2015-2016 Annual Report to Parliament on the Administration of the Privacy Act

Foreword

Each fiscal year, the head of every government institution prepares and submits a report to Parliament on the administration of the Privacy Act.

This annual report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). The report describes how the CRA administered and fulfilled its obligations under the Privacy Act between April 1, 2015, and March 31, 2016. The report also discusses emerging trends, program delivery, and areas of focus for the year ahead.

The Privacy Act

The Privacy Act came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing, and disposing of personal information held by government institutions. It provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions and with rights of correction or annotation or both. Individuals who are dissatisfied with any matter related to a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other means of obtaining government information. The CRA encourages individuals and their representatives to consider requesting information through the following informal methods:

  • topical indexes on the CRA website: www.cra.gc.ca/azindex/menu-eng.html
  • individual income tax enquiries (including requests for forms and publications): 1-800-959-8281
  • universal child care benefit, Canada child tax benefit and related provincial and territorial programs, child disability benefit, and children's special allowances enquiries: 1-800-387-1193
  • TTY (teletypewriter for persons who are deaf or hard of hearing or who have a speech impairment): 1-800-665-0354

Overview of the Canada Revenue Agency

The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. The CRA also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies, at their request and on a cost-recovery basis, to administer non-harmonized taxes and other services. Overall, the CRA promotes compliance with Canada's tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.

The Minister of National Revenue is accountable to Parliament for all of the CRA's activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Canada Revenue Agency Act provides for the establishment of the Board of Management consisting of 15 directors appointed by the Governor in Council. They include the Chair, the Commissioner and Chief Executive Officer, a director nominated by each province, one director nominated by the territories, and two directors nominated by the federal government. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel, and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA's operations, fosters sound management practices, and is committed to efficient and effective service delivery.

As the CRA's chief executive officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister's delegated authority. The Commissioner is accountable to the Board of Management for managing the CRA, supervising employees, and implementing policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA is made up of 12 branches and five regional offices across the country.

Branches

  • Appeals
  • Assessment, Benefit, and Service
  • Audit, Evaluation, and Risk
  • Collections and Verification
  • Compliance Programs
  • Finance and Administration
  • Human Resources
  • Information Technology
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Strategy and Integration

Regions

  • Atlantic
  • Ontario
  • Pacific
  • Prairie
  • Quebec

Chief Privacy Officer

The Assistant Commissioner, Public Affairs Branch, is the CRA's Chief Privacy Officer. This Chief Privacy Officer has a broad mandate for overseeing privacy at the CRA. To fulfill this mandate, the Chief Privacy Officer:

  • oversees decisions related to privacy, including privacy impact assessments
  • champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
  • reports to the CRA's senior management on the state of privacy management at the CRA at least twice a year

The Access to Information and Privacy Directorate

The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the Directorate:

  • responds to requests and enquiries under the Access to Information Act and the Privacy Act
  • provides advice and guidance to CRA employees on requests for, and the proper management and protection of, personal information under the CRA's control
  • coordinates privacy impact assessment processes within the CRA, including giving expert advice to CRA employees on privacy implications, risks, and options for avoiding or reducing risks
  • gives training and awareness sessions on the Access to Information Act and the Privacy Act and the practices and requirements for managing personal information
  • communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about complaints, audits, and policy and legislative requirements
  • fulfills corporate planning and reporting obligations such as the CRA's annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act

The Director has the full delegated authority of the Minister of National Revenue under the Access to Information Act and the Privacy Act. The Director also manages and coordinates the Access to Information and Privacy Program, leads strategic planning and development initiatives, and supports the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer.

The Directorate is made up of two main divisions: processing; and program support and training (within the Directorate and CRA-wide). In addition to its headquarters office in Ottawa, there is an office in Vancouver and an office in Montréal. In 2015–2016, 110 full-time employees administered the Access to Information Act and the Privacy Act.

Image description

Access to Information and Privacy Directorate Organizational Chart

First row Director, Access to Information and Privacy (ATIP) Directorate

Middle row, first box Assistant Director, ATIP Productions, Corporate and Complex Case Division

Middle row, second box Assistant Director, ATIP Productions Strategic Compliance Division

The three areas of responsibility of the Assistant Director, ATIP Productions Strategic Division are listed in the three boxes below: Tax Compliance Section, Operations Training Manual, and Complaints Project.

Middle row, third box Assistant Director, ATIP Productions Legislative and HQ Operational Case Division

The two areas of responsibility of the Assistant Director, ATIP Productions Legislative and HQ Operational Case Division are listed in the two boxes below: Legislative Case Section and HQ Operations Section.

Middle row, fourth box Assistant Director, ATIP Productions Regional Operations Case Division – Montreal

Middle row, fifth box Assistant Director, ATIP Productions Regional Operations Case Division – Vancouver

Middle row, sixth box Assistant Director, Program Support and Training Division

The two areas of responsibility of the Assistant Director, Program Support and Training Division are listed in the two boxes below: Governance and Corporate Reporting Section and Business Process Section.


The Access to Information and Privacy Oversight Review Committee

The Access to Information and Privacy Oversight Review Committee is an Assistant Commissioner level committee, chaired by the Chief Privacy Officer. The Committee was established to ensure horizontal consultation, collaboration, and decision-making on emerging access to information and privacy issues at the CRA. Among other responsibilities, the Committee reviews high-risk privacy impact assessments; identifies measures to support more effective administration of access to information and privacy matters; and champions related activities.

Delegation of responsibilities under the Privacy Act

As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers the Privacy Act and complies with the Privacy Regulations and Treasury Board of Canada Secretariat policy instruments. Section 73 of the Privacy Act gives the Minister the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the Minister's powers, duties, and functions under the Act.

The CRA's current delegation order for the Privacy Act was signed by the Minister of National Revenue on January 14, 2016. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.

The Access to Information and Privacy Director and Assistant Directors, as well as the managers of the processing units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, and the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer.

Image description

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties, or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.
Diane Lebouthillier
Minister of National Revenue
Signed in Ottawa, Ontario, Canada this 14th day of January, 2016


Schedule-Privacy Act

The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations are the following:

Commissioner

  • Full authority

Deputy Commissioner

  • Full authority

Assistant Commissioner, Public Affairs Branch and Chief Privacy Officer

  • Full authority

Director, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority

Assistant Directors, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority with the exception of paragraphs 8(2)(j) and (m) and subsection 8(5)

Managers, Access to Information and Privacy Directorate, Public Affairs Branch

  • Subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2), 35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations.

Interpretation and explanation of Appendix A – Statistical report

Appendix A provides a statistical report on the CRA's activities under the Privacy Act for the 2015-2016 reporting period. The following explains and interprets the statistical information.

Requests under the Privacy Act

During this reporting period (April 1, 2015, to March 31, 2016), the CRA received 3,048 new privacy requests. This is an increase of 515 requests (20%) over last year's total of 2,533 requests. With the 445 requests carried forward from 2014–2015, there were 3,493 active requests. The following table shows the number of privacy requests the CRA received and completed in the past five fiscal years.

Requests received and completed in the past five fiscal years

| Fiscal year | Requests received | Requests completed | Pages processed |
|---|---|---|---|
| 2011-2012 | 1,362 | 1,497 | 510,503 |
| 2012-2013 | 1,980 | 1,936 | 775,563 |
| 2013-2014 | 1,548 | 1,553 | 624,430 |
| 2014-2015 | 2,533 | 2,313 | 636,207 |
| 2015-2016 | 3,048 | 2,723 | 476,832 |

Other requests

In 2015–2016, the Access to Information and Privacy Directorate closed 21 consultation requests from other government institutions and organizations. A total of 299 pages were reviewed to respond to these requests. For more details on the consultations received from other government institutions and organizations, including disposition and completion times, see Part 6 of Appendix A.

In addition, the Directorate's Program Support and Training Division responded to 4,710 emails and 733 telephone enquiries received through the general enquiries mailbox and 1-800 line. The enquiries related mainly to how to submit an access to information or privacy request, the status of the request, and enquiries that were redirected because the information requested is not retained by the ATIP Directorate, such as forms and tax information.

Completion time and extensions

The following chart shows the completion times for the 2,723 requests closed in 2015–2016. Extensions were taken for 1,028 (38%) of these requests, mainly because meeting the original 30-day time limit would have interfered unreasonably with operations.

Image description

The chart outlines the completion time frames of the 2,723 requests closed in 2015-2016.

The Access to Information and Privacy Directorate completed 2,245 (82%) requests within the time frame required by law. This means that responses were provided within 30 calendar days, or if a time extension was taken, within the extended deadline.

Deemed refusals and complexities

A deemed refusal is a request that was closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.

Of the 2,723 requests closed during the reporting period, 478 were closed after the deadline, resulting in a deemed refusal rate of 18%.

Although the CRA continues to work toward a deemed refusal rate of zero, as the Office of the Privacy Commissioner recommended, the large volume of records that must be processed makes achieving this goal a continuing challenge. For example, in 2015–2016 there was a 20% increase in requests received during the fiscal year compared to the previous year. Despite this increase, the Access to Information and Privacy Directorate still processed 410 (18%) more requests during the reporting period compared to the previous year.

The Treasury Board of Canada Secretariat defines complexity using two criteria: the number of pages to process; and the nature and sensitivity of the subject matter.

Based on these criteria, the CRA handles a large number of complex requests. For instance, the CRA reviewed 476,832 pages in 2015–2016. Of the 1,896 requests for which records were disclosed, 688 (36%) involved processing more than 100 pages, and 93 of these requests involved processing over 1,000 pages, three of which involved processing more than 5,000 pages.

Other requests were considered complex because of the nature and sensitivity of the subject matter being processed. For more details, see Table 2.5.3 of Appendix A.

Dispositions of completed requests

During the reporting period, the Access to Information and Privacy Directorate completed 2,723 requests related to the Privacy Act.

  • 946 were fully disclosed (34.74%)
  • 950 were disclosed in part (34.89%)
  • 9 were exempted in their entirety (0.33%)
  • 0 were excluded in their entirety (0%)
  • 63 resulted in no existing records (2.31%)
  • 755 were abandoned by requesters (27.73%)
  • 0 were neither confirmed nor denied (0%)

There was a notable increase in the number of abandoned requests this year (755) compared to last year (470). Of the abandoned requests, 512 were received online; 72% of the requests were abandoned because information, such as the SIN or business number, was missing. For more details, see Table 2.1 of Appendix A.

Exemptions

The Privacy Act allows an institution to sometimes refuse access to specific information. For example, information about individuals other than the requester cannot be disclosed if the individual has not given his or her consent. Exemptions are applied by analysts to support non-disclosure in these cases. Exemptions must be limited and specific.

The CRA applied the following exemptions under the Act to exempt information in full or in part for 959 (35%) of the 2,723 requests closed during the reporting period.

  • Section 19 – Personal information obtained in confidence (28 requests)
  • Section 22 – Law enforcement and investigation (352 requests)
  • Section 26 – Information about another individual (819 requests)
  • Section 27 – Solicitor-client privilege (102 requests)

Exclusions

The Privacy Act does not apply to information that is already publicly available, such as government publications and material in libraries and museums. It also excludes material such as Cabinet confidences.

There were no exclusions during the reporting period.

Format of information released

Requesters can choose to receive their response package in paper, CD, or DVD format. Providing documents electronically significantly reduces manual processes and paper consumption. In 2015–2016, of the 1,896 requests for which information was disclosed in full or in part, 1,484 requests (78%) were released in electronic format. This is a 5% increase over the previous reporting period.

Requests for translation

There was one request for translation, but it was refused.

Records are normally released in the language in which they exist. However, records may be translated in a particular official language when requested, and the institution considers it in the public interest to do so.

Disclosures under paragraph 8(2)(m) of the Privacy Act

During the reporting period, there were no disclosures made under paragraph 8(2)(m) of the Privacy Act.

Paragraph 8(2)(m) provides that personal information may be disclosed for any purpose where, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or disclosure would clearly benefit the individual to whom the information relates.

Corrections and notation

The CRA did not receive any requests to correct personal information in 2015–2016.

Costs

During 2015–2016, the Access to Information and Privacy Directorate's estimated total cost to administer the Privacy Act was $4,540,079. This excludes significant support and resources from the branches and regions. For more details, see 10.1 in Part 10 of Appendix A.

Operational environment

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the Government of Canada's largest repositories of personal information, second only to Employment and Social Development Canada. In addition, the CRA collects and manages the personal information for its workforce of more than 40,000 individuals. The Access to Information and Privacy Directorate faced significant challenges during the fiscal year in the processing of privacy requests received, primarily due to the volume of requests received and staffing challenges.

Request volume

The CRA's Access to Information and Privacy Directorate processes a large volume of privacy requests, among the largest of all federal organizations. The CRA is historically among the top 10 federal organizations for requests received and pages processed. In 2014–2015, the CRA processed the third largest volume of pages (over 600,000) of all federal organizations and received the eighth largest number of requests.

  • Volumes have grown from 1,912 requests received and just over 300,000 pages processed in 2006–2007 to 3,048 requests received and over 476,000 pages processed in 2015–2016
  • In 2015–2016 the CRA received the highest number of requests ever
  • Since 445 requests were carried over from the previous reporting period, the Directorate's total inventory in 2015–2016 was 3,493 requests
  • With the 2,723 requests closed in 2015–2016, the Directorate began 2016–2017 with 770 requests in its inventory

The following graph demonstrates the increase in privacy requests received over the past 10 years. As the graph demonstrates, the number of requests received in 2015–2016 (3,048) is almost double the number in 2013–2014 (1,548).

Image description

Workload Trend

  • 2006-2007: 1,912 requests received and 314,374 pages reviewed
  • 2007-2008: 1,406 requests received and 340,217 pages reviewed
  • 2008-2009: 1,553 requests received and 392,173 pages reviewed
  • 2009-2010: 2,083 requests received and 371,766 pages reviewed
  • 2010-2011: 2,600 requests received and 725,741 pages reviewed
  • 2011-2012: 1,362 requests received and 510,503 pages reviewed
  • 2012-2013: 1,980 requests received and 775,563 pages reviewed
  • 2013-2014: 1,548 requests received and 624,430 pages reviewed
  • 2014-2015: 2,533 requests received and 636,207 pages reviewed
  • 2015-2016: 3,048 requests received and 476,832 pages reviewed


Staffing

During the fiscal year, the Access to Information and Privacy Directorate faced staffing challenges due to attrition. Action was taken to address these challenges, including hiring several analysts and clerks.

Raising Awareness

The trust Canadians place in the CRA to safeguard the privacy of their personal information is a cornerstone of the CRA's work. In 2015–2016, the CRA worked on many projects to enhance employees' awareness of their privacy-related roles and responsibilities.

For the fifth consecutive year, the CRA joined the Office of the Privacy Commissioner and many other institutions across Canada and the world to promote Data Privacy Day. This initiative highlights the effect that technology has on privacy rights and underlines the importance of valuing and protecting personal information. The CRA's activities focused on the role all CRA employees play in safeguarding personal information in their day-to-day jobs. Over a week-long period, the Access to Information and Privacy Directorate highlighted the responsibilities of employees across the CRA and promoted the many tools available to support employees in this regard.

The Directorate also participated in the CRA's Security Awareness Week. This event was originally launched by the Treasury Board of Canada Secretariat and has become an annual opportunity for federal organizations to discuss security topics, including those related to personal privacy (for example, identity theft). As part of Security Awareness Week, the Finance and Administration Branch organized activities for employees, including an event at Library and Archives Canada. The Access to Information and Privacy Directorate set up an information kiosk on many privacy-related topics, including privacy impact assessments, privacy breaches, and the role of the Chief Privacy Officer at the CRA.

Through a monthly newsletter and a quarterly teleconference call, the Directorate communicates regularly with access to information and privacy (ATIP) contacts in branches and regions to raise awareness about access to information and privacy and the role they play in supporting sound privacy management at the CRA.

New tools were also developed to support the ATIP contacts in the execution of their roles and responsibilities. For instance, a recommendations memorandum was developed to help the CRA employees who provide recommendations to access to information and privacy analysts to support the severing of information.

To further support ATIP contacts, during the fiscal year, the Directorate launched a new tool, DropZone, so that responsive records could be transmitted electronically to the Directorate. This new method saves the CRA time and resources and promotes sustainable development.

The Directorate is also leading a project to increase employee awareness and understanding of roles and responsibilities associated with how to respond to access to information and privacy requests through the development of KnowHow products. KnowHow is the CRA's portal that provides user-friendly instructions to CRA employees and managers.

Training

The Access to Information and Privacy Directorate provides training to CRA employees about the requirements of, and their responsibilities under, the Access to Information Act and the Privacy Act. This training is tailored to the needs of specific audiences. For instance, employees who have little or no knowledge of the subject take the ATIP 101 course or the Canada School of Public Service "ATIP Fundamentals" online course. Subject matter experts take more specific training, such as on how to respond to requests for records. In total, this fiscal year:

  • 1,211 employees participated in 40 sessions across Canada
  • 97 employees attended the Canada School of Public Service "ATIP Fundamentals" online course
  • 135 managers received online training under the CRA's management learning program
  • 6 presentations were given to CRA senior management committees, in addition to those presentations given at the quarterly Access to Information and Privacy Oversight Review Committee meetings

The CRA's Legal Services Branch provided specialized training on the Access to Information Act. In total, the Branch provided 14 training sessions to 131 employees. These sessions focused on advising CRA staff on how to prepare documents for release in CRA reading rooms and on legal interpretation of the Access to Information Act for specialized CRA staff.

Beyond classroom training, the Directorate also initiated a strategy to expand awareness training through other mediums, such as webinars. Moving to e-training will enable the Directorate to reach a wider audience and to develop more targeted training to specific audiences in a more effective and efficient way. In March 2016, the first webinar was delivered to ATIP contacts through the National Technical Capacity Forum. Consultations were also held with the Human Resources Branch to develop job aids for CRA staff on access to information and privacy. In 2016–2017, these job aids will be posted on KnowHow.

In addition to training for employees across the CRA, the Directorate developed and delivered training for 15 new employees who joined the Directorate as analysts in March 2016. Work was also initiated to create e-modules for access to information and privacy staff, the first of which will be rolled out in 2016–2017.

CRA website

During the fiscal year, the Access to Information and Privacy Directorate worked with internal stakeholders across the CRA to draft revised access to information and privacy webpages to better inform taxpayers that there are many ways to request information from the CRA, apart from making an access to information or privacy request. The revised pages will be posted in 2016–2017.

Privacy notices

The Privacy Act requires that all institutions include a privacy notice at the point of collection of personal information, whether on paper, in electronic form, online, or by any other method. Treasury Board of Canada Secretariat policies define the content that these notices must contain.

In 2012–2013, the Access to Information and Privacy Directorate worked with CRA branches and regional contacts to develop a plan to make sure privacy notices are included on all forms. The project is a year ahead of schedule.

Chief Privacy Officer action plan

Following the appointment of the Chief Privacy Officer in 2013, the Access to Information and Privacy Directorate developed an action plan to support fulfillment of the Chief Privacy Officer's mandate.

To implement the plan, the Directorate worked with branches to define key activities to support privacy management throughout the CRA. Following the consultations, the Directorate developed a privacy management dashboard and matrix, through which branches can report on progress on a quarterly basis. These reports will enable the Chief Privacy Officer to report on the state of privacy management to senior management at least twice yearly.

The dashboard and matrix are expected to be updated in 2016–2017 to reflect new privacy priorities requiring oversight.

Access to information and privacy action plan

Following a significant privacy breach within the Access to Information and Privacy Directorate in November 2014, the Directorate developed an action plan to strengthen its privacy management practices. In 2015–2016, the Directorate completed all remaining activities in the plan, including a protocol to handle highly sensitive records.

Third-party review

In 2015–2016, the CRA engaged a third-party review of the Access to Information and Privacy Directorate's privacy practices. In general, the review found the CRA's operations to be robust. Seven recommendations were made to further enhance the CRA's privacy management controls.

Significant work was done during the fiscal year to respond to the recommendations, including:

  • Implementation of a process to monitor all users with access to ATIP network folders
  • Quality assurance tools drafted for implementation in 2016–2017
  • The ATIP tracking system was reviewed to ensure that the system gates in place were sufficient to ensure security of information was demonstrated at all steps in the processing of requests
  • The Directorate has developed an action plan to monitor the implementation of the recommendations. All activities in the plan are scheduled to be fully implemented in 2016–2017

Managing privacy breaches

The CRA has many controls in place to safeguard taxpayer information, including its Integrity Framework, information technology, and security controls. Despite these controls, privacy breaches sometimes occur. When they do, the CRA investigates and reports material breaches to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat. Affected individuals are also notified according to policy protocols and measures are taken to prevent breaches from occurring again.

Effectively managing privacy breaches is a responsibility that the Access to Information and Privacy Directorate and the Security and Internal Affairs Directorate in the Finance and Administration Branch share through an information-sharing protocol.

Under the protocol, the Security and Internal Affairs Directorate must inform the Access to Information and Privacy Directorate of significant privacy breaches through its early notification process. It must also advise the Directorate when it is launching an investigation into an alleged privacy breach as a result of employee misconduct, and within 30 days of the end of an investigation.

The Agency Security Officer decides whether affected individuals should be notified according to Treasury Board of Canada Secretariat requirements, and the Access to Information and Privacy Directorate must confirm that it agrees with this decision. When the Directorate disagrees with a decision about notifying affected individuals, the Access to Information and Privacy Director has to refer the case to the Chief Privacy Officer for a final decision.

During 2015–2016, the CRA notified the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat of 20 material privacy breach incidents. This is a significant decrease from the 37 reported in 2014–2015. All 20 material breaches related to unauthorized access.

Integrity in the workplace is the cornerstone of the CRA's culture. The CRA supports its employees in doing the right thing by providing clear guidelines and tools to ensure privacy, security, and the protection of CRA programs and data.

Privacy impact assessments

During the reporting period, the CRA completed four privacy impact assessments and sent them to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat for review. A significant number of other initiatives were reviewed to assess potential privacy concerns. This necessitated the review of documents such as privacy assessment determination questionnaires, threat and risk assessments, and memorandums of understanding.

In line with the Treasury Board of Canada Secretariat's Directive on Privacy Impact Assessment, the CRA releases summaries of completed privacy impact assessments on its website (www.cra.gc.ca/gncy/prvcy/pia-efvp/menu-eng.html).

The following are the summaries of the four privacy impact assessments completed in 2015–2016:

Enhanced Financial Account Information Reporting

In March 2010, the Government of the United States of America enacted the Foreign Account Tax Compliance Act. This act requires non-U.S. financial institutions to report to the Internal Revenue Service accounts held by U.S. citizens.

Under the intergovernmental agreement, relevant information on accounts held by U.S. residents and U.S. citizens (including U.S. citizens who are residents or citizens of Canada) is reported to the CRA. The CRA then exchanges the information with the Internal Revenue Service through the existing provisions and safeguards of the Canada-U.S. tax treaty.

For the privacy impact assessment summary, go to www.cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-efair-eng.html.

Identity and Access Management – Phase 3

The CRA's Security and Internal Affairs Directorate is establishing the Identity and Access Management Program and concurrently managing a multi-phased, multi-year project to optimize business processes.

Password management is being delivered in Phase 3 of the project. Two key deliverables of this phase are password synchronization and self-service password reset. Password management will develop and enforce security standards and policies across five computing environments.

For the privacy impact assessment summary, go to www.cra-arc.gc.ca/gncy/prvcy/pia-efvp/dnttndcccssmngmntphs-eng.html.

GST/HST Audit and Examination Program

The GST/HST Audit and Examination Program includes reviews, examinations, and audits at the domestic and international level to determine the correct amount of excise taxes, other levies, goods and services tax/harmonized sales tax (GST/HST), and air travellers security charges owing on an account, and to prevent the issuance of unwarranted refunds and rebates.

For the privacy impact assessment summary, go to www.cra-arc.gc.ca/gncy/prvcy/pia-efvp/gsthstdrctrtcmplncprgrmsbrnch-eng.html.

Canada Child Benefit Privacy Impact Assessment

The Canada Child Benefit is a non-taxable amount paid monthly to help eligible families with the cost of raising children. The CRA will use the Canada Child Benefit application to determine eligibility for numerous federal, provincial, and territorial programs related to this benefit. The privacy impact assessment covers the administration of the benefit and related programs, including the compliance activities for enforcement purposes such as detecting fraud and investigating possible abuses within the Canada Child Benefit Program.

For the privacy impact assessment summary, go to www.cra-arc.gc.ca/gncy/prvcy/pia-efvp/pia-ccb-eng.html.

Policies, guidelines, and procedures

Disclosure of personal information under subsection 8(2) of the Privacy Act

In 2014–2015, the Access to Information and Privacy Directorate consulted with branches and regional contacts to improve direction to CRA staff on disclosures where personal information can be disclosed without consent.

A policy instrument was drafted and is currently being revised to ensure the direction provided is in a user-friendly format.

CRA privacy policy suite

In its 2013 audit of the CRA's privacy management framework, the Office of the Privacy Commissioner recommended that the CRA define fully the role of the Chief Privacy Officer and monitor how the Chief Privacy Officer's mandate is implemented in terms of awareness of employee privacy, reduction of privacy risk, and overall CRA compliance with the Privacy Act. The CRA privacy policy suite was revised to clarify the Chief Privacy Officer's role. These changes were approved and communicated in 2015–2016.

Informal disclosure

During the fiscal year, guidance documents were drafted to expand informal disclosure across the CRA.

Monitoring request inventories

The CRA's Access to Information and Privacy Directorate produces a monthly report that captures key statistical information about the CRA's inventory of access to information and privacy requests. This report shows the average time a request remains at each phase of the request process (for example, intake, search and locate records, and analysis). The report also provides statistical information about the number of extensions taken, completion times, pages processed, complaints, and complaint disposition.

These reports are used by management to monitor trends, measure the Directorate's performance, and determine any process changes required to improve performance.

Complaints, investigations, and Federal Court cases

During 2015–2016, the CRA received 29 complaints under the Privacy Act and closed 22 complaints. The following chart details the disposition of the complaints closed during the fiscal year. (For definitions of the disposition categories, go to www.priv.gc.ca/cf-dc/def2_e.asp.)

No complaints were pursued to the Federal Court

The chart details the dispositions of the 22 complaints closed during the fiscal year.

The Access to Information and Privacy Directorate also received 91 complaints about alleged improper access, collection, use, and disclosure of personal information by the CRA. Complaints came from a variety of areas including the Office of the Privacy Commissioner, individuals, and the CRA's Security and Internal Affairs Directorate.

Complaints

Outstanding from previous fiscal year Received during fiscal year Completed Closing inventory
78 91 117 52

Effectively managing privacy breaches is critical in maintaining public confidence in the integrity of the CRA. The CRA takes all breaches very seriously and continues to strengthen its controls and sanctions for unauthorized access and disclosure (see "Privacy breach management" for details).

Collaboration with oversight bodies and other organizations

The CRA continues to work closely with the Office of the Information Commissioner, the Treasury Board of Canada Secretariat, and other organizations to strengthen access to information at the CRA.

Office of the Privacy Commissioner audit

In 2012–2013, the Office of the Privacy Commissioner completed an audit of the CRA's privacy management framework as a follow-up to its February 2009 audit, "Privacy Management Frameworks of Selected Federal Institutions." In 2015–2016, when the Office of the Privacy Commissioner followed up on the progress against these recommendations, the CRA reported that, based on the Office of the Privacy Commissioner's criteria for full implementation, six of the nine recommendations were fully implemented. The remaining three recommendations will be fully implemented by June 2017, because they require the development and deployment of new, Agency-wide information technology systems and controls. The CRA is awaiting the Office of the Privacy Commissioner's response to the CRA's progress against the recommendations.

Treasury Board of Canada Secretariat

The CRA strengthened its relationship with the Treasury Board of Canada Secretariat throughout the fiscal year by:

  • consulting with the Treasury Board of Canada Secretariat Information and Privacy Policy Division on numerous occasions
  • participating in access to information and privacy community meetings
  • participating in the director-general-level Access to Information and Privacy Training Working Group
  • participating in discussions with federal organizations about the costs associated with the Access to Information and Privacy Program and how to strengthen decision making on access to information and privacy issues

Conclusion

The CRA takes privacy and the safeguarding of personal information very seriously. In 2016–2017, the CRA will continue to strengthen its operations and privacy governance by:

  • promoting the use of informal disclosure
  • enhancing employee awareness about access and privacy-related issues through new platforms such as webinars, job aids, and KnowHow
  • increasing quality assurance and process improvements within the Access to Information and Privacy Directorate
  • responding to all recommendations made in reviews and audits of the access to information and privacy functions
  • updating the privacy management dashboard and matrix to make sure the CRA's privacy management framework is sound
  • working closely with program areas to ensure privacy impact assessments are completed as required

Appendix A — Statistical report

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency

Reporting period: April 1, 2015 to March 31, 2016.

Part 1 – Requests under the Privacy Act

Number of requests

Number of Requests
Received during reporting period 3,048
Outstanding from previous reporting period 445
Total 3,493
Closed during reporting period 2,723
Carried over to next reporting period 770

Part 2 – Requests closed during the reporting period

2.1 Disposition and completion time

Disposition of Requests 1 to 15 Days 16 to 30 Days 31 to 60 Days 61 to 120 Days 121 to 180 Days 181 to 365 Days More Than 365 Days Total
All disclosed 56 422 364 82 19 3 0 946
Disclosed in part 13 163 396 203 86 68 21 950
All exempted 0 4 3 0 0 2 0 9
All excluded 0 0 0 0 0 0 0 0
No records exist 10 40 11 1 0 1 0 63
Request abandoned 686 34 19 10 2 4 0 755
Neither confirmed nor denied 0 0 0 0 0 0 0 0
Total 765 663 793 296 107 78 21 2,723

2.2 Exemptions

Section Number of requests
18(2) 0
19(1)(a) 5
19(1)(b) 0
19(1)(c) 23
19(1)(d) 0
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 1
22(1)(a)(ii) 16
22(1)(a)(iii) 0
22(1)(b) 335
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 0
26 819
27 102
28 0

2.3 Exclusions

Section Number of requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0

2.4 Format of information released

Disposition Paper Electronic Other formats
All disclosed 276 670 0
Disclosed in part 136 814 0
Total 412 1,484 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed

Disposition of requests Number of pages processed Number of pages disclosed Number of requests
All disclosed 43,095 43,095 946
Disclosed in part 428,355 307,242 950
All exempted 1,654 0 9
All excluded 0 0 0
Request abandoned 3,728 0 755
Neither confirmed nor denied 0 0 0
Total 476,832 413,337 2,660

2.5.2 Relevant pages processed and disclosed by size of request

Disposition of requests Less than 100 pages processed - Number of requests Less than 100 pages processed - Pages disclosed 101-500 pages processed - Number of requests 101-500 pages processed - Pages disclosed 501-1000 pages processed - Number of requests 501-1000 pages processed - Pages disclosed 1001-5000 pages processed - Number of requests 1001-5000 pages processed - Pages disclosed More than 5000 pages processed - Number of requests More than 5000 pages processed - Pages disclosed
All disclosed 855 23,801 87 14,557 2 1,574 2 3,163 0 0
Disclosed in part 353 16,444 393 96,326 113 82,212 88 158,552 3 16,708
All exempted 9 0 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0 0 0
Request abandoned 748 0 5 0 1 0 1 0 0 0
Neither confirmed nor denied 0 0 0 0 0 0 0 0 0 0
Total 1,965 40,245 485 110,883 116 83,786 91 161,715 3 16,708

2.5.3 Other Complexities

Disposition Consultation required Legal advice sought Interwoven information Other Total
All disclosed 0 1 2 14 17
Disclosed in part 4 2 4 20 30
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 4 3 6 34 47

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline

Number of requests closed past the statutory deadline Workload External consultation Internal consultation Other
478 414 6 2 56

2.6.2 Number of days past deadline

Number of days past deadline Number of requests past deadline where no extension was taken Number of requests past deadline where an extension was taken Total
1 to 15 days 48 57 105
16 to 30 days 11 24 35
31 to 60 days 36 45 81
61 to 120 days 81 53 134
121 to 180 days 40 27 67
181 to 365 days 19 29 48
More than 365 days 2 6 8
Total 237 241 478

2.7 Requests for translation

Translation requests Accepted Refused Total
English to French 0 1 1
French to English 0 0 0
Total 0 1 1

Part 3 – Disclosures under subsection 8(2) and 8(5)

Disclosures under subsection 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Part 4 – Requests for correction of personal information and notations

Requests for correction of personal information and notations

Disposition for correction requests received Number
Notations attached 0
Requests for correction accepted 0
Total 0

Part 5 – Extensions

5.1 Reasons for extension and disposition of requests

Disposition of requests where an extension was taken 15(a)(i) Interference with operations 15(a)(ii) Consultation Section 70 15(a)(ii) Consultation Other 15(b) Translation or conversion
All disclosed 377 0 0 3
Disclosed in part 609 0 4 8
All exempted 3 0 0 0
All excluded 0 0 0 0
No records exist 8 0 0 0
Request abandoned 16 0 0 0
Total 1,013 0 4 11

5.2 Length of extensions

Length of extensions 15(a)(i) Interference with operations 15(a)(ii) Consultation Section 70 15(a)(ii) Consultation Other 15(b) Translation purposes
1 to 15 days 15 0 0 0
16 to 30 days 998 0 4 11
Total 1,013 0 4 11

Part 6 – Consultations received from other institutions and organizations

6.1 Consultations received from other government institutions and other organizations

Consultations Other government of Canada institutions Number of pages to review Other organizations Number of pages to review
Received during the reporting period 19 294 2 5
Outstanding from the previous reporting period 0 0 0 0
Total 19 294 2 5
Closed during the reporting period 19 294 2 5
Pending at the end of the reporting period 0 0 0 0

6.2 Recommendations and completion time for consultations received from other government institutions

Recommendation 1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 6 0 0 0 0 0 0 6
Disclose in part 3 5 0 0 0 0 0 8
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 3 2 0 0 0 0 0 0
Total 12 7 0 0 0 0 0 19

6.3 Recommendations and completion time for consultations received from other organizations

Recommendation 1 to 15 days 16 to 30 days 31 to 60 days 61 to 120 days 121 to 180 days 181 to 365 days More than 365 days Total
Disclose entirely 1 0 0 0 0 0 0 1
Disclose in part 1 0 0 0 0 0 0 1
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 2 0 0 0 0 0 0 2

Part 7 – Completion time of consultations on Cabinet confidences

7.1 Requests with Legal Services

Number of days Fewer than 100 pages processed - Number of requests Fewer than 100 pages processed - Pages disclosed 101-500 pages processed - Number of requests 101-500 pages processed - Pages disclosed 501-1000 pages processed - Number of requests 501-1000 pages processed - Pages disclosed 1001-5000 pages processed - Number of requests 1001-5000 pages processed - Pages disclosed More than 5000 pages processed - Number of requests More than 5000 pages processed - Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

7.2 Requests with Privy Council Office

Number of days Fewer than 100 pages processed - Number of requests Fewer than 100 pages processed - Pages disclosed 101-500 pages processed - Number of requests 101-500 pages processed - Pages disclosed 501-1000 pages processed - Number of requests 501-1000 pages processed - Pages disclosed 1001-5000 pages processed - Number of requests 1001-5000 pages processed - Pages disclosed More than 5000 pages processed - Number of requests More than 5000 pages processed - Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8: Complaints and investigations notices received

Complaints and investigations under sections 31, 33, 35 and Court Action

Section 31 Section 33 Section 35 Court Action Total
29 0 22 0 51

Part 9: Privacy Impact Assessments (PIAs)

Number of PIA(s) completed: 4

Part 10: Resources Related to the Privacy Act

10.1 Costs

Expenditures Amount
Salaries $3,846,372
Overtime $63,168
Goods and Services $630,539
  • Professional services contracts $437,260
  • Other $193,279
Total $4,540,079

10.2 Human Resources

Resources Person years dedicated to privacy activities
Full-time employees 57.00
Part-time and casual employees 0.00
Regional staff 0.00
Consultants and agency personnel 3.50
Students 0.00
Total 60.50

Date modified: 2016-09-12