Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies—at their request and on a cost-recovery basis—to administer non-harmonized taxes and other services. Overall, the CRA promotes compliance with Canada's tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The Minister of National Revenue is accountable to Parliament for all of the CRA's activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Canada Revenue Agency Act provides for the establishment of a Board of Management consisting of 15 directors appointed by the Governor in Council. They include the Chair, the Commissioner and Chief Executive Officer, a director nominated by each province, one director nominated by the territories, and two directors nominated by the federal government. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel, and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA’s operations, fosters sound management practices, and is committed to efficient and effective service delivery.

As the CRA's chief executive officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister's delegated authority. The Commissioner is accountable to the Board of Management for managing the CRA, supervising employees, and implementing policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA is made up of 12 branches and 5 regional offices across the country.

Branches

• Appeals
• Assessment and Benefit Services
• Audit, Evaluation, and Risk
• Compliance Programs
• Finance and Administration
• Human Resources
• Information Technology
• Legal Services
• Legislative Policy and Regulatory Affairs
• Public Affairs
• Strategy and Integration
• Taxpayer Services and Debt Management

Regions

• Atlantic
• Ontario
• Pacific
• Prairie
• Quebec

The Access to Information and Privacy Directorate

The Access to Information and Privacy (ATIP) Directorate supports the CRA in meeting its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the ATIP Directorate:

• responds to requests and enquiries under the Access to Information Act and the Privacy Act;
• provides advice and guidance to CRA employees on requirements related to requests for, and the proper management and protection of, personal information under the CRA’s control;
• coordinates privacy impact assessment processes within the CRA, including giving expert advice to CRA employees on privacy implications, risks, and options for avoiding or reducing risks;
• gives training and awareness sessions on the Access to Information Act and the Privacy Act and the practices and requirements for managing personal information;
• communicates with the Treasury Board Secretariat and the offices of the information and privacy commissioners of Canada about complaints, audits, and policy or legislative requirements; and
• fulfills corporate planning and reporting obligations such as the CRA’s annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act.

Marie-Claude Juneau is the Director of the ATIP Directorate. She reports to the Assistant Commissioner of the Public Affairs Branch.

In 2012-2013, 124 full-time employees were responsible for administering the Access to Information Act and the Privacy Act. The ATIP Directorate is made up of two main divisions: production, and program support and training (within the Directorate and CRA-wide). In addition to its Headquarters office in Ottawa, the ATIP Directorate has an office in Vancouver and an office in Montréal.

The Access to Information and Privacy Oversight Review Committee

The Access to Information and Privacy Oversight Review Committee is an executive-level committee with representatives from CRA branches. The Committee leads the senior horizontal review of emerging access to information and privacy issues that could affect the CRA. The Committee reviews privacy impact assessments and examines federal government policies and initiatives that pertain to access to information and privacy at the CRA. In 2012-2013, the terms of reference for the Committee were revised.

Delegation of responsibilities under the Privacy Act

As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers the Privacy Act and complies with Treasury Board Secretariat policy instruments. Section 73 of the Privacy Act gives the Minister of National Revenue the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the Minister’s powers, duties, and functions under the Act.

The CRA’s current delegation order for the Privacy Act was signed by Gail Shea, Minister of National Revenue, on March 28, 2013. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.

The Privacy Act delegation order was revised in 2012-2013 to be consistent with changes made to the Access to Information Act delegation order as per the Office of the Information Commissioner of Canada’s recommendation to “Ensure that the Minister of National Revenue further amend the delegation order to ensure greater autonomy of the access to information coordinator.” The change involved removing delegated authority from all assistant commissioners with the exception of the Assistant Commissioner of the Public Affairs Branch.

The Access to Information and Privacy director and assistant directors, as well as the managers of the production units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, and the Assistant Commissioner, Public Affairs Branch.

Schedule – Privacy Act

Officers authorized to perform the powers, duties, and functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations.

Paragraphs 8(2)(j) and (m); subsections 8(5) and 9(1); sections 14 to 16; paragraphs 17(2)(b) and 17(3)(b), subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2), 35(1) and 35(4) of the Privacy Act; and section 9; subsection 11(2), 11(4), 13(1); and section 14 of the Privacy Regulations

• Commissioner
• Deputy Commissioner
• Assistant Commissioner, Public Affairs Branch
• Director, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch
• Assistant directors, ATIP Directorate, Public Affairs Branch
• Managers, ATIP Directorate, Public Affairs Branch

Section 22.3 of the Privacy Act

• Commissioner
• Deputy Commissioner
• Assistant Commissioner, Public Affairs Branch
• Director, ATIP Directorate, Public Affairs Branch
• Assistant directors, ATIP Directorate, Public Affairs Branch

Subsections 8(4) and 9(4); section 10; paragraph 51(2)(b) and subsection 51(3) of the Privacy Act

• Commissioner
• Deputy Commissioner
• Assistant Commissioner, Public Affairs Branch
• Director, ATIP Directorate, Public Affairs Branch
• Assistant directors, ATIP Directorate, Public Affairs Branch

Section 31, subsections 37(3) and 72(1) of the Privacy Act

• Commissioner
• Deputy Commissioner
• Assistant Commissioner, Public Affairs Branch
• Director, ATIP Directorate, Public Affairs Branch
• Assistant directors, ATIP Directorate, Public Affairs Branch

Statistical report – Interpretation and explanation

Appendix A provides a statistical report on the Privacy Act for the 2012‑2013 reporting period. The following explains and interprets the statistical information.

Requests under the Privacy Act

During the period April 1, 2012, to March 31, 2013, the CRA received 1,980 new privacy requests. This represents an increase of 618 requests (45%) over the previous year. Since 184 requests were carried forward from 2011‑2012, there was a total of 2,164 active requests.

The following table shows the number of privacy requests the CRA received and completed in the past five fiscal years.

Requests received and completed in the past five fiscal years

Fiscal year	Requests received	Requests completed	Pages processed
2008-2009	1,553	1,447	392,173
2009-2010	2,083	1,973	371,766
2010-2011	2,600	2,767	725,741
2011-2012	1,362	1,497	510,503
2012-2013	1,980	1,936	775,563

In addition, the ATIP Directorate’s Program Support and Training Division responded to 1,146 emails and 664 telephone enquiries from inside and outside the CRA. The responses to these enquiries included giving advice and guidance on processes and procedures relating to the Access to Information Act and the Privacy Act and providing alternate contact information.

Disposition of requests

During the reporting period, the ATIP Directorate completed 1,936 privacy requests, which included reviewing 775,563 pages of records. The following table shows the disposition of the requests.

Disposition of requests

Disposition	Number of requests	Percentage
All disclosed	396	20.45%
Disclosed in part	1,143	59.04%
All exempted	7	0.36%
All excluded	0	0%
No records exist	167	8.63%
Request abandoned	223	11.52%

For more details, including completion times, see Appendix A.

Exemptions

The following table shows the number of requests in which the listed sections under the Privacy Act were invoked. The percentage refers to the frequency with which a specific exemption was applied to files. The total percentage exceeds one-hundred percent, because more than one exemption may be applied to individual files.

Exemptions

Section	Description	Number of requests	Percentage
19	Personal information obtained in confidence	29	2.11%
22	Law enforcement and investigation	567	41.30%
25	Safety of individuals	1	0.07%
26	Information about another individul	902	65.70%
27	Solicitor-client privilege	131	9.54%

Exclusions

There were no exclusions cited.

Format of information released

In 2011-2012, the Montréal ATIP office launched a pilot project that gave requesters the choice of receiving their response package on CD or DVD. In 2012-2013, this project was extended to the Ottawa and Vancouver ATIP offices. Providing documents electronically significantly reduced manual processes and paper consumption. Of the 1,539 privacy requests for which information was disclosed in full or in part, 52% had the information released electronically and 47% had the information released on paper. Another 1% was released through other formats, for example, through public viewing of the material in a CRA reading room.

Complexity of requests

The Treasury Board Secretariat has developed criteria to determine the level of complexity associated with privacy requests. Based on these criteria, privacy requests that require large page volumes (more than 100 pages) to be processed and those that involve sensitive subject matter to be analyzed are considered more complex to process.

Of the privacy requests for which records were disclosed during 2012-2013, 55% involved processing 100 pages or more, and 11 of these requests involved processing an average of 13,794 pages. Moreover, many requests involving 100 pages or less were also considered complex because of the subject matter and sensitivity of the file. For more details, see Appendix A.

Deemed refusals

Of the 1,936 requests that were closed during 2012-2013, 144 (or 7%) were closed past the statutory deadline for reasons including workload capacity and external and internal consultations.

Requests for translation

No translations were needed to respond to privacy requests during the fiscal year.

Completion time and extensions

The following chart outlines the completion time frames for the 1,936 requests processed in 2012-2013.

The ATIP Directorate completed 1,792 (93%) privacy requests within the time frame required by law. This means that responses were provided within 30 calendar days or, when an extension was claimed, within the extended deadline.

The ATIP Directorate claimed extensions on 868 privacy requests in2012-2013. Extensions were applied because meeting the original 30-day time limit would have interfered unreasonably with operations or because the CRA needed to consult with third parties or other government institutions.

Corrections and notation

The CRA received two requests to correct personal information. Both requests were refused because the personal information originated from another institution.

Consultations

During 2012-2013, the ATIP Directorate closed 29 consultation requests from other government institutions and organizations. A total of 908 pages were reviewed to respond to these requests. Another 2 consultation requests were carried forward to the 2013-2014 fiscal year.

For more details on the consultations received from other government institutions and organizations, including disposition and completion times, see Appendix A.

Completion time of consultations on Cabinet confidences

There were no consultations on Cabinet confidences in 2012-2013.

Costs

During 2012-2013, the ATIP Directorate’s estimated total cost to administer the Privacy Act was $3,715,900.00, excluding coordination support from the branches. For more details, see Appendix A.

Operational environment

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the Government of Canada’s largest repositories of personal information. Outside of Human Resources and Skills Development Canada, no other institution retains as much information about Canadians as the CRA. In addition, the CRA collects and manages the personal information for its workforce of more than 40,000 individuals.

One of the cornerstones of the CRA is the trust Canadians place in it to safeguard the privacy of their personal information. In 2012-2013, many projects were initiated to enhance the CRA’s privacy management framework.

These projects formed part of a larger multi-year improvement plan developed within the Directorate to enhance its ATIP performance. The plan focuses on implementing specific activities in four key areas:

• communications
• training
• staffing
• efficiency measures

In 2012-2013, the CRA continued to roll out key activities outlined in this plan.

Communications

In 2012-2013, the ATIP Directorate undertook a wide range of communications activities to support and promote effective privacy management across the CRA, as well as to inform Canadians about ways to access personal information from the CRA. Below is a summary of some of the key activities completed in 2012‑2013.

Data Privacy Day

Data Privacy Day is an annual international initiative promoted in Canada by the Office of the Privacy Commissioner of Canada. A key goal of Data Privacy Day is to raise awareness about the importance of properly protecting and handling personal information.

The ATIP Directorate and the Security and Internal Affairs Directorate jointly organized Data Privacy Day 2013 at the CRA. The theme was “Privacy breaches – What do I need to know?”

A wide range of activities were undertaken to promote the day over a week-long period, including:

• Delivery of awareness sessions to 1,294 employees on privacy breach management.
• Roll-out of a customized intranet site to inform staff about privacy breaches, and what to do if they happen. This site also included a listing of CRA tools to support employees in the day-to-day fulfillment of their privacy responsibilities at the CRA.
• Posting of a billboard on branch and regional intranet sites to raise awareness about the internal Data Privacy Day Web page.
• Distribution of a national email to all CRA staff to raise awareness of the week’s activities.
• A screen saver promoting the week appeared on all CRA employees’ computers during the week.

Internal communications

In 2012-2013, the ATIP Directorate paid particular attention to key audiences within the CRA that can support the Directorate in achieving its mandate.

• ATIP contacts: these are the employees who are tasked with responding to ATIP requests. They play a significant role in making sure the ATIP Directorate receives all the information it needs to process requests on time. In 2012-2013, the ATIP contacts were given more support to help them fulfill this important role. Monthly emails and a quarterly teleconference were launched to share significant information with them and to let them seek clarification, voice their challenges and share solutions with their colleagues.
• Senior management: fulfillment of legislative obligations related to the Access to Information Act and the Privacy Act is a shared responsibility that requires the ongoing support of all parts of the CRA. In this regard, senior management play a significant role in making sure that leadership is in place to address ATIP‑related challenges at the CRA. In the fall of 2012-2013, as part of the CRA’s efforts to address recommendations made by oversight bodies, the Public Affairs Branch began meeting with the senior management of branches and regions to highlight how these areas could help the CRA address its challenges related to formal and informal disclosure and privacy management at the CRA. Ten presentations were completed at the end of the fiscal year; the remainder will take place in the first quarter of fiscal year 2013-2014.

CRA intranet

An ongoing priority for the ATIP Directorate is to make sure all CRA employees have the tools they need to fulfill their privacy-related responsibilities. In 2012‑2013, the ATIP Directorate continued to update its intranet site to include online tools for all CRA stakeholders. This included:

• revamping the privacy content to include a toolkit for privacy practices, including publishing a fillable Privacy Assessment Determination Questionnaire;
• adding electronic versions of previously released communications (to provide easy access to them); and
• adding more Treasury Board Secretariat guidance documents about privacy-related issues.

CRA Web site

To help Canadians, both in exercising their right of access to their personal information and to give them more information on how the CRA is protecting and managing their personal information, the ATIP Directorate continually monitors and updates the CRA Web site. Additionally, the ATIP Directorate continues to publish privacy impact assessment summaries, as required by the Treasury Board Secretariat’s Directive on Privacy Impact Assessment.

Internal engagement

Fulfilling privacy obligations requires ongoing support from all parts of the CRA. Toward this end, the ATIP Directorate continued to consult with the ATIP Oversight Review Committee in 2012-2013 to discuss privacy issues with horizontal implications for the CRA, including training, communications, and privacy impact assessments. This DG-level committee played a key role in supporting CRA-wide engagement on privacy-related matters.

The ATIP Directorate also consulted with other key stakeholders at the CRA to address ad hoc privacy issues. For instance, a Ginger Group of assistant commissioners was formed to identify potential privacy-related vulnerabilities in the CRA’s programs, data, and systems for appropriate mitigation. This risk identification exercise was led by the Enterprise Risk Management Division and will help the CRA implement the measures needed to mitigate any identified risks.

As well, an ad hoc privacy management working group was formed to review and provide direction to the ATIP Directorate on the draft guidelines on disclosing personal information under section 8(2) of the Privacy Act. This consultation will continue in 2013-2014, until the guidelines are finalized.

The ATIP Directorate also engaged in branch-specific consultations to address privacy issues of shared interest. These consultations included the following:

• Finance and Administration: privacy breach management;
• Information Technology: IT solutions and development;
• Legislative Policy and Regulatory Affairs: processing of privacy requests related to charities; and
• Strategy and Integration: disclosure of income tax information.

Training

The ATIP Directorate is responsible for raising awareness at the CRA about employees’ responsibilities related to administering the Privacy Act and the Access to Information Act. Historically, training consisted of “ATIP 101” training to give CRA employees a general overview of access to information and privacy legislation.

In 2012-2013, more targeted training was developed to address the recommendations of oversight bodies, including the Office of the Privacy Commissioner of Canada. This training focuses on key audiences that support the CRA in fulfilling its access and privacy obligations. In consultation with branch and regional assistant commissioners, the ATIP Directorate looked for opportunities to engage with executives, managers, ATIP contacts, and other specialized groups at the CRA, such as auditors and call centre employees. As a result of this strategy, targeted access to information and privacy training was given to 3,961 employees in 159 sessions across Canada; 1,294 of these employees attended privacy breach training coordinated by the ATIP Directorate and the Security and Internal Affairs Directorate through 28 classroom sessions and 10 Web conferences.

More training was also offered to management through the CRA’s MG Learning Program: 15 sessions were given to 294 managers. In addition, the Legal Services Branch gave 18 training sessions to 252 employees on the application of the Access to Information Act and Privacy Act legislation and jurisprudence.

Additionally, privacy impact assessment training sessions were given to various branches. Moreover, as privacy impact assessments or privacy protocol assessments were recommended to be done, the privacy analyst assigned to the file gave the applicable program area one-on-one training, detailing what was required to complete each element of the privacy assessment.

Finally, the ATIP Directorate gave extensive training to employees working within the Directorate. Most of this training was intended to familiarize employees with the functionality of the newly updated ATIP tracking system, which was launched in all three ATIP Directorate offices in October 2012. This new system combines the former version of the ATIP tracking system with the electronic redaction system. In addition to this training, analysts were given training on:

• applying exemptions and exclusions;
• responding to complaints; and
• claiming extensions.

Staffing

In 2012-2013, there was no change in resourcing levels; this is consistent with the Office of the Taxpayers’ Ombudsman’s recommendation to “Ensure that the ATIP Directorate has efficient processes and adequate resources to reduce the backlog and process information requests in a timely manner.”

In fact, resourcing to the ATIP Directorate has increased significantly over the past several years. In 2011-2012, the ATIP Directorate received significant resources to implement its multi-year improvement plan, resulting in 32 term employees being hired to focus on eliminating the Directorate’s backlog. These employees’ terms were extended in 2012-2013.

With this influx of staff, and through additional efficiency measures, the ATIP Directorate’s performance has improved significantly. In 2012-2013, the ATIP Directorate completed 45% more privacy requests than were completed in 2011-2012.

In 2013-2014, the ATIP Directorate will be completing a business case to outline the resources and measures required to make sure its operations are sustained over the longer term.

Efficiency measures

Making its operations as efficient as possible remains an ongoing goal of the ATIP Directorate. Toward this end, the Directorate implemented several efficiency measures in 2012-2013, the most significant of which are outlined below:

• Roll-out of the new ATIP tracking system: in October 2012, the ATIP Directorate implemented a combined tracking and redaction system in its three offices. This case management tool supports end-to-end management of ATIP requests from intake to mail-out and allows for improved performance monitoring and management.
• Provision of request packages on CD and DVD: providing requested documents electronically drastically reduced manual processes and paper consumption at the CRA.
• Creation of a new Access to Information and Personal Information Request Form: this CRA-specific form supports more efficient processing of ATIP requests by the ATIP Directorate.
• Drafting of revised ATIP processing manual: this manual gives ATIP Directorate employees step-by-step instructions for processing ATIP requests, including applying exemptions and exclusions.

Strengthened governance

Chief Privacy Officer

In the Office of the Privacy Commissioner of Canada’s 2009 Audit of Privacy Management Frameworks in Selected Federal Institutions Footnote 1, the Privacy Commissioner recommended that the CRA strengthen its privacy governance by appointing a Chief Privacy Officer to act “as a central locus for privacy management and for overall privacy leadership.”

After receiving the recommendations made by the Office of the Privacy Commissioner of Canada, the CRA did strengthen its privacy governance by creating a comprehensive CRA privacy policy suite that came into effect in April 2012; by developing an information-sharing protocol with the Security and Internal Affairs Directorate on managing privacy breaches; and by expanding training and communications to raise privacy awareness across the CRA. Because of the other priorities the CRA had at the time, the former Commissioner asked that discussions on creating the role of Chief Privacy Officer be postponed until all the other recommendations made in the audit were fully implemented. With these foundational elements in place, in 2012-2013, the CRA was in a position to identify the proposed mandate, organizational structure, and manner in which the CRA’s Chief Privacy Officer would operate.

In March 2013, the CRA Agency Management Committee approved the appointment of the Assistant Commissioner, Public Affairs Branch, as the CRA’s Chief Privacy Officer. This appointment was effective April 2013.

The Chief Privacy Officer will have a broad mandate for privacy oversight at the CRA. To fulfill these obligations, the Chief Privacy Officer will be responsible for:

• overseeing decisions related to privacy, including privacy impact assessments;
• championing personal privacy rights in accordance with legislation and policy, including managing internal privacy breaches; and
• reporting to the CRA’s senior management on the state of privacy management at the CRA at least twice a year.

The CRA recognizes that sound privacy management goes beyond the appointment of a Chief Privacy Officer and is a responsibility shared by all employees within the organization. In 2013-2014, the Chief Privacy Officer will implement necessary measures to make sure privacy accountabilities, responsibilities, and activities related to privacy are reinforced across the CRA.

Privacy notice project

The Privacy Act requires that institutions use a privacy notice to tell individuals, from whom they collect personal information, why the information is being collected. The privacy notice must be inserted every time personal information is collected, whether on a paper or an electronic form, an online application that collects personal information, or other such mediums of collection. Treasury Board Secretariat policies prescribe the content of such notices.

In 2012-2013, the ATIP Directorate began reviewing CRA forms to determine next steps to make sure the CRA is compliant with all legislative and Treasury Board Secretariat policy requirements regarding privacy notices.

Policies, guidelines, and procedures

Guidelines on the disclosure of personal information under subsection 8(2) of the Privacy Act

Recognizing the importance of consistent privacy practices at the CRA, the ATIP Directorate has begun consultations to draft proposed guidelines on the disclosure of personal information in accordance with the Privacy Act.

These guidelines will likely focus more particularly on the disclosure of employee and other non-tax information. They will also address the disclosure of taxpayer information in cases where exceptions to statutory prohibitions exist. The guidelines will complement the CRA’s existing Guidelines on the Disclosure of Client Information.

To support the development of these guidelines, the ATIP Directorate has formed a working group with members from all CRA branches and two regions to consult on existing practices within their respective areas and to review and provide guidance during the drafting of this document. External consultations with the Treasury Board Secretariat, the Office of the Privacy Commissioner of Canada, the Canada Border Services Agency, and the Department of Justice Canada will take place in the fall of 2013.

CRA Access to Information Policy

In 2012-2013, the ATIP Directorate started drafting the CRA Access to Information Policy as part of the CRA’s information management policy suite renewal strategy, which is being led by the Strategy and Integration Branch. The main focus of this policy is to ensure that the CRA makes maximum use of informal disclosure methods for providing access to information, while continuing to respect the public’s right to ask for information formally under the Access to Information Act and the Privacy Act.

This policy addresses recommendations by the Office of the Information Commissioner of Canada and the Office of the Taxpayers’ Ombudsman—both of which recommended that informal and proactive disclosure be expanded by the CRA. The policy is expected to be sent for Agency Management Committee approval in 2013-2014.

CRA privacy policy suite

The CRA privacy policy suite, formally approved by the Agency Management Committee at the beginning of fiscal year 2012-2013, was rolled out across the CRA through communication and training products.

Complaints, investigations, and Federal Court cases

In 2012-2013, the CRA received 72 privacy complaints.

The following chart details the dispositions Footnote 2 of the 38 complaints closed during the fiscal year.

The ATIP Directorate is drafting a business case to determine the measures and resources that will be required to support the sustainability of its operations over the longer term. The issue of optimal complaint management will be considered in this business case.

In 2012-2013, the CRA hired an expert with an access to information and privacy background. This individual made recommendations on best practices to deal effectively with large, complex files. The consultant also analyzed the effectiveness of the CRA’s justifications in the complaint process. Furthermore, the consultant helped prepare a methodology, encompassing justifications and rationales that can be applied to specific complex requests and complaints. This document will be rolled out in 2013-2014; it will make sure the CRA applies exemptions and exclusions more consistently.

The ATIP Directorate also received 66 complaints about alleged improper access, collection, use, or disclosure of personal information by the CRA. Details regarding these types of complaints are outlined in the following table.

Complaints about alleged improper access, collection, use, or disclosure of personal information

Outstanding from previous fiscal year	Received during fiscal year	Completed	Closing inventory
27	66	55	38

The CRA is well aware that ineffective management of privacy breaches has the potential to seriously erode the integrity of the CRA and Canadians’ trust in it. The CRA takes all breaches very seriously and is strengthening its controls and sanctions in respect of unauthorized access and disclosure.

Acting on ATIP: Service issues in the Canada Revenue Agency’s Access to Information and Privacy processes

In 2012-2013, the Office of the Taxpayers’ Ombudsman published a special report, Acting on ATIP: Service issues in the Canada Revenue Agency’s Access to Information and Privacy processes. This report was written as a result of several complaints from taxpayers stating that they had trouble getting information from the CRA. The report acknowledges that the number of pages that needed to be reviewed by ATIP analysts responding to a request more than tripled since 2005, but the number of employees assigned to this task increased only moderately.

The following chart summarizes the actions taken in 2012-2013 to respond to the privacy-related recommendations made by the Taxpayers’ Ombudsman in this report.