal information obtained in confidence (applied to 36 requests)
  • Section 22 – law enforcement and investigation (applied to 377 requests)
  • Section 22.2 – Public Servants Disclosure Protection Act (applied to 1 request)
  • Section 25 – safety of individuals (applied to 5 requests)
  • Section 26 – information about another individual (applied to 825 requests)
  • Section 27 – solicitor-client privilege (applied to 161 requests)

Exclusions

The Privacy Act does not apply to information that is already publicly available, such as government publications and material in libraries and museums. It also excludes material such as Cabinet confidences.

There were no consultations on Cabinet confidences in 2013–2014.

Format of information released

The ATIP Directorate allows requesters to choose to receive their response package on CD or DVD. Providing documents electronically significantly reduces manual processes and paper consumption. In 2013–2014, of the 1,351 requests for which information was disclosed in full or in part, 55.7% (752 requests) were released in electronic format. This is a 4% increase over the previous reporting period. In total, 528,847 pages were reviewed, and 460,198 pages were released in electronic rather than paper format in 2013–2014.

The CRA respected the preferences of other requesters by providing 597 (44.2%) responses in paper format and 2 (0.2%) in other ways, such as viewing the information in a CRA reading room.

Requests for translation

The CRA translated records in response to five requests for translation in 2013-2014.

Corrections and notation

The CRA received one request to correct personal information, but this request was denied because no details or documents were provided to support the request.

Costs

During 2013–2014, the ATIP Directorate’s estimated total cost to administer the Privacy Act was $3,001,038, excluding significant coordination support from the branches and regions. For more details, see Appendix A.

Operational environment

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the Government of Canada’s largest repositories of personal information, second only to Employment and Social Development Canada. In addition, the CRA collects and manages the personal information for its workforce of approximately 40,000 individuals.

The trust Canadians place in the CRA to safeguard the privacy of their personal information is a cornerstone of the Agency's work. In 2013–2014, many projects were initiated to enhance the CRA’s privacy management framework.

Chief Privacy Officer Action Plan

The Chief Privacy Officer (CPO) acts as a central locus for oversight of privacy management at the CRA. In 2013–2014, to support the CPO in achieving her mandate, the ATIP Directorate developed a CPO action plan to make sure accountabilities, responsibilities, and activities related to privacy are reinforced and communicated across the CRA.

The CPO action plan recognizes that privacy management is a responsibility shared by all employees in all parts of the organization. It identifies key goals and assigns accountability for achieving these goals to specific areas within the CRA.

In 2014–2015, the ATIP Directorate will continue to work with the branches and regions to establish performance measures that can be used to monitor and report on progress against the goals and initiatives outlined in the action plan. These performance measures will be used to provide the CPO with a performance dashboard to continually assess the state of privacy management at the CRA.

Raising Awareness

The ATIP Directorate took steps to enhance CRA employees’ awareness of their privacy-related roles and responsibilities by participating in two awareness events: Data Privacy Day and Security Awareness Week.

For the third consecutive year, the CRA joined the Office of the Privacy Commissioner and many other institutions across Canada and the world to promote Data Privacy Day. This initiative highlights the effect that technology is having on privacy rights and underlines the importance of valuing and protecting personal information. The CRA’s activities focused on the role all CRA employees play in safeguarding personal information in their day-to-day jobs. Over a week-long period, the ATIP Directorate highlighted these responsibilities across the CRA and promoted the many tools available to support CRA employees in this regard.

The ATIP Directorate also participated in the CRA’s Security Awareness Week activities. Security Awareness Week was originally launched by the Treasury Board Secretariat and has become an annual opportunity for government departments to raise awareness about security topics, including those related to personal privacy (for example, identity theft).

In February 2014, as part of the CRA's participation in Security Awareness Week, the CRA’s Finance and Administration Branch organized activities for CRA employees, including an event at Library and Archives Canada. The ATIP Directorate contributed to this event by setting up an information kiosk on many privacy-related topics such as privacy impact assessments, privacy breaches, and the role of the Chief Privacy Officer at the CRA. The ATIP Director also had an opportunity to address the more than 400 participants who attended the event. Her presentation, “Think Privacy,” was designed to enhance employee understanding of how their everyday actions contribute to sound privacy management at the CRA.

Beyond these engagement opportunities, the ATIP Directorate also developed more targeted communications to support staff in fulfilling their ATIP-related responsibilities.

  • ATIP contacts: These are the CRA employees in the branches and regions who are tasked with responding to ATIP requests. They play a significant role in making sure the ATIP Directorate receives all the information it needs to process requests on time. In 2013–2014, the ATIP contacts were given more support to help them carry out this important role. Monthly emails and a quarterly teleconference were launched to share significant information with them and to let them seek clarification, voice their challenges, and share solutions with their colleagues.
  • Project managers: Many CRA employees support projects and program activities through planning, monitoring, and reporting. These employees need to be aware of their privacy-related obligations when it comes to project design and implementation. Toward this end, the ATIP Directorate created and promoted the Chief Privacy Officer corner on the CRA intranet. This corner includes a wide range of information, including a privacy toolkit.

Training

The ATIP Directorate provides targeted training to CRA employees about the requirements of, and their responsibilities under, the Access to Information Act and the Privacy Act. This training is tailored to respond to the needs of specific audiences. For instance, ATIP 101 training is given to those who have little or no knowledge of ATIP, and more specific training is given to subject matter experts (for example, training on how to respond to tasking requests for records).

In 2013–2014, ATIP training was given to 1,621 participants in 116 sessions across Canada. An additional 61 managers received training under the CRA’s management learning program. The ATIP Director and the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer also presented ATIP awareness sessions to 11 senior management committees across the CRA during the reporting period.

The CRA’s Legal Services Branch also provided 17 training sessions to 124 CRA employees. These sessions focused on preparing documents for release in CRA reading rooms, on ATIP legal awareness, and on ATIP for information technology specialists.

Privacy projects

In 2013–2014, the ATIP Directorate continued to strengthen privacy management through two projects: one on privacy notices and another concerning investigative body designations.

The Privacy Act requires that institutions use a privacy notice to tell individuals from whom they collect personal information why the information is being collected. The privacy notice must be inserted every time personal information is collected, whether it is on a paper or an electronic form, an online application, or another such medium. Treasury Board Secretariat policies set out the content such notices must contain.

In 2012–2013, the ATIP Directorate began reviewing CRA forms to determine the next steps to make sure the CRA is following all legislative and Treasury Board Secretariat policy requirements. During this reporting period, the ATIP Directorate continued to work with the Electronic and Print Media Directorate (the CRA’s publisher) and with program areas to make sure all CRA published documents contain the required privacy notice. Currently, the ATIP Directorate reviews all forms intended for publication to make sure the personal information bank number is correctly annotated.

The ATIP Directorate also continued its work with stakeholders to review and, if applicable, provide new or revised submissions to the Department of Justice Canada for investigative body designations under Schedules II and III of the Privacy Regulations. These schedules list investigative bodies of the federal government to which personal information may be disclosed for investigative purposes. Final submissions will be provided to the Department of Justice Canada in 2014–2015.

ATIP request and pay online

In 2013–2014, the CRA continued to participate in Treasury Board Secretariat-led discussions on the ATIP request and pay online initiative. This project delivers on a key commitment of the Government of Canada’s Open Government Action Plan: the modernization of access to information. It provides a convenient way for individuals to send and, when applicable, to pay for requests made under the Access to Information Act or the Privacy Act using the Internet.

The first phase of the project was launched in April 2011 with the Treasury Board Secretariat, Citizenship and Immigration Canada, and Shared Services Canada participating. In 2013–2014, the CRA undertook the necessary steps to be included in the next phase of the pilot project to be launched in April 2014. The CRA sees this as an opportunity to give requesters an additional option for making requests that is cost-effective and sustainable.

Monitoring request inventories

The CRA’s ATIP Directorate produces a monthly dashboard report that captures key statistical information about the CRA’s inventory of ATIP requests. This report shows the average times for each of the key phases of request processing (for example, intake, search and locate, and analysis). The report also provides statistical information about the number of time extensions taken, completion times, pages processed, complaints, and complaint disposition.

The ATIP Director uses this report to monitor trends, measure ATIP Directorate performance, and determine any process changes required to improve performance. The inventory is a regular agenda item for senior management meetings within the ATIP Directorate. As well, the ATIP Director keeps the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer informed about the inventory.

The CRA responds to requests for correction within the 30 days stipulated in the Privacy Regulations. The CRA received one request for correction in 2013–2014.

Privacy Breach Management

Effectively managing privacy breach incidents is a responsibility that is shared by the ATIP Directorate and the Security and Internal Affairs Directorate (SIAD) within the Finance and Administration Branch. In 2013–2014, the existing information-sharing protocol between these directorates was revised to clarify responsibilities related to managing privacy breach incidents. This revised protocol responds to a recommendation from the Office of the Privacy Commissioner to enhance the CRA’s privacy breach management process.

Under the revised protocol, SIAD must inform the ATIP Directorate of significant privacy breach incidents through its early notification process (as defined in the protocol). SIAD also must advise the ATIP Directorate that it is launching an investigation into an alleged privacy breach at the outset of investigations of employee misconduct involving privacy breaches, and within 30 days of an investigation being completed.

The Agency Security Officer is responsible for deciding whether affected individuals should be notified, and the ATIP Directorate must confirm that it agrees with this decision. When the ATIP Directorate disagrees with a decision about notifying affected individuals, the ATIP Director has to refer the case to the Chief Privacy Officer for a final decision.

The ATIP Directorate is responsible for notifying the Office of the Privacy Commissioner of CRA privacy breach incidents, and it does so according to the Treasury Board Secretariat’s Guidelines for Privacy Breaches. During 2013–2014, the CRA notified the Office of the Privacy Commissioner of 30 material privacy breach incidents related to unauthorized access and disclosure.

As a result of these incidents, the CRA revised its processes for handling misdirected mail and the Security and Internal Affairs Directorate enhanced communication with the ATIP Directorate on its evaluation of privacy breach incidents. These changes were made to support strengthened privacy breach management at the CRA.

Privacy impact assessments

The CRA’s program areas are required to consult with the ATIP Directorate in the planning stages of new or amended initiatives involving personal information in order to determine if a privacy assessment is necessary. In 2013–2014, the ATIP Directorate reviewed 77 initiatives and, as of March 31, 2014, there were 31 privacy assessments (PIAs or protocol assessments) in various stages of production. Five PIAs were completed and sent to the Office of the Privacy Commissioner for review. In line with the Treasury Board Secretariat’s Directive on Privacy Impact Assessment, the CRA releases summaries of completed PIAs on its website (www.cra.gc.ca/gncy/prvcy/pia-efvp/menu-eng.html). The following are summaries of the PIAs completed in 2013–2014:

Foreign Income Verification Statement (Form T1135)

The T1135, Foreign Income Verification Statement, filed by Canadian resident taxpayers who held specified foreign property during the year, will be expanded to include additional fields for new information, and as a result, additional data capture will be required for inclusion in the stand-alone Foreign Reporting Requirements Management System (FRRMS).

Personnel Security Screening - Reliability Status +

Personnel Security Screening plays a vital role within the CRA’s security program by ascertaining that all employees are appropriately screened based on the access to information and CRA premises required for the performance of their duties. All CRA employees must undergo security screening and must meet the security requirements of their position prior to being hired. Currently, there are two types of personnel screening: an assessment of reliability (which results in a Reliability Status), and an assessment of loyalty to Canada (which results in a security clearance at the Secret or Top Secret level).

While the CRA’s security screening program is robust and in line with all applicable legislation and Government of Canada policies and standards, an opportunity has been identified to further strengthen the program. As such, in addition to the current reliability status, the CRA’s Security and Internal Affairs Directorate is putting improvements into place through the development of a new level of security screening, Reliability Status +.

Reliability Status + would apply to designated positions, as approved by the Commissioner, demanding a high level of public trust and/or providing significant authority to make decisions or rulings that could impact on the efficiency or integrity of Agency operations and regulation, such as those that involve the performance of duties that relate to the administration or enforcement of tax-related legislation (e.g. Income Tax Act).

A valid Reliability Status would be a pre-requisite to Reliability Status +. The additional verifications are as follows:

  • Mandatory Fingerprinting
  • Mandatory Credit Check
  • Mandatory Law Enforcement Records Check
  • Mandatory Tax Compliance Verifications
  • Subject Interview, "for cause" in the case that the verifications uncover adverse information

In accordance with Treasury Board Secretariat policy instruments, the CRA initiated a privacy impact assessment (PIA) for the Reliability Status + security screening as its implementation will result in a substantial modification to CRA’s current security screening process.

Identity and Access Management

The CRA’s Security and Internal Affairs Directorate is currently establishing an Identity and Access Management (IAM) Program, and concurrently managing a multi-phased, multi-year project to optimize IAM business processes.

Identity and Access Management will standardize and automate enforcement of the rules and business processes used to manage employee access to CRA data. This will improve monitoring, auditing, and reporting to help ensure compliance with relevant legislation, security-related policies, standards, and best practices.

Contracting Integrity Verification Program

The program will help the CRA to decide whether or not to award or terminate CRA contracts with individuals or companies. This will be done through verification checks using Public Works and Government Services Canada’s integrity assessment database and, in some cases, through criminal record checks with the Royal Canadian Mounted Police.

Offshore Tax Informant Program

The 2013 Budget announced an initiative to encourage individuals to provide relevant information to CRA about instances of international tax evasion and avoidance. Through this new paid informant program, launched in January 2014 as the Offshore Tax Informant Program (OTIP), the CRA will enter into contracts with informants to provide financial rewards when the information that they provide to CRA leads to the assessment and collection of significant additional federal taxes (excluding penalties and interest) arising from international tax non-compliance.

The program’s primary objective is to encourage the participation of the public in the identification of major international tax non-compliance. The program will do this by offering graduated incentive rewards of 5% to 15% of the federal tax assessed and collected to individuals who come forward with credible information that leads directly to the assessment and collection of additional federal taxes in such cases. Among other requirements, there is a basic threshold: to qualify for a reward, the lead must result in the collection of more than $100,000 in additional taxes.

The PIA for this initiative covers the activities that relate to the collection and assessment of information from informants, eligibility for rewards, and related reviews and monitoring by an Oversight Committee. Information provided by informants under this program may or may not culminate in assessments, appeals, or collection activities.

Policies, guidelines, and procedures

ATIP manual

In October 2013, the ATIP manual was completed and released to employees of the ATIP Directorate. Its release represented the first major update and revision to the manual since 2007. The manual captures all of the major request processes and procedures and includes templates, guidance sheets, and other tools. The primary goal of the manual is to make sure analysts and managers follow a consistent approach when processing ATIP requests. It also supports the quality of processing and reduces the time spent training new employees. The manual is the primary resource tool for all analysts. The manual will be updated formally each year, and supplemented by interim technical bulletins, to make sure it continues to meet the needs of the ATIP Directorate.

Procedures on the disclosure of personal information under subsection 8(2) of the Privacy Act

Subsection 8(2) is the provision of the Privacy Act that outlines circumstances where disclosure of personal information may be made without consent. Recognizing the importance of consistent privacy practices at the CRA, the ATIP Directorate formed a working group to develop procedures for disclosing personal information under subsection 8(2). In 2013–2014, members representing all CRA branches and two CRA regions completed written procedures that outline the steps to follow for disclosing personal information related to employees and to non-tax information. For tax information, employees will be asked to follow the CRA’s existing Guidelines on the Use and Disclosure of Client Information. They will also be reminded that they should take into account general privacy policy principles when they disclose any personal information.

Consultations on the procedures are planned with the Office of the Privacy Commissioner, the Treasury Board Secretariat, and the Department of Justice Canada for 2014-2015. These procedures are expected to be finalized by the Agency in 2014–2015.

CRA Access to Information Policy

In 2012–2013, the ATIP Directorate began work on an access to information policy, as part of the CRA’s information management policy suite renewal strategy led by the Strategy and Integration Branch. In 2013–2014, the ATIP Directorate continued to develop this policy. By clearly outlining roles and responsibilities related to informal disclosure, the policy reinforces and responds to recommendations of the Office of the Information Commissioner and the Office of the Taxpayers’ Ombudsman to enhance and expand the CRA’s use of informal disclosure mechanisms.

During the reporting period, the policy was circulated to the ATIP Oversight Review Committee for feedback, and it was presented to the Public Affairs Advisory Committee in February 2014. In 2014–2015, the ATIP Directorate will continue working on this policy instrument and will work with stakeholders on additional measures that could be taken to support the CRA in fulfilling its obligations related to informal disclosure.

CRA privacy policy suite

The CRA Access to Information Policy will complement the CRA’s privacy policy suite, which has been in effect since April 4, 2012, and includes the CRA Privacy Policy, the CRA Privacy Practices Directive, and the CRA Procedures for Privacy Assessments. This policy suite was established to make sure the CRA’s privacy practices are fair and consistent with the governing requirements set out in the Privacy Act, the Privacy Regulations, and related policies of the Treasury Board Secretariat.

Complaints and investigations

During 2013–2014, the CRA received 21 complaints about requests made under the Privacy Act, which is a reduction of 51 (29.17%) from the 72 complaints received in the previous reporting period. As well, the CRA closed 49 complaints, 11 (28.95%) more than the 38 complaints closed in 2012–2013. The following chart details the disposition of the complaints closed during the fiscal year. (For definitions of the disposition categories, go to www.priv.gc.ca/cf-dc/def2_e.asp.)

Chart description: disposition of complaints closed

  • 1 (2%) discontinued
  • 42 (86%) not well-founded
  • 1 (2%) well-founded
  • 3 (6%) well-founded/resolved
  • 1 (2%) settled during the course of investigation
  • 1 (2%) resolved

The ATIP Directorate also received 125 complaints about alleged improper access, collection, use, or disclosure of personal information by the CRA. A breakdown of these complaints is outlined in the following table.


Outstanding from previous fiscal year | Received during fiscal year | Completed | Closing inventory
36 | 125 | 110 | 50

The CRA is aware that effectively managing privacy breaches is critical in maintaining public confidence in the integrity of the CRA. The CRA takes all breaches very seriously and is strengthening its controls and sanctions for unauthorized access and disclosure. (See “Privacy breach management” for details.)

Collaboration with oversight bodies

The CRA continues to work closely with the Office of the Privacy Commissioner and the Treasury Board Secretariat to strengthen privacy management at the CRA.

Office of the Privacy Commissioner of Canada audit

In 2012–2013, the Office of the Privacy Commissioner completed an audit of access controls at the CRA as a follow-up to its February 2009 audit, Privacy Management Frameworks of Selected Federal Institutions.

In issuing the report, the Office of the Privacy Commissioner recognized the improvements that the CRA has made over the past five years: “Since our last audit report in 2009, the CRA has made progress to strengthen its privacy and security policies and procedures, and to communicate its expectations to employees about the safeguarding of personal information. Agency plans are also underway to improve access rights management and to more closely monitor employee access to taxpayer information.”

The OPC also issued the following recommendations to continue enhancing the Agency's personal information sharing practices:

  1. The Canada Revenue Agency should define fully the role of the Chief Privacy Officer and monitor the implementation of the position’s mandate in terms of employee privacy awareness, privacy risk reduction and overall Agency compliance with the Privacy Act;
  2. Consistent with the Treasury Board Directive on Privacy Impact Assessments, the CRA should complete, review and approve privacy impact assessments prior to the implementation of any new program or initiative that may raise privacy risks to taxpayer information; and ensure that its ATIP Directorate is notified of all breaches as they are discovered.
  3. The Canada Revenue Agency should implement a Certification and Accreditation process that clearly assigns accountability and responsibility for the management of the process, as well as oversight to ensure CRA documentation is approved on time.

    The Canada Revenue Agency should also prioritize critical systems and all related applications to ensure they undergo the Certification and Accreditation process and Threat and Risk Assessments.
  4. The Canada Revenue Agency should:
    • ensure that its policies, practices and procedures are followed to manage local applications and adequate safeguards are used to protect the taxpayer information they contain;
    • ensure that its Local Application Repository is reviewed regularly for completeness, accuracy and currency; and
    • follow-up at each stage of the review and quality assurance processes and ensure that all local applications are approved by delegated officials before implementation.
  5. The Canada Revenue Agency should continue to enhance its Identity and Access Management System controls to ensure that employee access is limited to only that information required to carry out their job functions, based on the need-to-know principle.
  6. The Canada Revenue Agency should review existing generic user IDs, ones shared by several individuals working on the same project or activity, to determine whether they are required, authorized and controlled; and should delete all IDs that are not in use. The Canada Revenue Agency should also ensure that all generic user IDs are subject to established review and approval processes.
  7. The Canada Revenue Agency should continue to strengthen its audit logging system and process and the Agency should incorporate risk assessment tools to flag potentially inappropriate employee activities on its systems.
  8. The Canada Revenue Agency should ensure adequate measures are in place to mitigate the risks associated with developer access to taxpayer information in test environments. (A non-operational “test environment” is used by information technology staff to develop and test systems before they are used to process tax returns in the regular business or “operational environment”.)

    The Canada Revenue Agency should also rigorously control, track and monitor transfers of taxpayer information from operational to test environments.
  9. Consistent with Treasury Board Guidelines for Privacy Breaches, the Canada Revenue Agency should ensure that the Access to Information and Privacy Directorate is notified of all breaches as they are discovered.

The CRA agreed with all of the Office of the Privacy Commissioner’s recommendations, and created action plans to address each of the recommendations. Many of the initiatives outlined within these plans have already been completed. For instance, the CRA has reviewed its Local Applications Repository, and the procedures and safeguards associated with it, and enhanced controls to reduce the number of generic accounts in the Agency. Privacy breach management has also been enhanced through strengthened communication between the Security and Internal Affairs Directorate and the ATIP Directorate. (See “Privacy breach management” for details.) Overall, the CRA remains on target to complete all activities by 2015-2016.

As part of her reporting requirements, the Chief Privacy Officer will give regular updates on progress against these deliverables in her biannual reports to the Agency Management Committee.

Conclusion

The CRA takes privacy and the safeguarding of personal information very seriously. In 2014–2015, the CRA will continue to strengthen its operations and privacy governance by:

  • delivering targeted communications and training to key internal and external audiences with an emphasis on informal and proactive disclosure and privacy management;
  • monitoring and evaluating performance to address ATIP challenges promptly;
  • implementing the Chief Privacy Officer Action Plan to make sure privacy accountabilities, responsibilities, and activities are formalized and communicated; and
  • implementing more efficiency measures.

Appendix A — Statistical report

Name of institution: Canada Revenue Agency

Reporting period: April 1, 2013 to March 31, 2014

Part 1 – Requests under the Privacy Act

Number of requests
Type of Requests Number of Requests
Received during reporting period 1,548
Outstanding from previous reporting period 228
Total 1,776
Closed during reporting period 1,553
Carried over to next reporting period 223

Part 2 – Requests closed during the reporting period

Disposition and completion time
Disposition of requests 1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
All disclosed 86 259 47 3 1 3 0 399
Disclosed in part 44 352 390 112 18 27 9 952
All exempted 0 1 1 1 0 1 0 4
All excluded 0 0 0 0 0 0 0 0
No records exist 15 20 1 2 0 4 0 42
Request abandoned 151 3 1 0 0 1 0 156
Total 296 635 440 118 19 36 9 1,553
Exemptions
Section Number of requests
18(2) 0
19(1)(a) 9
19(1)(b) 1
19(1)(c) 24
19(1)(d) 2
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 13
22(1)(a)(ii) 16
22(1)(a)(iii) 0
22(1)(b) 348
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 1
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 5
26 825
27 161
28 0
Exclusions
Section Number of requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
Format of information released
Disposition Paper Electronic Other formats
All disclosed 267 131 1
Disclosed in part 330 621 1
Total 597 752 2

2.5 Complexity

Relevant pages processed and disclosed
Disposition of requests Number of pages processed Number of pages disclosed Number of requests
All disclosed 23,834 23,834 399
Disclosed in part 594,626 524,773 952
All exempted 2,482 0 4
All excluded 0 0 0
Request abandoned 5,880 5,877 156
Total 626,822 554,484 1,511
Relevant pages processed and disclosed by size of requests
Disposition | Number of requests with less than 100 of processed pages | Pages disclosed from less than 100 of processed pages | Number of requests with 101-500 of processed pages | Pages disclosed from 101-500 of processed pages | Number of requests with 501-1000 of processed pages | Pages disclosed from 501-1000 of processed pages | Number of requests with 1001-5000 of processed pages | Pages disclosed from 1001-5000 of processed pages | Number of requests with more than 5000 of processed pages | Pages disclosed from more than 5000 processed pages
All disclosed | 338 | 9,291 | 58 | 10,971 | 2 | 1,511 | 1 | 2,061 | 0 | 0
Disclosed in part | 257 | 12,510 | 467 | 115,825 | 109 | 75,062 | 110 | 212,064 | 9 | 109,312
All exempted | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Abandoned | 152 | 0 | 3 | 901 | 0 | 0 | 1 | 4,976 | 0 | 0
Total | 751 | 21,801 | 528 | 127,697 | 111 | 76,573 | 112 | 219,101 | 9 | 109,312
Other complexities
Disposition Consultation required Legal Advice Sought Interwoven Information Other Total
All disclosed 1 0 1 0 2
Disclosed in part 1 1 2 8 12
All exempted 1 0 0 0 1
All excluded 0 0 0 0 0
Abandoned 0 0 6 18 24
Total 3 1 9 26 39

2.6 Deemed refusals

Reasons for not meeting statutory deadline
Number of requests closed past the statutory deadline Workload External consultation Internal consultation Other
119 94 6 3 16
Number of days past deadline
Number of days past deadline Number of requests past deadline where no extension was taken Number of requests past deadline where an extension was taken Total
1 to 15 days 2 22 24
16 to 30 days 1 17 18
31 to 60 days 1 12 13
61 to 120 days 3 16 19
121 to 180 days 1 9 10
181 to 365 days 1 27 28
More than 365 days 4 3 7
Total 13 106 119
Requests for translation
Translation Requests Accepted Refused Total
English to French 4 0 4
French to English 1 0 1
Total 5 0 5

Part 3 – Disclosures under subsection 8(2)

Disclosures under subsection 8(2)
Paragraph 8(2)(e) Paragraph 8(2)(m) Total
0 0 0

Part 4 – Requests for correction of personal information and notations

Requests for correction of personal information and notations
Type of Requests Number
Requests for correction received 1
Requests for correction accepted 0
Requests for correction refused 1
Notations attached 0

Part 5 – Extensions

Disposition of requests where an extension was taken
Disposition of requests where an extension was taken | 15(a)(i) Interference with operations | 15(a)(ii) Consultation, Section 70 | 15(a)(ii) Consultation, Other | 15(b) Translation or conversion
All disclosed | 45 | 0 | 0 | 0
Disclosed in part | 504 | 0 | 4 | 6
All exempted | 3 | 0 | 0 | 0
All excluded | 0 | 0 | 0 | 0
No records exist | 8 | 0 | 0 | 0
Request abandoned | 1 | 0 | 0 | 0
Total | 561 | 0 | 4 | 6
Length of extensions
Length of extensions | 15(a)(i) Interference with operations | 15(a)(ii) Consultation, Section 70 | 15(a)(ii) Consultation, Other | 15(b) Translation purposes
1 to 15 days | 19 | 0 | 1 | 0
16 to 30 days | 542 | 0 | 3 | 6
Total | 561 | 0 | 4 | 6

Part 6 – Consultations received from other institutions and organizations

Consultations received from other government institutions and organizations
Consultations Other government institutions Number of pages to review Other organizations Number of pages to review
Received during the reporting period 7 314 1 3
Outstanding from the previous reporting period 2 243 0 0
Total 9 557 1 3
Closed during the reporting period 9 557 1 3
Pending at the end of the reporting period 0 0 0 0
Recommendations and completion time for consultations received from other government institutions
Recommendation 1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 1 1 0 0 0 0 0 2
Disclose in part 3 2 0 1 0 0 0 6
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 1 0 0 0 0 1
Total 4 3 1 1 0 0 0 9
Recommendations and completion time for consultations received from other organizations
Recommendation 1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 1 0 0 0 0 0 0 1
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 1 0 0 0 0 0 0 1

Part 7 – Completion time of consultations on Cabinet confidences

Completion time of consultations on Cabinet confidences
Number of days Number of responses received Number of responses received past deadline
1 to 15 0 0
16 to 30 0 0
31 to 60 0 0
61 to 120 0 0
121 to 180 0 0
181 to 365 0 0
More than 365 0 0
Total 0 0

Part 8 – Resources related to the Privacy Act

Costs
Expenditures Amount ($)
Salaries $2,722,487
Overtime $24,851
Goods and Services - Contracts for privacy impact assessments $237,575
Goods and Services - Professional services contracts $16,125
Goods and Services - Other $0
Total $3,001,038
Human Resources
Resources Dedicated full-time Dedicated part-time Total
Full-time employees 45 0 45
Part-time and casual employees 0 0 0
Regional staff 0 0 0
Consultants and agency personnel 2 1 3
Students 0 0 0
Total 47 1 48
Completed Privacy Impact Assessments
Institution Number of completed privacy impact assessments
Canada Revenue Agency 5
Date modified: 2014-08-21