2008-2009 Annual Report to Parliament - The Administration of the Privacy Act
Disclaimer
We do not guarantee the accuracy of this copy of the CRA website.
Scraped Page Content
2008-2009 Annual Report to Parliament - The Administration of the Privacy Act
Foreward
This Annual Report to Parliament is prepared under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered the Privacy Act (PA) for the 2008–2009 fiscal year.
Section 72 of the PA requires that the head of every government institution prepare and submit a report to Parliament, each year, on the administration of the PA.
This report details how the CRA carried out and fulfilled its obligations under the PA during the period April 1, 2008, to March 31, 2009. It also includes information on changes to program delivery and emerging issues that will require particular focus during the year ahead.
Privacy Act
The PA was proclaimed on July 1, 1983. The PA protects the privacy of individuals with respect to their personal information held by government institutions and provides individuals with a right of access to such information.
The “Code of Fair Information Practices” is based on the principle that every individual should have the right to know what information is being collected about him or her; how the information will be used, or to whom it will be disclosed; when and how the information will be disposed of; and how to get access to, and/or correct, personal information already on file. The CRA is committed to adhering to this code. The PA is intended to complement existing procedures for obtaining personal information. In accordance with this principle, the CRA encourages individuals to address informal requests for information directly to the appropriate branch, or regional office, or to the general enquiries line at 1-800-959-8281.
Table of contents
- Overview of the Canada Revenue Agency
- Access to Information and Privacy Directorate
- Delegation of responsibilities under the Privacy Act
- Statistical Report – Interpretation and Explanation
- Privacy Impact Assessment and Preliminary Privacy Impact Assessments
- Disclosures under Subsections 8(2)(e), (f), (g), and (m) of the Privacy Act
- Data matching
- Education and training
- Program development
- Complaints, investigations, and federal court cases
- Conclusion
- Appendix A – Statistical report
- Appendix B – Supplemental reporting requirements
Overview of the Canada Revenue Agency
The Canada Revenue Agency (CRA) is responsible for the administration of tax programs, as well as the delivery of economic and social benefits. It also administers certain provincial and territorial tax programs. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies to administer non-harmonized taxes and other services, at their request and on a cost-recovery basis. The CRA promotes compliance with Canada's tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.
The Minister of National Revenue is accountable to Parliament for all the CRA's activities, including the administration and enforcement of the Income Tax Act and the Excise Tax Act.
One of the key features of the CRA's innovative structure is a Board of Management, which is accountable to Parliament through the Minister of National Revenue. The Board consists of 15 members appointed by the Governor in Council, eleven of which have been nominated by the provinces and territories. The Board has the responsibility of overseeing the organization and management of the CRA, including the development of the Corporate Business Plan, and the management of policies related to resources, services, property, and personnel.
As the CRA's chief executive officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister's delegated authority. The Commissioner is accountable to the Board for the daily management of the CRA.
The CRA has a presence across the country. It is comprised of twelve Headquarters branches and five regional offices.
Headquarters branches
- Appeals
- Assessment and Benefit Services
- Compliance Programs
- Corporate Audit and Evaluation
- Corporate Strategies and Business Development
- Finance and Administration
- Human Resources
- Information Technology
- Legislative Policy and Regulatory Affairs
- Legal Services
- Taxpayer Services and Debt Management
- Public Affairs
Regional offices
- Atlantic
- Ontario
- Pacific
- Prairie
- Quebec
Access to Information and Privacy Directorate
The primary responsibility of the Access to Information and Privacy (ATIP) Directorate is to fulfill all legislative requirements of the Access to Information Act (ATIA) and the Privacy Act (PA) for the CRA. In addition, the Directorate provides policy advice and training to CRA employees with respect to their responsibilities and obligations under the ATIA and the PA.
Reporting to the Assistant Commissioner of the Public Affairs Branch, the Director of the ATIP Directorate, Marie-Claude Juneau, is the ATIP coordinator for the CRA. The Directorate has a total of 74 employees and consists of three main units—two responsible for production and quality assurance and the other a Program Support and Training Group providing strategic planning and corporate support. Each production unit has a satellite office in its reporting structure—one in Vancouver, the other in Montréal.
The responsibilities of the ATIP Directorate include, but are not limited to, providing services to the public, CRA officials, and other federal institutions and liaising with the Treasury Board Secretariat and the offices of the Information and Privacy Commissioners of Canada. Additionally, CRA ATIP officials provide guidance, policy advice, and training to CRA employees with respect to their obligations and duties under the ATIA and the PA.
- provides guidance on filing a formal request and explains the ATIP process;
- delivers a timely and complete response to each request;
- gives notice of the right of complaint regarding any matter related to the processing of a request;
- exercises leadership and direction in the execution and application of the ATIA and the PA;
- promotes awareness and provides training regarding the ATIA and the PA;
- gives advice regarding the release of records for an informal request;
- provides policy advice on ATIP-related CRA initiatives;
- develops corporate-wide ATIP-related policies and practices to guide access to information and records held by the CRA; and
- prepares the annual reports to Parliament on the CRA's administration of the ATIA and the PA.
Delegation of responsibilities under the Privacy Act
The President of the Treasury Board is a member of the Ministry responsible for the government-wide administration of the PA. The Minister of National Revenue, as the head of the CRA, is responsible for the administration of the PA. The Minister is allowed, under section 73 of the PA, to use a Designation Order to delegate responsibilities under the PA to other officials of the CRA.
The Minister must sign the Designation Order, which authorizes certain officials to exercise the powers, duties, and functions on the Minister's behalf. The current Designation Order gives signing authority for all relevant sections of the PA and its Regulations to the Commissioner, Deputy Commissioner, Assistant Commissioners, Deputy Assistant Commissioners, Chief Audit Executive and Director General Program Evaluation, and the Director and Assistant Directors of the ATIP Directorate. The managers within the ATIP Directorate also have signing authority for the release of all documents to which access has been requested, except those on which discretionary exemptions of the PA have been applied. It should be noted that the current practice within the CRA is to have the ATIP Director, Assistant Directors, and the managers of the Production Quality Assurance Units in Ottawa sign off on the majority of ATIA and PA requests processed in Headquarters. However, in the Montréal and Vancouver satellite offices, the managers of the Production Assurance Units and their respective Assistant Commissioners will sign off based on their delegated authority.
Statistical Report – Interpretation and Explanation
Appendix A provides a summarized statistical report on the PA for the 2008–2009 reporting period. The following is an explanation and interpretation of the statistical information.
Requests under the Privacy Act
During the reporting period April 1, 2008, to March 31, 2009, the CRA received a total of 1,553 new privacy requests. This represents an increase of 147 requests (10.4%) from last year, when we received 1,406 requests. Altogether 281 requests were carried forward from the 2007–2008 fiscal year, giving us a total of 1,834 active requests. The following shows the number of requests received and completed by the CRA for the past five fiscal years:
| Fiscal Year | Requests Received | Requests Completed | Pages Reviewed |
|---|---|---|---|
| 2004–2005 | 2,882 | 2,877 | 406,088 |
| 2005–2006 | 2,928 | 2,957 | 340,505 |
| 2006–2007 | 1,912 | 1,971 | 314,374 |
| 2007–2008 | 1,406 | 1,355 | 340,217 |
| 2008–2009 | 1,553 | 1,447 | 392,173 |
The CRA also received 100 PA consultation requests, of which it completed 98.
In addition, the Program Support and Training Group within the ATIP Directorate responded to approximately 700 email enquiries and 600 telephone enquiries from its various stakeholders, both internal and external to the CRA, concerning the ATIA and the PA. The group provides advice and guidance on ATIP processes and procedures as well as on the provision of appropriate alternate contact information.
Disposition of requests
Of the total inventory, the Directorate completed 1,447 PA requests during the reporting period, with 392,173 pages of documents reviewed. Disposition of the completed requests was as follows:
| Source | Number of Requests | Percentage (%) |
|---|---|---|
| Fully disclosed | 283 | 19.6 |
| Partially disclosed | 893 | 61.7 |
| Excluded in their entirety | 10 | 0.7 |
| Exempted in their entirety | 15 | 1.0 |
| Transferred to another institution | 4 | 0.3 |
| Unable to process | 107 | 7.4 |
| Abandoned by applicant | 131 | 9.0 |
| Treated informally | 4 | 0.3 |
Exemptions invoked
The ATIP Directorate invoked exemptions under the PA a total of 1,612 times, as follows:
| Sections | Description | Number of Requests | Percentage (%) |
|---|---|---|---|
| 18 | Records contained in an exempt bank | 544 | 33.7 |
| 19 | Records obtained in confidence from other levels of government | 52 | 3.2 |
| 21 | Records expected to be injurious to the conduct of international affairs and the defence of Canada or pertaining to subversive activities | 1 | 0.1 |
| 22 | Records containing law enforcement and investigation information or security of institutions | 298 | 18.5 |
| 24 | Records related to an individual sentenced for an offence | 1 | 0.1 |
| 26 | Records containing personal information | 644 | 39.9 |
| 27 | Records related to solicitor-client privilege | 72 | 4.5 |
Exclusions cited
Exclusions were invoked once under section 69 for confidences of the Queen's Privy Council for Canada.
Completion time and extensions
The 1,447 requests completed in 2008–2009 were completed in the following time frames:
| Completion Time | Number of Requests | Percentage (%) |
|---|---|---|
| Completion Time | Number of Requests | Percentage (%) |
| 30 days or less | 680 | 47.0 |
| 31 to 60 days | 508 | 35.1 |
| 61 to 120 days | 191 | 13.2 |
| 121 days or more | 68 | 4.7 |
The Directorate sought an extension to the prescribed time limit in 512 instances in order to consult with other government institutions or if meeting the original time limit would unreasonably interfere with the operations of the CRA.
Translation
No translations were required to respond to requests for personal information.
Method of access
Statistics compiled for this section are based solely on those 1,176 requests for which information was fully or partially disclosed. In six cases, applicants obtained access through a combination of copies and examination. In 1,170 cases, applicants received copies of the records they had requested.
Corrections and notation
No requests were received for correction of personal information held within the CRA.
Costs
During 2008–2009, the ATIP Directorate's estimated total cost to administer the PA was $1,903,405. For more details, please refer to Appendix A.
Privacy Impact Assessment and Preliminary Privacy Impact Assessments
This year, we used our tracking system to identify the CRA's proposed initiatives that could potentially result in a need for a Preliminary Privacy Impact Assessment (PPIA) and/or a Privacy Impact Assessment (PIA), for a total of 31 for this fiscal year.
During the reporting period, 15 PPIAs were initiated, 13 of which were completed and presented at the CRA's Oversight Review Committee (ORC), a Director General-level committee meeting held quarterly to provide corporate oversight on emerging privacy issues affecting the CRA. One PPIA was forwarded to the Office of the Privacy Commissioner (OPC) as a result of ongoing discussions between the responsible program branch and the OPC, resulting in the recommendation that a PIA be completed.
There were four PIAs initiated and reviewed by the ATIP ORC, but they have yet to be reviewed by the Strategic Development Committee (SDC). This new review process was implemented following recommendations from the Audit Report of the Privacy Commissioner of Canada. The SDC consists of 12 Assistant Commissioners of the Headquarters branches of the CRA; they meet quarterly. Part of their mandate is to review and approve PIAs before they are submitted to the OPC through the ATIP Director.
No new PIA summaries have been added to the CRA Web site as none were finalized during the reporting period. However, four are in the final metadata phase necessary for posting on the Web site, per the Treasury Board Secretariat Common Look and Feel Standards.
A summary of the results of a PIA conducted by the CRA since the PIA Policy was implemented in May 2002, is available at http://www.cra.gc.ca/gncy/prvcy/pia-efvp/menu-eng.html
Disclosures under Subsections 8(2)(e), (f), (g), and (m) of the Privacy Act
During the reporting period, there were 62 disclosures made pursuant to subsection 8(2)(e) of the PA.
The CRA did not have any disclosures pursuant to subsections 8(2)(f), (g), or (m) of the PA.
Data matching
There were 11 data-matching activities undertaken during 2008–2009, as follows:
- CRA Internal Disclosures
Data Matching: Validate/substantiate a disclosure of possible wrongdoing - Standard Payment System Conversion to Web Version
Data Matching: Verification/confirmation for payments and refunds - Nova Scotia Low Income Pharmacare for Children (NSLIPC)
Data Matching: Two-way data exchange process to identify successful matches for NSLIPC - Form T2050, Application to Register a Charity Under the Income Tax Act
Data Matching: To validate and confirm eligibility for granting charity status - eBay (Auction Web site Analysis System)
Data Matching: With taxpayer data to validate reported income - Secure Remote Access to Ontario Ministry of Revenue (OMoR) Systems
Data Matching: OMoR corporate taxpayer information with information filed federally - Views of T1 and Audit Information Pilot Project – Office Audit Program
Data Matching: Tax return, T-slips filed by third parties are matched to the information reported by the taxpayer - Trust Exam and Audit System
Data Matching: Information from various CRA source systems - T1 Data Mart – Database Version 2/Universal Database on Electronic Business Computing Infrastructure
Data Matching: Data validation and verification enquiries - Automated Benefits Application
Data Matching: Verification/confirmation for benefits - Laval Tax Services Office (Jacques Laroche Recherche Immobilière Inc.) Real Estate Transaction Database Initiative
Data Matching: Database from third-party service providers of real estate transactions in Quebec with CRA data
Education and training
During the 2008–2009 fiscal year, the ATIP Directorate continued to conduct training and awareness sessions for ATIP staff, CRA personnel, and representatives from other government departments. There were 20 training sessions delivered by the satellite offices in Montréal and Vancouver, with 400 participants. Headquarters staff conducted seven in-house ATIP training sessions for new and existing analysts and continued to deliver training to participants of the CRA's Management Group Learning Program, providing 10 sessions to 200 participants. Informal ATIP-related training was also given throughout the year.
Program development
Following recommendations from the Audit Report of the Privacy Commissioner of Canada, the ATIP Directorate began the process of defining the role and mandate of the Chief Privacy Officer for the CRA. Recommendations on the creation of this position will be forthcoming.
The ATIP Directorate continuously strives to adjust and re-align its structure to ensure the provision of an efficient and effective service to its stakeholders. One of the changes in the Directorate's structure underway in the 2008–2009 reporting period was the development of an Intake Unit. Full implementation of this unit is expected in the new fiscal year.
The Directorate also undertook an extensive review of its priorities, with a focus on an enhanced delivery of ATIP Awareness Training within the CRA. It has also made progress on improving the information-sharing protocol between the Security, Risk Management, and Internal Affairs Directorate and the ATIP Directorate.
Overview
As experienced by many other members of the ATIP community, the Directorate is constantly faced with the challenge of retaining experienced employees with significant corporate knowledge. The 2008–2009 fiscal year saw a significant turnover of key members of the ATIP Directorate. Following a successful hiring process, 10 new analysts (13.5% of the total ATIP staff) joined the Directorate and were provided with in-house training and courses offered by the Treasury Board Secretariat. Formal training was followed by a period of mentoring by experienced Directorate staff. An additional selection process for junior analyst positions was launched to address the Directorate's staff shortage.
Complaints, investigations, and federal court cases
The Office of the Privacy Commissioner (OPC) received 31 complaints concerning requests for personal information submitted and/or responded to by the CRA during the reporting period. Of that total, 15 complaints were closed during 2008–2009, resulting in 10 of them having a disposition of not justified.
The following shows the number of new complaints the Directorate received during the fiscal year from the OPC concerning alleged improper collection, use, and/or disclosure of personal information by the CRA.
| Outstanding From Previous Fiscal Period | Received During Fiscal Year | Completed | Closing Inventory |
|---|---|---|---|
| 33 | 7 | 16 | 24 |
Conclusion
The CRA's goal for fiscal year 2009–2010 is to continue to improve upon its processes and procedures in order to meet its obligations and responsibilities under the Access to Information Act and the Privacy Act.
To achieve this goal, we will further expand on our ATIP training function so that an increased number of CRA personnel can enhance their understanding of their responsibilities inherent under these acts. In addition, procedural and structural changes will be implemented in the ATIP Directorate to ensure that the CRA is positioned to maximize its opportunities to meet existing demands and to effectively manage future challenges.
Appendix A – Statistical report
Appendix B – Supplemental reporting requirements
Supplemental reporting requirements
Privacy Act
Treasury Board Secretariat is using a variety of means to monitor compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002). As such, the CRA is required to report the following information for the 2008–2009 reporting period.
Indicate the number of:
Preliminary Privacy Impact Assessments initiated: ____15____
Preliminary Privacy Impact Assessments completed: ____13____
Privacy Impact Assessments initiated: ____4____
Privacy Impact Assessments completed: ____0____
Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): ____1**____
**One PPIA was forwarded to the Office of the Privacy Commissioner. From that PPIA, a PIA was initiated.
If your institution did not undertake any of the activities noted above during the reporting period, this must be stated explicitly.
- Date modified:
- 2009-09-15