Security of taxpayer information

Table of contents

• Safeguards
• Legislative framework
• Related topics

The Canada Revenue Agency (CRA) takes the security of all taxpayer information very seriously. The CRA keeps a close watch on internal processes to prevent unlawful attempts to obtain tax information and to make sure that taxpayers’ rights are protected.

Safeguards

For the security of taxpayer information, the following policies and procedures are in place:

• Personnel screening – All prospective CRA employees are screened for security before employment.
• Employee awareness of their responsibilities – New employees are trained on their security obligations and security awareness information is regularly communicated to all employees. All CRA employees are subject to strict standards of conduct as defined in the CRA's Code of Ethics and Conduct.
• All taxpayer information is protected – Taxpayer information must be kept physically secure. Employees may not send taxpayer information by email or leave voice messages containing taxpayer information. Employees have to make sure information is shared only with the taxpayer concerned or with a third party only after the taxpayer has given written consent, except where the disclosure is authorized by law.
• Security markings on forms and documents – All CRA forms and documents containing taxpayer information are marked Protected. These markings help CRA employees make sure sensitive information is handled securely.
• Access to taxpayer information is on a need-to-know basis – CRA employees, such as taxpayer services personnel, auditors, investigators, and those handling income tax files, have only the levels of access to taxpayer information required to do their jobs.
• Regular risk assessment – The CRA performs regular risk assessments and internal audits to ensure its internal processes are secure.
• Suspected breaches of confidentiality of taxpayer information – If a taxpayer tells the CRA about a suspected breach of confidentiality of his or her personal information, the Agency can protect that taxpayer's account by disabling all online access whether it is My Account for Individuals, My Business Account, Represent a Client, NETFILE, or EFILE. Online access can later be restored at the taxpayer's request by calling the e-Services Helpdesk at 1-800-959-8281.
• Investigating possible breaches – CRA officers immediately and thoroughly investigate any security breach or allegation of unauthorized access or disclosure of taxpayer information. Any employee found to have acted inappropriately is subject to disciplinary action, up to and including the end of employment. Potential criminal acts are referred to the RCMP for investigation.

Legislative framework

The CRA’s legal obligation to safeguard the confidentiality and integrity of taxpayer information for which the CRA is responsible is stated in the following legislation:

• Income Tax Act
• Excise Tax Act
• Excise Act, 2001
• Privacy Act
• Access to Information Act

Under the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001, an employee may disclose taxpayer or confidential information to the person about whom the information relates. However, no employee can give that information to a third party without the written consent of the taxpayer, except where authorized by law to do so. Similarly, both the Privacy Act and the Access to Information Act do not allow the disclosure of personal information, except under circumstances as stated in the legislation.

Related topics

• Integrity and security at the CRA: Keeping taxpayer information safe
• Protect yourself against fraud
• Access online services safely

Date modified:

2017-05-04