2021–2022 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

In keeping with section 72 of the Privacy Act, each year the head of every government institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act.

The following report is tabled in Parliament under the direction of the Minister of National Revenue. It describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2021, and March 31, 2022. It also discusses emerging trends, program delivery, and areas of focus for the year ahead.

Privacy Act

The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of, and disclose individuals’ personal information. As well, it gives individuals (or their authorized representatives) the right to access (with a few and specific exceptions), correct, or add notes to their own information.

Individuals who are not satisfied with the way an institution handled their personal information or a formal request they made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other ways of getting federal government information. The CRA actively encourages individuals and their representatives to get information informally through its online self-service channels, such as My Account and Represent a Client. The CRA continually updates these portals to provide access to more information, which reduces the burden on Canadians to make Privacy Act requests. Also, the CRA actively promotes other informal channels, such as requesting information directly from the CRA through its automated and toll free phone lines, as alternatives.

About the Canada Revenue Agency

Operational environment including the impact of the COVID-19 pandemic

Privacy Management Program

Monitoring compliance

Privacy assessments

Interpretation and explanation of Appendix A – Statistical report

Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Conclusion

Appendix A – Statistical report

Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Appendix C – Delegation order

ISSN: 2563-3465

About the Canada Revenue Agency

The Canada Revenue Agency (CRA) promotes and ensures compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well being of Canadians. The CRA does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to partner with the provinces, territories, and other government bodies to share information, and for a fee, can administer enhanced services at the request of provinces and territories.

The minister of national revenue is accountable to Parliament for all the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Board of Management, which was established by the Canada Revenue Agency Act, is made up of 15 directors appointed by the Governor in Council. Each province nominates one director, and the territories take turns nominating one director. The other four directors include the chair, the commissioner and chief executive officer of the CRA, and two directors nominated by the Government of Canada. The board oversees the administration and management of the CRA, including the development of the corporate business plan and management of policies related to resources, services, property, and personnel. In fulfilling this role, the board brings a forward looking strategic perspective to the CRA’s administration, fosters sound management practices, and commits to delivering efficient and effective service.

As the CRA’s chief executive officer, the commissioner is responsible for the day to day administration and enforcement of the program legislation that falls under the minister of national revenue’s delegated authority. They ensure that operations are guided by the CRA’s vision to be trusted, fair, and helpful by putting people first. As well, they are accountable to the board for the management of the CRA, which includes supervising employees, implementing policies, and managing budgets. They also assist and advise the minister about legislated authorities, duties, functions, and Cabinet responsibilities.

The CRA is made up of 12 functional branches and four regional offices across the country:

Branches

Appeals
Assessment, Benefit, and Service
Audit, Evaluation, and Risk
Collections and Verification
Compliance Programs
Finance and Administration
Human Resources
Information Technology
Legal Services
Legislative Policy and Regulatory Affairs
Public Affairs
Service, Innovation, and Integration

Regions

Atlantic
Ontario
Quebec
Western

Chief Privacy Officer

The assistant commissioner of the Public Affairs Branch is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, they:

oversee decisions related to privacy, including privacy assessments
champion personal privacy rights, including managing internal privacy breaches, according to legislation and policy
report to the CRA’s senior management at least twice a year on the state of privacy management at the CRA

Agency Privacy Council

The Agency Privacy Council was inaugurated in July 2020. It has nine key senior officers, including the chief privacy officer as the chair.

The mandate of the council is to:

facilitate a horizontal approach to privacy governance
identify privacy risks
outline mitigation strategies for the CRA
act as a steering committee to set the direction on privacy matters and recommend courses of action to senior management committees

During the reporting period, the council met three times. Some of the issues it considered related to:

approaches to major privacy breaches
tracking how privacy is managed across the agency
the Privacy and Access to Information Training and Awareness Strategy
the Protection of Personal Information Vulnerability Review

In January 2022, the Agency Privacy Council and the AC Security Steering Committee merged to form the Agency Security and Privacy Executive Council. The new executive council:

acts as a steering committee to set the direction on security and privacy matters
recommends courses of action to the Planning and Priorities Committee about agency wide objectives and strategies, business enablers, and investment priorities, and
recommends courses of action to the Corporate Management Committee for corporate related issues and initiatives

Personal Information Incident Working Group

The Personal Information Incident Working Group was created in July 2019 to help branches and regions collaborate and make decisions on emerging issues related to suspicious activities and incidents involving personal information.

During the reporting period, the working group provided input on the Privacy and Access to Information Training and Awareness Strategy.

However, the working group was dissolved during the reporting period and replaced with a combined privacy and security director general-level committee that meets monthly.

Access to Information and Privacy Directorate

The Access to Information and Privacy (ATIP) Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the ATIP Directorate:

responds to requests and questions under the Access to Information Act and the Privacy Act
responds to consultations, complaints, and informal disclosure requests
offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
reviews and, if applicable, publishes information to be proactively disclosed, including briefing note titles and committee material
gives ATIP training and awareness sessions
coordinates the privacy assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid or reduce risks
responds to and manages privacy breaches, enquiries, and complaints
communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and investigations
fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on administering the Access to Information Act and the Privacy Act

The director general of the ATIP Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. As well, the director general:

manages and coordinates the ATIP program
leads strategic planning and development initiatives, and
supports the assistant commissioner of the Public Affairs Branch and chief privacy officer of the CRA in the role of ATIP governance

The ATIP Directorate supports two main functions: processing and program support, which includes privacy management. Directorate employees are located in Ottawa, Montréal, and Vancouver. In the 2021–2022 fiscal year, an equivalent of 194 full time employees administered the Access to Information Act and the Privacy Act.

The following chart shows the structure of the ATIP Directorate.

Image description

First row Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer

Second row Director General of the Access to Information and Privacy Directorate

The three areas of responsibility of the Director General of the Access to Information and Privacy Directorate are listed in the three circles below. They are:

First the Privacy and Access Policy Division, Second the Access, Operations, and Analysis Division, and third, the Access to Information and Privacy Way Forward Initiative

The four areas of responsibility of the Director of the Privacy and Access Policy Division are listed in the four boxes to the right. They are: the Access to Information Policy and Governance Section, the Privacy Risk and Incident Management Section, the Program Support Section and the Privacy Policy and Governance Section.

The six areas of responsibility of the Director of the Access, Operations, and Analysis Division are listed in the six boxes at the bottom. They are: the Corporate and Complex Case Section, the Vancouver Regional Operations Section, the Montréal Regional Operations Section, the Complaints and Intake Section, the Strategic Compliance Section, and the Legislative & Headquarters Operations Case Section.

The two areas of responsibility of the Director, ATIP Way Forward Modernization Initiative are listed in the two boxes to the far right column. They are: the Business Transformation and Analytics Section, and the Innovation and System Support Section

Delegating responsibilities under the Privacy Act

As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations, and related Treasury Board of Canada Secretariat policies. Subsection 73(1) of the Privacy Act gives the minister the authority to designate one or more CRA officials to perform all or part of the minister’s powers, duties, and functions under the Act.

The Honourable Diane Lebouthillier, Minister of National Revenue, signed the CRA’s current delegation order for the Privacy Act on May 15, 2020. The order identifies specific provisions of the Privacy Act and its regulations that the Minister delegated to various positions within the CRA.

The ATIP Directorate’s director general, directors, assistant directors, and managers of the units approve responses to requests under the Privacy Act. Delegations are also extended to the commissioner, the deputy commissioner and the assistant commissioner of the Public Affairs Branch and chief privacy officer.

For the delegation order and schedule, see Appendix C – Delegation order.

Operational environment including the impact of the COVID-19 pandemic

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Public Service of Canada. In addition, the CRA collects and manages the personal information of its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information, and the CRA takes the protection of that information very seriously.

During the COVID-19 pandemic, the CRA noticed that unauthorized third parties tried to access Canadians’ personal information using sophisticated technologies to take advantage of emergency relief measures. This created a significant workload for privacy management. ATIP Directorate employees had to work very closely with other CRA areas, oversight bodies, and other federal institutions to apply and enhance privacy and confidentiality safeguards while upholding the principles of open and transparent government.

Other impacts of the pandemic included demonstrations that blocked employees from working onsite to open and send mail for five weeks. The CRA’s innovative efforts at the beginning of the pandemic to put solutions in place to send requests electronically lessened this impact. Instead, it leveraged Canada Post’s Connect service. For more information about the impact of COVID-19 on operations, see Appendix B.

The ATIP Directorate processes among the largest volume of requests and pages of any federal institution. According to the latest statistics from the Treasury Board of Canada Secretariat, in 2020–2021 the CRA processed the second largest volume of pages of any federal institution to respond to Privacy Act requests and closed the fourth largest number of requests.

The number of requests the CRA received under the Privacy Act in 2021–2022 (8,763) was 113% higher than in 2020–2021 (4,120). The number of requests completed (8,558) was also 113% higher than in 2020-2021 (4,023). Beyond large page and request volumes, the CRA continues to respond to very complex requests, including many COVID-19-related requests. Complaints and consultations also represent a significant workload for the ATIP Directorate.

The following table shows the trend of requests received under the Privacy Act over the past five years.

Image description

Privacy Act requests trend

In 2017–2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed

In 2018–2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed

In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed

In 2020–2021, 4,120 requests were received, 4,023 were completed, 653,853 pages were processed

In 2021–2022, 8,763 requests were received, 8,558 were completed, 951,414 pages were processed

ATIP Way Forward Modernization Initiative

The ATIP Way Forward Initiative is a project designed to modernize processes and technology to improve productivity and efficiency in the ATIP Directorate. The goal of the initiative is to standardize and re engineer business processes that support the directorate and make it more efficient. It did this by developing a project management office and governance structure, and by staffing a Lean Centre of Expertise and a Business Intelligence and Reporting Centre.

In 2021–2022, key changes made to enhance productivity and efficiency in the ATIP Directorate included implementing the following initiatives:

Backlog elimination plan

The ATIP Directorate has been working diligently to eliminate its backlog inventory while balancing the requirement to respond on time to a steadily increasing workload of requests received under the Access to Information Act and the Privacy Act, as well as other related inventory such as consultation files and complaints. In the fall of 2021, the ATIP Directorate put a backlog elimination plan in place to address the backlog. The first phase involves closing by September 30, 2022, all requests that the CRA received before March 31, 2019 (186 requests). At the end of the reporting period, 43 requests remained. Phase 2 will focus on closing requests received between April 2019 and March 2020. Responding to requesters in a timely manner and eliminating the backlog remains an ongoing focus of our work.

Level 1 request initiative

The ATIP Directorate routinely receives requests for tax information that does not require redactions (level 1 files). Although each of these requests are not labour intensive, together they represent a significant volume for the ATIP Directorate. Using Lean methodology and working with local tax service offices, the ATIP Directorate was able to significantly reduce the workload associated with these types of files.

During the reporting period, the ATIP Directorate reduced the average processing time for these requests from 26 days to 11 days. It did this by removing 10 of the 16 steps from the process. This represents a savings of over 1,800 working hours annually.

The ATIP Directorate also communicated with specific frequent requesters and directed them to other more efficient channels, such as My Account and Represent a Client, to get their information.

Audio redaction software

In the past, the CRA had to transcribe any audio recordings before redacting and releasing the transcript. The new audio redaction software implemented during the reporting period, allows the CRA to redact the information and release it in the original format.

PDF conversion tool

Rather than manually converting records into a PDF so it can process them, the ATIP Directorate created a program to help offices of primary interest prepare the documents for processing by automatically converting the records to PDF. The ATIP Directorate continues to look into enhancements to this software.

Upgraded server supporting the ATIP tracking system

The ATIP Directorate upgraded from one server in each of its three offices to one centralized server. This server is more stable, is easier to upgrade, and has more available space than the individual servers.

Upgraded tracking system to manage privacy breaches

The ATIP Directorate created a new database to manage privacy breaches. The new system provides more stability and has better reporting capabilities.

Lean Centre of Expertise

The ATIP Directorate implemented a centre of expertise that teaches and promotes Lean principles within the directorate. All employees have obtained their Lean white belt certifications, and the directorate sends out videos regularly to reinforce Lean concepts. It also conducts Lean workshops to identify and plan how to implement improvements to its business processes.

Access to Information and Privacy Strategic Plan 2021-2024

The Access to Information and Privacy Strategic Plan 2021-2024 was implemented during the reporting period. The plan outlines the ATIP Directorate’s vision and purpose, strategic priorities, and initiatives. The plan supports service excellence and flows from the Public Affairs Branch’s and the CRA’s strategic plans. The plan focuses on two key priorities: transforming business and information technology and creating a culture of privacy and accountability. It outlines the initiatives planned over the next three years that will help develop plans, projects, and activities to move the ATIP Directorate forward, including working in a paperless environment.

Human resources

In 2021–2022, the ATIP Directorate launched eight selection processes ranging from SP-03¹ and SP-09 levels and created pools of qualified candidates.

The ATIP Directorate is committed to promoting the one-office model by recruiting the best qualified people regardless of where they are physically located across Canada. It also fully supports creating a respectful, inclusive, and diverse workplace.

Modernizing the Privacy Act

Led by the Department of Justice of Canada, the Privacy Act is in the process of being reviewed. The CRA is an active participant in the interdepartmental working group, which reconvened in early 2022. The group’s discussions focused on possible revisions to the Act, following the Department of Justice’s public consultations in early 2021, in which CRA stakeholder feedback was sought and provided.

In 2022–2023, the CRA will continue to work closely with the Treasury Board of Canada Secretariat, the Department of Justice, and other stakeholders on the Government of Canada’s commitment to modernize the Act.

Protection of Personal Information Vulnerability Review

In March 2021, the Audit, Evaluation, and Risk Branch completed a vulnerability review on the protection of personal information at the CRA. The objectives of the review were to identify key risks relating to the protection of personal information, assess those risks, identify mitigating controls and activities, test select controls in place, and issue recommendations to strengthen control gaps.

CRA management agreed with all the recommendations in the final report and committed to making the necessary amendments to address them.

The following summarizes the ATIP-related recommendations and the corresponding status of each:

Recommendation 3: The Public Affairs Branch should centralize the information needed to perform ATIP reviews and update procedures so that all employees conducting reviews have access to training products, legal opinions, and jurisprudence.

Status: The Access to Information Policy and Governance Section in the ATIP Directorate was established with a mandate to be the centre of expertise for the ATIP Directorate’s operations, including developing and delivering training. Also, the ATIP Directorate centralized its legal opinion repository and made it accessible to all directorate employees. This recommendation has been completed.

Recommendation 4: The Public Affairs Branch should establish a formal quality assurance process on ATIP files to ensure quality and consistency of the application of procedures.

Status: The Public Affairs Branch developed a quality assurance plan that it will pilot by June 2022 and fully implement by March 2023.

Recommendation 14: The Public Affairs Branch should update procedures to verify delivery information before mailing ATIP responses and regularly communicate these updates to employees.

Status: The ATIP Directorate mitigated this risk by digitizing the mail out process. For electronic delivery, the ATIP Directorate is continually monitoring risks when sending documents electronically to requesters. It will update the procedures in August 2022, at which point the recommendation will be fully implemented.

Training

The ATIP Directorate is committed to promoting and providing ATIP training to CRA employees. This training varies depending on the needs of the employees. For instance, employees who have little or no knowledge of the subject are encouraged to take the Canada School of Public Service’s Fundamentals of Access to Information and Privacy course or the Access to Information in the Government of Canada course. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests. Privacy management training is also delivered throughout the year.

The CRA’s Legal Services Branch also provides training related to the Access to Information Act and the Privacy Act.

In 2021–2022, the CRA continued to offer its suite of 10 web based modules, which consist of specialized technical training, to ATIP Directorate ATIP employees.

In October 2021, as part of the ATIP Way Forward Initiative, directorate employees took part in mandatory Lean White Belt training. Employees who could not attend the training and new hires will participate in the training in 2022–2023.

During the reporting period, directorate employees also participated in privacy training offered by the International Association of Privacy Professionals. This training builds on similar training the employees took during the last reporting period. In previous reporting periods, several directorate employees took part in the association’s training to prepare participants to become certified by the International Association of Privacy Professionals as information privacy professionals (CIPP/C) and as privacy managers (CIPM).

In 2020–2021, the CRA established an agency-wide privacy and access to information training and awareness strategy. During the reporting period, activities took place toward implementing that strategy. These activities included agency-wide surveys and interviews to identify needs and gaps in existing privacy and access to information learning, and to shape new approaches to address them

During the reporting period, the ATIP Directorate delivered technical training as well as information and awareness sessions to:

ATIP Directorate employees:
- Two-week training was delivered to seven new ATIP analysts
- Half-day training on an Introduction to the Privacy Act and the Access to Information Act was delivered to the Intake Team
other CRA employees:
- 16 ATIP information sessions were delivered to 3,025 participants
- Information gathering and gap analysis on the state of ATIP training were conducted agency-wide
offices of primary interest and outreach programs:
- Four teleconferences were delivered to 318 participants

In 2022–2023, the CRA will continue to implement the agency-wide privacy and access to information training and awareness strategy, including expanding training and awareness by offering monthly information sessions to all CRA employees.

Raising awareness

In 2021–2022, beyond the work the CRA completed to enhance its privacy management program, the ATIP Directorate worked on many projects to make employees more aware of their privacy‑related roles and responsibilities.

Every January 28, the CRA celebrates Data Privacy Day, an international initiative, which promotes awareness of the effects of technology on privacy rights and the importance of valuing and protecting personal information.

In January 2022, the CRA held its inaugural Data Privacy Week by extending the annual Data Privacy Day. The agency held a CRA-wide virtual event with guest speaker Nora Young, host of the CBC’s “The Spark.” She talked about data privacy in our current technological landscape, as well as emerging trends, in a presentation titled “From Big Data to Your Data: How Data-Driven Technologies are Shaping the Future.” Over 3,000 employees from across the agency participated in this event.

Also during the reporting period, the ATIP Directorate created and published a new central hub for privacy resources under a redeveloped Chief Privacy Officer page on the CRA’s intranet site. It also drafted a new fact sheet on Privacy by Design and will publish the fact sheet in 2022–2023. Privacy by Design is a cornerstone of the CRA’s Privacy Management Framework.

As well, the ATIP Directorate obtained a short bilingual video about “Access to information and privacy” from the Canadian School of Public Service and featured it in the CRA’s intranet Agency News. It also added the awareness video to the ATIP landing page.

Throughout the year, the ATIP Directorate continued to promote awareness of the role that privacy plays in supporting sound privacy management. It participated in various committees and working groups, provided advice to program areas, and regularly communicated with employees in the offices of primary interest across the CRA, and collaborated with the Office of the Privacy Commissioner of Canada to organize information sessions for CRA employees on privacy impact assessments.

Collaborating with oversight bodies and other organizations

The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat, and other organizations to strengthen privacy at the CRA. Notably beyond many collaborations referenced earlier in this report, in 2021–2022, the CRA:

communicated frequently with the Office of the Privacy Commissioner of Canada on various subjects, including privacy breaches, privacy investigations, and new or amended initiatives that involve the use of personal information including the COVID-19 benefit programs the CRA helped administer
worked closely with the Treasury Board of Canada Secretariat on various items, including privacy breaches, privacy assessments, corporate policy instruments, ATIP request-processing software solutions, and COVID-19 benefit programs
collaborated with the ATIP community by co-chairing the ATIP Coordinators Working Group. Through this group, departments that receive a large volume of requests share best practices
co-chaired the ATIP Interdepartmental Modernization Committee. This group identifies and pilots modernization initiatives that impact the entire ATIP community and that other departments can use to improve their processes and modernization solutions
hosted an innovations meeting with the ATIP team from the Royal Canadian Mounted Police. The primary goal of this meeting was to share best practices since each department is working on their own modernization initiatives
continued to work with other departments on an ad hoc basis to share strategies and solutions with the aim of maximizing each department’s ability to process ATIP requests and promote privacy and transparency

Privacy Management Program

Enhancing the Privacy Management Program, including policies, guidelines and procedures

The privacy landscape continues to evolve dramatically with ever-expanding digital technologies and automated decision-making.

In 2021–2022, in consultation with the Agency Privacy Council, the Personal Information Incident Working Group, and other agency officials, the CRA implemented an enhanced privacy program that uses Privacy by Design principles, including the completion of the following deliverable from the corporate business plan:

start reporting on privacy key performance indicators using the 12 metrics derived from best practices and mapped to the CRA’s Privacy Management Framework. These metrics are intended to provide an overview of how the CRA is managing privacy
complete new procedures for investigative bodies
implement an agency-wide privacy training and awareness strategy

As well, the CRA Privacy Management Framework, published in 2019–2020, continues to undergo an annual review. The Privacy Management Framework is available at canada.ca/content /dam/cra-arc/migration/cra-arc/scrty/pmf-eng.pdf.

Managing privacy breaches

One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the integrity and protection of taxpayers’ information very seriously and has strong controls in place to prevent privacy breaches. Despite the effectiveness of those controls, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.

The CRA conducts routine scans to identify at risk credentials (CRA user IDs and passwords) that may be available on the dark web for use by unauthorized individuals. In a number of instances, we found that unauthorized third parties and sources external to the CRA may have obtained the credentials of taxpayers. To detect, protect, and prevent potential instances of fraud and identity theft, the CRA routinely monitors taxpayer accounts for suspicious activity.

When a privacy breach occurs, the ATIP Directorate works closely with CRA program areas to contain and manage the breach and assess the impacts to affected individuals.

When warranted, the CRA notifies and offers credit protection services to help individuals affected by a breach.

This year, the CRA’s Security and Internal Affairs Directorate informed the ATIP Directorate of 55 incidents of alleged or confirmed improper access or disclosure of personal information by CRA employees. Founded misconduct is dealt with promptly and appropriately. And if it suspects criminal activity, the CRA refers the matter to the proper authorities. All CRA employees receive mandatory and ongoing security training that highlights the importance of protecting taxpayer information.

Also, the ATIP Directorate received 33 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada. For more information, see Part 9 – Complaints and investigation notices received.

In 2021–2022, most privacy breaches at the CRA resulted from misdirected mail, that is, mail that was incorrectly addressed or sent to the wrong person. However, misdirected mail incidents occurs in only 0.003% of the 110 million pieces of mail the CRA handles each year.

The CRA follows Treasury Board of Canada Secretariat guidelines to determine which privacy breaches meet the threshold for notifying the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2021–2022, the CRA reported seven significant privacy breaches to these organizations. Of those seven:

five involved unauthorized access or disclosure of taxpayer information by CRA employees
one involved the loss of an unencrypted portable storage device containing taxpayer information, and
one involved unauthorized access to taxpayer information by unauthorized third parties

The CRA continually strives to monitor and improve its internal processes and systems to further protect taxpayer information. This includes ongoing monitoring of employee access to taxpayer information, limiting employees’ access permissions to only the information they need to do their job, and regularly reviewing employee access to CRA systems.

Updating Information about Programs and Information Holdings (formerly Info Source)

Information about Programs and Information Holdings provides information about the functions, programs, activities, and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. This resource also offers guidance to individuals on how they can access the information that government institutions so they can exercise their rights under these acts.

Each institution subject to the Access to Information Act and the Privacy Act must update its chapter annually by the due date set by the Treasury Board of Canada Secretariat, normally in June.

The CRA's Info Source chapter can be found at canada.ca/en/revenue-agency/corporate/about-canada-revenue-agency-cra/access-information-privacy-canada-revenue-agency/information-programs-information-holdings-sources-federal-government-employee-information.

Monitoring compliance

The ATIP Directorate produces multiple reports that capture key statistics about the CRA’s inventory of ATIP requests. The reports show active and closed requests, the status of requests by branch and region, the carry-forward inventory, complaints, and deemed refusal volumes.

Management regularly uses the reports to monitor trends, measure the directorate’s performance, and identify any process changes needed to improve performance. Management presents the reports monthly to senior management at the commissioner chaired Corporate Management Committee.

During the reporting period, the ATIP Directorate:

improved its ability to query the ATIP database by using Power Business Intelligence software
developed automated reports directly linked to source data, which significantly reduced manual intervention and potential errors, and
created new dynamic and interactive dashboards to provide stakeholders direct and real time access to data and statistics

Privacy assessments

At the start of any new initiative, the CRA consults with the Office of the Privacy Commissioner of Canada and submits privacy assessments to the office and the Treasury Board of Canada Secretariat so it can identify and mitigate any potential privacy implications.

Privacy impact assessment

In line with the Directive on Privacy Impact Assessment, the CRA conducts privacy impact assessments when new programs or services raise privacy issues. It also does this when changes to programs or services affect the way it collects, uses, or discloses personal information.

Privacy compliance evaluation

During the COVID-19 pandemic, the CRA used a privacy compliance evaluation in place of a full privacy impact assessment for urgent COVID-19-related initiatives that did not continue beyond March 31, 2021.

Privacy protocol assessment

A privacy protocol assessment is a privacy assessment process designed to assess initiatives that have a non-administrative purpose (for example, research, audit, evaluation, and statistical purposes). This assessment makes sure those initiatives comply with the CRA's privacy practices.

Summaries of completed privacy assessments

The CRA completed 14 privacy assessments during the 2021–2022 reporting period: 12 privacy impact assessments, 1 privacy compliance evaluation, and 1 privacy protocol assessment.

As well, the CRA reviewed a significant number of initiatives to assess potential privacy impacts. This review looked at documents such as privacy assessment determination questionnaires, treasury board submissions, threat and risk assessments, local application solutions, and written collaborative arrangements.

The CRA publishes summaries of completed privacy assessments at canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.

The following is an overview of the privacy assessments the CRA completed in 2021–2022.

Anonymous Internal Fraud and Misuse Reporting Line Privacy Impact Assessment

This initiative provides individuals with a communication channel to report suspected internal fraud and misuse through the CRA Anonymous Internal Fraud and Misuse Reporting Line, which is administered by an independent third-party contractor.

The privacy impact assessment has been updated to include the ClearView Connects™ contract extension.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/anonymous-internal-misuse-reporting.

Business Refund Set-off Program v2.0

The Business Refund Set-off Program allows the CRA to set-off corporation income tax refunds, GST/HST refunds, and specialty business return refunds in accordance with the legislation the CRA administers. The CRA can set-off these refunds to other federal agencies and departments, Crown corporations, and provincial and territorial departments that participate in the program.

The CRA updated this privacy impact assessment to include excise duty refunds on cannabis products and fuel charge refunds.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-refund-program-privacy-impact-assessment-summary-business-returns-directorate-assessment-benefit-service-branch.

Canada Emergency Student Benefit

Employment and Social Development Canada established the Canada Emergency Student Benefit to support post secondary students, recent graduates, and recent high school graduates whose income was affected by the COVID-19 pandemic. The CRA is administering this benefit on behalf of Employment and Social Development Canada and is using existing taxpayer information to verify eligibility, compliance, and enforcement.

This privacy impact assessment covers only the administration of the Canada Emergency Student Benefit.

Canada recovery benefits

Recovery benefits comprise the Canada Recovery Benefit, Canada Recovery Sickness Benefit, and Canada Recovery Caregiving Benefit. The Government created these benefits to support workers whose income was affected by the COVID-19 pandemic. The CRA administers these benefits on behalf of Employment and Social Development Canada and uses existing taxpayer information to verify eligibility, compliance, and enforcement.

This privacy impact assessment covers only the administration of the recovery benefits.

Corporation Returns and Payment Processing Program v3.0

The Corporation Returns and Payment Processing Program is responsible for:

assessing T2 corporation income tax returns for resident and non-resident corporations
processing special elections and returns
processing payments associated with those returns
administering provincial taxes and credits harmonized with the federal T2 return for all provinces except Quebec and Alberta, and
administering information specific to treaty agreements with foreign governments so that corporations are not double-taxed

The CRA revised this privacy impact assessment to reflect the updated agreement between Employment and Social Development Canada and the CRA to collect T2 information. The amendment allows the CRA to share protected taxpayer information.

COVID-19 one-time disability payment

Issued on October 30, 2020, this payment to persons with disabilities was a non taxable, non reportable, one-time payment of up to $600. In 2020 and 2021, newly identified eligible individuals and individuals with updated contact information received the payment.

Employment and Social Development Canada administered this payment as a COVID-19 relief benefit using eligibility information from multiple government sources, including the CRA and Veterans Affairs Canada. Since this one-time benefit involved many potentially overlapping programs, the social insurance number was the most efficient and reliable form of identification to avoid duplicate payments. The CRA supported this one-time payment by identifying individuals who had a valid 2020 disability tax credit and disclosed that information to Employment and Social Development Canada.

As well, Veterans Affairs Canada gave the CRA a list of beneficiaries from its disability support programs who met the eligibility criteria for the one-time payment. The CRA performed matching methodology on these individuals to identify their social insurance number and added the number to the Veterans Affairs file. The CRA then forwarded the file to Employment and Social Development Canada to administer the payments.

This privacy compliance evaluation covered the CRA’s role in supporting this one-time payment, including the CRA’s collection of personal information from Veterans Affairs Canada and its disclosure to Employment and Social Development Canada.

For the complete privacy compliance evaluation summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/covid-19-one-time-disability-payment-provacy-compliance-evaluation-summary.

Contract for the COVID-19 benefits contact centre

The purpose of this contract was to provide short-term contact centre services to respond to a surge in general telephone enquiries about CRA-administered COVID-19 relief benefit programs.

Since the onset of the COVID-19 pandemic, the CRA administered the new benefit programs the Government introduced. These programs resulted in a significant surge in the volume of calls the CRA contact centre call received with no sign that this demand would subside.

Initially, to assist Canadians in their time of need, the CRA created a separate telephone line at the contact centre for general enquiries related to the suite of COVID-19 relief benefits. Thousands of CRA employees volunteered to staff this line so they could help deliver these benefits. However, as the CRA resumed business, the staffing levels on this line reached a critical level.

The CRA needed another solution to continue serving Canadians effectively and efficiently. Also, the CRA staffed thousands of frontline agents in an effort to support more complex and account-specific enquiries, but it needed more support for low complexity general enquiries. To maintain priority for the COVID-19 benefit phone enquiries, the CRA sought temporary assistance from a third-party service provider.

The Assessment, Benefit, and Service Branch engaged in a short-term contract for contact centre services to address these general and non-protected phone enquiries. The contractor was neither connected to nor had access to any internal CRA IT systems. Callers with complex and account specific enquiries were advised to call CRA contact centres where agents with the right experience and access would help them. The period of this short-term contract was from February 1, 2021, to August 31, 2021.

For the complete privacy protocol assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/covid-19-benefits-contract-center-contract-privacy-protocol-assessment-summary.

EFILE online services

The EFILE Online Services Program is responsible for registering, screening, and monitoring EFILE applicants, as well as managing the credentials used to allow access to secure online program applications related to EFILE. All EFILE applicants are evaluated and monitored to make sure they adhere to high standards of conduct and integrity in order to safeguard the system and maintain a high level of public confidence in electronic filing.

This CRA completed this privacy impact assessment to identify and assess any risks to personal information the EFILE Online Services Program collects, as well as to establish an action plan to reduce the impact of the risks identified during the assessment.

Income Verification Services Program v3.0

The Income Verification Services Program helps federal, provincial, and territorial partners determine eligibility for income-tested programs, such as drug cost assistance, housing, and student loans and grants. The CRA provides taxpayer information to these programs with the consent of each applicant. The CRA sends proof of the applicant’s income electronically to the partner government organization, allowing for faster processing and reduced wait times for applicants.

The CRA completed an update to the privacy impact assessment in 2022 to include recent additions made to the different programs.

Individual Refund Set-Off program

Under the Individual Refund Set-Off Program, the CRA applies an individual’s tax refunds and certain credits against debts the individual owes to the Crown. Any federal, provincial or territorial department, agency, or Crown corporation may participate in this program, subject to the CRA’s legislative and policy requirements.

The CRA updated the program’s privacy impact assessment to include two federal departments that recently joined the program: Natural Resources Canada and Public Safety Canada.

Individual Returns Assessment Program

This program helps individuals voluntarily comply with Canada’s tax laws by processing their information and payments as quickly and accurately as possible, and by giving them the results of their assessment or reassessment.

The privacy impact assessment identifies and assesses the privacy risks to personal information from processing individual taxpayer income tax returns for the federal government and for most provinces and territories. The processing includes initial assessments, payments, validations, accounting, and adjustments, as well as determining eligibility for various refundable amounts.

As the CRA continually seeks to provide a better experience for its clients, it updated the privacy impact assessment in 2021 to include recent improvements made to the operations of the program.

Office of the Taxpayers' Ombudsperson Program v2.0

The Office of the Taxpayers' Ombudsperson Program conducts impartial examinations of unresolved service complaints from individual taxpayers and benefit recipients who feel that the CRA has treated them unfairly.

Under the program, taxpayers, benefit recipients or their representatives submit their service complaints to the Office of the Taxpayers' Ombudsperson by mail, fax, or that office’s online complaint form. In rare cases, the complaints may be hand delivered. Taxpayers, benefit recipients or their representatives may call the Office of the Taxpayers' Ombudsperson’s general enquiry line for information before submitting a complaint.

Taxpayers have to complete a Permission to Disclose form that enables the Office of the Taxpayers' Ombudsperson to share information with the CRA, and also permits the CRA to provide information to the Office of the Taxpayers' Ombudsperson.

Other requests are sent by encrypted email to a restricted mailbox at the Ombudsman Liaison Office in the Service, Innovation and Integration Branch. These requests include a Request for Information, Requests for Action, or Urgent Requests for Information within the Office of the Taxpayers' Ombudsperson’s mandate.

This privacy impact assessment identifies and assesses privacy risks to the collection of personal information relating to the Office of the Taxpayers’ Ombudsperson program activities. The CRA updated this assessment to notify the public about the office title change and the CRA’s plans to use epost Connect.

Part XIII Non-Resident Withholding Program

The Part XIII Non-Resident Withholding Program is responsible for ensuring compliance with:

the withholding, remitting, reporting, and filing obligations under Part XIII of the Income Tax Act
various elections, and
requests for refunds that are submitted by businesses, third parties, and individuals

The CRA updated the privacy impact assessment to reflect the CRA’s implementation of the Non Resident Source Deductions Identification Project. This project improves the functionality of registration and identification, and properly categorizes non-resident accounts to cross-reference them with their taxpayer entity.

Pooled Registered Pension Plans Program

Pooled registered pension plans are professionally administered, defined contribution style pension plans targeted to employees and self-employed persons who do not have access to a workplace pension plan. These plans may pool the funds in the accounts of participating plan members to achieve low costs in relation to investment management and plan administration. Contributions and investment earnings are tax exempt until the plan starts to pay the benefits.

Interpretation and explanation of Appendix A – Statistical report

Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2021, to March 31, 2022. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.

Notes

Some totals may be more than 100% due to rounding.

Part 1 – Requests under the Privacy Act

During the reporting period, the CRA received 8,763 new requests under the Privacy Act. This is an increase of 4,643 requests (113%) from last year’s total of 4,120 requests. Including the 964 requests carried forward from the 2020–2021 reporting period, the CRA had 9,727 active requests in its inventory.

The following table shows the number of requests the CRA received and closed under the Privacy Act, as well as the number of pages it processed over the past five fiscal years.

The following table shows the number of requests the CRA received and closed under the Privacy Act, as well as the number of pages it processed over the past five fiscal years
Fiscal year	Requests received	Requests closed	Pages processed
2017–2018	3,791	3,821	920,251
2018–2019	4,789	4,599	896,837
2019–2020	4,895	4,728	1,115,075
2020–2021	4,120	4,023	653,853
2021–2022	8,763	8,558	951,414

The following table shows the channels of the 8,763 requests received during the 2021–2022 reporting period.

The following table shows the channels of the 8,763 requests received during the 2021–2022 reporting period.
Channel	Number of requests	Percentage
Online	6,728	77%
E-mail	324	3.7%
Mail	874	10%
In person	0	0%
Phone	3	0.03%
Fax	834	9.5%

Other requests and workload

Beyond the 8,763 requests received under the Privacy Act, the CRA processed a high volume of other requests. The additional volume significantly affected operations, since resources had to be diverted to manage the workload. The additional requests included external and internal consultations, general enquiries and complaints. During the fiscal year, the Intake Team of the Access to Information and Privacy Directorate responded to 3,300 emails and 1,367 phone enquiries were received through the general enquiries mailbox and toll free phone line.

Part 2 – Informal requests

The CRA did not receive nor close any informal requests under the Privacy Act in 2021–2022.

Part 3 – Requests closed during the reporting period

Disposition and completion time

The CRA continues to complete a large number of privacy requests. The disposition of the 8,558 requests closed is as follows:

5,159 were fully disclosed (60%)
1,841 were disclosed in part (22%)
1 was exempted in its entirety (0.001%)
81 resulted in no existing records (1%)
1,476 were abandoned by requesters (17%)

4,535 (113%) more requests were closed
in 2021–2022 than
in 2020–2021.

The following chart shows the completion times for the 8,558 requests closed in 2021–2022.

Image description

Completion time

6,911 (86%) in 30 days or under

1,145 (13%) from 31 to 60 days

244 (3%) from 61 to 120 days

258 (3%) in 121 days or more

For more details, see table 3.1 of Appendix A.

Exemptions

The Privacy Act allows an institution to refuse access to specific information when necessary. For example, the CRA can refuse to give a requester information about another individual if that individual has not given consent. For detailed information on each of the exemptions that may be applied, see section 18 of the Privacy Act.

In 2021–2022, the CRA applied the following exemptions, in full or in part, to the 8,558 requests closed during the reporting period:

section 19 – Personal information obtained in confidence (23 times)
section 22 – Law enforcement and investigation (272 times)
section 25 – Safety of individuals (1 time)
section 26 – Information about another individual (871 times)
section 27 – Solicitor client privilege (96 times)

Exclusions

The Privacy Act does not apply to information that is publicly available, such as information in government publications, libraries, and museums. Also, the act does not apply to Cabinet confidences. In 2021–2022, the CRA did not apply any exclusions for information that was publicly available or a Cabinet confidence.

Format of information released

Requesters can choose to receive their response package on paper or electronically. Persons with disabilities may ask for information in alternative formats, such as braille, although the CRA did not receive any of these requests this fiscal year. Providing documents electronically is more efficient because it significantly reduces manual processes, and it is environmentally friendly and secure. Notably there was a 21% increase in the volume of requests sent electronically in 2021–2022 compared to 2020–2021.

In 2021–2022, of the 7,000 requests for which information was disclosed in full or in part, 6,589 requests (94%) were released in electronic format.

Complexity

The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests. For example, to respond to the 8,399 requests it closed during the fiscal year (excluding requests where no records exist), the CRA processed 951,414 pages. Of these requests, 1,091 involved processing more than 100 pages, 164 involved processing more than 1,000 pages, and 19 involved processing more than 5,000 pages.

Of note, 6 requests involved processing more than 10,000 pages, and 1 of these requests involved processing more than 50,000 pages.

In addition to paper records, the CRA also processes requests for audio and video records. There were no requests for these formats in 2021–2022 under the Privacy Act. Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see tables 3.5.2 to 3.5.7 of Appendix A.

In 2021–2022, the ATIP Directorate processed an average of 112 pages per request.

Closed requests

The ATIP Directorate closed 7,932 (93%) requests within the timelines required by law. This means that it provided responses within 30 calendar days or within an extended deadline. This is the highest compliance rate for the CRA since 2018–2019.

Deemed refusals

A deemed refusal is a request closed after the deadline of 30 calendar days, or after the extended deadline if a time extension was taken.

Of the 8,558 requests closed during the reporting period, 626 were closed after the deadline. This resulted in a deemed refusal rate of 7%.

Requests for translation

Records are normally released in the language they exist in. However, the institution may translate records to an official language if requested, or if the institution considers a translation to be necessary so the individual can understand the information.

The CRA received two requests for translation in 2021–2022. The CRA fulfilled both requests.

Part 4 – Disclosures under subsections 8(2) and 8(5)

Subsection 8(2) of the Privacy Act states that subject to confidentiality provisions in other acts of Parliament, an institution may disclose personal information without consent for limited and specific circumstances. This is the case, for example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under subsection 8(2), the institution must notify the Privacy Commissioner of Canada.

During the reporting period, the CRA had one disclosure of personal information under paragraph 8(2)(e) of the Privacy Act. Paragraph 8(2)(e) permits disclosure without consent of the individual for which it pertains, to an investigative body specified in the Privacy Act regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed.

Part 5 – Requests for correction of personal information and notations

Under the Privacy Act, an individual who believes their personal information contains an error or omission can ask for it to be corrected. When a request for correction has been refused, a notation must be attached to the information reflecting that a correction was requested and refused.

The CRA received one request to correct personal information in 2021–2022. This request did not meet the criteria for a records correction; therefore, the CRA attached a notation to the information and notified the requester.

Part 6 – Extensions

The Privacy Act sets the required timelines for responding to requests for personal information. The Act allows time extensions under these circumstances:

meeting the original time limit would unreasonably interfere with operations
there is a need to consult (for example, with a government institution or another third party), and
there is a need to translate or convert records into another format

Of the 8,558 requests closed in 2021–2022, the CRA applied extensions to 1,101 (13%) of them. It applied those extensions 99% of the time because of the workload and because meeting the original 30 day time limit would have resulted in unreasonable interference with CRA operations. The CRA applied the remaining extensions because of the need for internal and external consultations, translation, and converting records into other formats.

Of the 1,101 extensions, 7 were for 1 to 15 days in length and 1,094 were for 16 to 30 days in length.

Part 7 – Consultations received from other institutions and organizations

In 2021–2022, the ATIP Directorate received and closed five external consultation requests from other Government of Canada institutions and organizations. To respond to these requests, it reviewed 836 pages.

Internal consultations

In 2021–2022, 160 internal privacy consultation requests were completed, a 20% increase from the previous reporting period. To respond to these requests, the directorate reviewed a total of 2,288 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.

The following chart shows the trend for internal privacy consultation requests received over the past five years.

Image description

Internal Privacy Consultation Trends

In 2017–2018, 327 internal privacy consultation requests were received, 11,033 pages were processed.

In 2018–2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.

In 2019–2020, 288 internal privacy consultation requests were received,10,318 pages were processed.

In 2020–2021, 105 internal privacy consultation requests were received, 5,824 pages were processed.

In 2021–2022, 180 internal privacy consultation requests were received, 2,288 pages were processed.

Part 8 – Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), Treasury Board of Canada Secretariat policies require agencies and departments to consult with their legal services office to determine if they should exclude requested information. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

In 2021–2022, the CRA did not have to consult with Legal Services of the Privy Council Office for Cabinet confidences.

Part 9 – Complaints and investigation notices received

In 2021–2022, the CRA received 13 complaints under the Privacy Act related to privacy requests. The complaints it received related to the following issues:

time delay (2)
non disclosure (4)
refusal due to exemption (7)

In addition, the CRA received 24 early-resolution complaints:

1 of those was escalated to a formal complaint
11 were closed because the Office of Privacy Commissioner of Canada determined in the early-resolution process that there was no need to complete a formal investigation, and
12 were carried over to the next fiscal year

During the fiscal year, the CRA closed 22 complaints. This represents a 10% increase in the number of complaints it closed during the previous fiscal year. In addition, the CRA completed 12 early resolution complaints.

The following chart shows the disposition of the 22 complaints closed during the fiscal year.

Image description

The following chart shows the disposition of the 20 complaints closed during the fiscal year.

Complaint dispositions

12 (55%) Not well-founded

1 (4%) Resolved

9 (41%) Well-founded

For definitions of the disposition categories, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf.

The ATIP Directorate received 33 privacy related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada during the reporting period. These complaints were not related to Privacy Act requests. The directorate closed 32 complaints and allegations during the reporting period. These included outstanding complaints and allegations from previous reporting periods.

In 2021–2022, there were no complaints pursued to the Federal Court.

Part 10 – Privacy impact assessments and personal information banks

During the reporting period, the CRA sent 12 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is described in the “Privacy assessments” section of this report.

A personal information bank must be created in the Information about Programs and Information Holdings (formerly InfoSource) for any collection or grouping of personal information under the control of a government institution that:

has been used
is being used, or
is available for a program or activity of an institution to use for an administrative purpose

The personal information bank must include how the information is organized and retrieved (for example, by a person's name, or by an identifying number or symbol). Personal information banks are legislated by section 10 of the Privacy Act. During the fiscal period, there were 96 active personal information banks. In the same period, three were created and nine were modified.

Part 11 – Privacy breaches

The CRA follows the Treasury Board of Canada Secretariat guidelines to determine which privacy breaches meet the threshold for notifying the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2021–2022, the CRA reported seven material privacy breaches to the office and the secretariat.

Part 12 – Resources related to the Privacy Act

Costs

During the 2021–2022 fiscal year, the ATIP Directorate’s direct cost to administer the Privacy Act was $15,311,390. This includes $78,773.06 in credit protection services provided to individuals affected by privacy breaches. However, it does not include significant support and resources from CRA branches and regions. For more details, see Table 12.1 of Appendix A.

Human resources

In 2021–2022, the CRA dedicated an equivalent of 158 full time employees, in addition to 2 consultants and agency personnel and 6 students, to administering the Privacy Act. Many of these employees simultaneously administer the Access to Information Act.

Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

The following is a brief overview of the tables included in Appendix B:

Table 1: The CRA was able to receive requests by mail for 47 of the 52 weeks in 2021–2022. The CRA however had full capacity throughout the reporting period to process electronic records.
Table 2.1 and 2.2: The CRA was able to process unclassified, Protected B, Secret, and Top -Secret paper records for 47 of the 52 weeks in 2021. The CRA however had full capacity throughout the reporting period to process electronic records.

Note: The CRA was unable to receive requests by mail or process paper records for a five week period because of the truck convoy that occupied the Ottawa downtown area.

Table 3.1: At the end of the fiscal year, the CRA had 1,072 Access to Information Act requests outstanding: 610 of these were within legislated timelines, while 462 were beyond legislated timelines. The CRA received 269 of these requests before 2021–2022, and it will address many of these through the CRA backlog elimination plan.
Table 3.2: At the end of the fiscal year, the CRA had 222 open complaints with the Information Commissioner of Canada.
Table 4.1: At the end of the fiscal year, the CRA had 1,169 Privacy Act requests outstanding: 904 of these were within legislated timelines, while 265 were beyond legislated timelines. The CRA received 85 of these requests before
2021–2022, and it will address many of these through the CRA backlog elimination plan.
Table 4.2: At the end of the fiscal year, the CRA had 35 open complaints with the Privacy Commissioner of Canada.
Table 5: The CRA has reported that it received the authority for a new collection of the social insurance number in 2021–2022.

Conclusion

Despite the growing demands on the ATIP program and the ever-challenging privacy landscape, the CRA continued to make significant progress in addressing any challenges in protecting personal information and in processing Privacy Act requests. The CRA did this by:

processing ATIP requests using Lean methodology
addressing the backlog through the backlog elimination plan
developing a Quality Assurance Review Plan
promoting Privacy by Design across the CRA
reporting on the state of privacy with new key performance indicators
drafting governance material in preparation to merge the Agency Privacy Council and the AC Security Steering Committee to form the Agency Security and Privacy Executive Council
implementing the Privacy and Access to Information Training and Awareness Strategy
implementing the Access to Information and Privacy Strategic Plan 2021-2024

In 2022–2023, the ATIP Directorate will focus on the priorities in its strategic plan, including leading the directorate’s business transformation and technology modernization and continuing to create a culture of privacy, transparency and accountability.

The directorate will also continue to implement the backlog elimination plan with a focus on completing Phase 1 by March 31, 2023, and starting Phase 2, which has a planned completion date of March 31, 2024. Another priority during the fiscal year will be to continue to develop and implement innovative solutions to address requests for taxpayer information that can be provided by more efficient channels, such as My Account, My Business Account, or Represent a Client than the Access to Information Act or the Privacy Act.

Appendix A – Statistical report

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2021, to March 31, 2022

Part 1 – Requests under the Privacy Act

1. 1 Number of requests

Part 1 - Requests under the Privacy Act - 1.1 Number of requests
		Number of requests
Received during reporting period		8,763
Outstanding from previous reporting periods		964
Outstanding from previous reporting period	700
Outstanding from more than one reporting period	264
Total		9,727
Closed during reporting period		8,558
Carried over to next reporting period		1,169
Carried over within legislated timeline	904
Carried over beyond legislated timeline	265

1.2 Channels of requests

Part 1 – Requests under the Privacy Act, 1.2 Channels of requests
Channel	Number of requests
Online	6,728
E-mail	324
Mail	874
In Person	0
Phone	3
Fax	834
Total	8,763

Part 2 – Informal requests

2.1 Number of informal requests

Part 2 – Informal requests - 2.1 Number of informal requests
		Number of requests
Received during reporting period		0
Outstanding from previous reporting periods		0
Outstanding from previous reporting period	0
Outstanding from more than one reporting period	0
Total		0
Closed during reporting period		0
Carried over to next reporting period		0

2.2 Channels of requests

Part 2 – Informal requests - 2.1 Number of informal requests
Channel	Number of requests
Online	0
E-mail	0
Mail	0
In Person	0
Phone	0
Fax	0
Total	0

2.3 Completion time of informal requests

Part 2 - Informal requests - 2.3 Completion time of informal requests
Completion Time (Days)
1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
0	0	0	0	0	0	0	0

2.4 Pages released informally

Part 2 - Informal requests - 2.4 ges released informally
Less than 100 pages processed		101 to 500 pages processed		501 to 1000 pages processed		1001 to 5000 pages processed		More than 5000 pages processed
Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed
0	0	0	0	0	0	0	0	0	0

Part 3 ‑ Requests closed during the reporting period

3.1 Disposition and completion time

Part 3 Requests closed during the reporting period - 3.1 Disposition and completion time
Disposition of requests	Completion Time (Days)
Disposition of requests	1 to 15	16 to 30	31 to 60	61 to 120	121 to 180	181 to 365	More than 365	Total
All disclosed	1,256	3,187	641	65	3	5	2	5,159
Disclosed in part	135	933	448	148	46	57	74	1,841
All exempted	0	0	1	0	0	0	0	1
All excluded	0	0	0	0	0	0	0	0
No records exist	13	51	13	1	0	3	0	81
Request abandoned	1,235	101	42	30	23	5	40	1,476
Neither confirmed nor denied	0	0	0	0	0	0	0	0
Total	2,639	4,272	1,145	244	72	70	116	8,558

3.2 Exemptions

Part 3 Requests closed during the reporting period - 3.2 Exemptions
Section	Number of requests	Section	Number of requests	Section	Number of requests
18(2)	0	22(1)(a)(i)	0	23(a)	0
19(1)(a)	9	22(1)(a)(ii)	9	23(b)	0
19(1)(b)	0	22(1)(a)(iii)	2	24(a)	0
19(1)(c)	12	22(1)(b)	261	24(b)	0
19(1)(d)	2	22(1)(c)	0	25	1
19(1)(e)	0	22(2)	0	26	871
19(1)(f)	0	22.1	0	27	96
20	0	22.2	0	27.1	0
21	0	22.3	0	28	0
-	-	22.4	0	-	-

3.3 Exclusions

Part 3 Requests closed during the reporting period - 3.2 Exemptions
Section	Number of requests	Section	Section
69(1)(a)	0	70(1)	70(1)(d)
69(1)(b)	0	70(1)(a)	70(1)(e)
69.1	0	70(1)(b)	70(1)(f)
-	-	70(1)(c)	70.1

3.4 Format of information released

Part 3 Requests closed during the reporting period - 3.4 Format of information released
Paper	Electronic				Other
Paper	E-record	Data Set	Video	Audio	Other
411	6,589	0	0	0	0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

Part 3 Requests closed during the reporting period - 3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of pages processed	Number of pages disclosed	Number of requests
951,414	759,893	8,477

3.5.2 Relevant pages processed and disclosed by request disposition for paper and e-record formats by size of requests

Part 3 Requests closed during the reporting period - 3.5.2 Relevant pages processed and disclosed by request disposition for paper and e-record formats by size of requests
Disposition of requests	Less than 100 pages processed		101 to 500 pages processed		501 to 1000 pages processed		1001 to 5000 pages processed		More than 5000 pages processed
Disposition of requests	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed
All disclosed	4,786	155,689	359	53,974	9	5,796	4	5,748	1	6,912
Disclosed in part	1,129	48,306	455	93,882	101	72,954	138	289,868	18	208,699
All exempted	1	14	0	0	0	0	0	0	0	0
All excluded	0	0	0	0	0	0	0	0	0	0
Request abandoned	1,470	123	1	403	2	1,636	3	7,410	0	0
Neither confirmed nor denied	0	0	0	0	0	0	0	0	0	0
Total	7,386	204,132	815	148,259	112	80,386	145	303,026	19	215,611

3.5.3 Relevant minutes processed and disclosed for audio formats

Part 3 Requests closed during the reporting period - 3.5 3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed	Number of minutes disclosed	Number of requests
0	0	0

3.5.4 Relevant minutes processed per request disposition for audio formats by size of request

Part 3 Requests closed during the reporting period - 3.5.4 Relevant minutes processed per request disposition for audio formats by size of request
Disposition of requests	Less than 60 minutes processed		60-120 minutes processed		More than 120 minutes processed
Disposition of requests	Number of requests	Minutes processed	Number of requests	Minutes processed	Number of requests	Minutes processed
All disclosed	0	0	0	0	0	0
Disclosed in part	0	0	0	0	0	0
All exempted	0	0	0	0	0	0
All excluded	0	0	0	0	0	0
Request abandoned	0	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0	0
Total	0	0	0	0	0	0

3.5.5 Relevant minutes processed and disclosed for video formats

Part 3 Requests closed during the reporting period - 3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed	Number of minutes disclosed	Number of requests
0	0	0

3.5.6 Relevant minutes processed per request disposition for video formats by size of request

Part 3 Requests closed during the reporting period - 3.5.6 Relevant minutes processed per request disposition for video formats by size of request
Disposition of requests	Less than 60 minutes processed		60-120 minutes processed		More than 120 minutes processed
Disposition of requests	Number of requests	Minutes processed	Number of requests	Minutes processed	Number of requests	Minutes processed
All disclosed	0	0	0	0	0	0
Disclosed in part	0	0	0	0	0	0
All exempted	0	0	0	0	0	0
All excluded	0	0	0	0	0	0
Request abandoned	0	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0	0
Total	0	0	0	0	0	0

3.5.7 Other complexities

Part 3 Requests closed during the reporting period - 3.5.7 Other complexities
Disposition of requests	Consultation required	Legal advice sought	Other	Total
All disclosed	0	0	13	13
Disclosed in part	20	2	13	35
All exempted	0	0	0	0
All excluded	0	0	0	0
Request abandoned	1	0	17	18
Neither confirmed nor denied	0	0	0	0
Total	21	2	43	66

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

Part 3 Requests closed during the reporting period - 3.6.1 Number of requests closed within legislated timelines
	Requests closed within legislated timelines
Number of requests closed within legislated timelines	7,932
Percentage of requests closed within legislated timelines (%)	92.69

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

Part 3 Requests closed during the reporting period - 3.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines	Principal reason
Number of requests closed past the legislated timelines	Interference with operations /workload	External consultation	Internal consultation	Other
626	549	2	3	72

3.7.2 Number of days past legislated timeline (including any extension taken)

Part 3 Requests closed during the reporting period - 3.7.2 Number of days past legislated timeline (including any extension taken)
Number of days past legislated timeline	Number of requests past legislated timeline where no extension was taken	Number of requests past legislated timeline where an extension was taken	Total
1 to 15	94	49	143
16 to 30	69	20	89
31 to 60	65	29	94
61 to 120	76	19	95
121 to 180	24	9	33
181 to 365	52	17	69
More than 365	48	55	103
Total	428	198	626

3.8 Requests for translation

Part 3 Requests closed during the reporting period - 3.8 Requests for translation
Translation requests	Accepted	Total
English to French	2	2
French to English	0	0
Total	2	2

Part 4 ‑ Disclosures under subsections 8(2) and 8(5)

Part 4 - Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e)	Paragraph 8(2)(m)	Subsection 8(5)	Total
1	0	0	1

Part 5 – Requests to correct personal information and notations

Part 5 – Requests to correct personal information and notations
Disposition for correction requests received	Number
Notations attached	1
Requests for correction accepted	0
Total	1

Part 6 ‑ Extensions

6.1 Reasons for extensions and disposition of requests

Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken	15(a)(i) Interference with operations
Number of requests where an extension was taken	Further review required to determine exemptions	Large volume of pages	Large volume of requests	Documents are difficult to obtain
1,101	7	43	1,030	16

Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests
15(a)(ii) Consultation			15(b) Translation purposes or conversion
Cabinet Confidences (Section 70)	External	Internal	15(b) Translation purposes or conversion
0	1	2	2

6.2 Length of extensions

Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests
Length of extensions (days)	15(a)(i) Interference with operations
Length of extensions (days)	Further review required to determine exemptions	Large volume of pages	Large volume of requests	Documents are difficult to obtain
1 to 15	0	0	7	0
16 to 30	7	43	1,023	16
31 days or greater	N/A	N/A	N/A	N/A
Total	7	43	1,030	16

Part 6 Extensions - 6.2 Length of extensions
Length of extensions (days)	15(a)(ii) Consultation			15(b) Translation purposes or conversion
Length of extensions (days)	Cabinet Confidences (Section 70)	External	Internal	15(b) Translation purposes or conversion
1 to 15	0	0	0	0
16 to 30	0	1	2	2
31 days or greater	N/A	N/A	N/A	0
Total	0	1	2	2

Part 7 – Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and organizations

Part 7 – Consultations received from other institutions and organizations, 7.1 Consultations received from other Government of Canada institutions and organizations
Consultations	Other Government of Canada institutions	Number of pages to review
Received during reporting period	5	836
Outstanding from the previous reporting period	0	0
Total	5	836
Closed during the reporting period	5	836
Carried over to next reporting period	0	0
Carried over beyond negotiated timelines	0	0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Part 7 - Consultations received from other institutions and organizations - 7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation	Number of days required to complete consultation requests
Recommendation	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
Disclose entirely	1	2	0	0	0	0	0	3
Disclose in part	0	1	0	0	0	0	0	1
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	1	0	0	0	0	0	0	1
Total	2	3	0	0	0	0	0	5

7.3 Recommendations and completion time for consultations received from other organizations

Part 7 - Consultations received from other institutions and organizations - 7.3 Recommendations and completion time for consultations received from other organizations
Recommendation	Number of days required to complete consultation requests
Recommendation	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
Disclose entirely	0	0	0	0	0	0	0	0
Disclose in part	0	0	0	0	0	0	0	0
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0

Part 8 – Completion time of consultations on Cabinet confidences

8.1 Requests with Legal Services

Part 8 – Completion time of consultations on Cabinet confidences 8.1 Requests with Legal Services
Number of days	Less than 100 pages processed		101 - 500 pages processed		501 - 1000 pages processed		1001 - 5000 pages processed		More than 5000 pages processed
Number of days	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

8.2 Requests with Privy Council Office

Part 8 – Completion time of consultations on Cabinet confidences 8.1 Requests with Legal Services
Number of days	Less than 100 pages processed		101 - 500 pages processed		501 - 1000 pages processed		1001 - 5000 pages processed		More than 5000 pages processed
Number of days	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

Part 9 ‑ Complaints and investigations notices received

Part 9 - Complaints and investigations notices received
Section 31	Section 33	Section 35	Court action	Total
13	0	22	0	35

Part 10 ‑ Privacy impact assessments and personal information banks

10.1 Privacy impact assessments

Part 10 - Privacy impact assessments and personal information banks - 10.1 Privacy impact assessments
Number of privacy impact assessments completed	12
Number of privacy impact assessments modified	8

10.2 Personal information banks

Part 10 - Privacy impact assessments and personal information banks - 10.2 Personal information banks
Personal Information Banks	Active	Created	Modified
Institution-specific	45	3	9
Central	51	0	0
Total	96	3	9

Part 11 – Privacy breaches

11.1 Material Privacy Breaches reported

Part 11 – Privacy breaches, 11.1 Material Privacy Breaches reported
Material privacy breaches	Amount
Number of material privacy breaches reported to the Treasury Board of Canada Secretariat	7
Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada	7

11.2 Non-Material Privacy Breaches

Part 11 – Privacy breaches, 11.2 Non-Material Privacy Breaches
Non-material privacy breaches	Amount
Number of non-material privacy breaches	1,215

Part 12 – Resources related to the Privacy Act

12.1 Costs

Part 12 - Resources related to the Privacy Act - 12.1 Costs
Expenditures		Amount
Salaries		$13,601,272
Overtime		$555,022
Goods and Services		$1,155,096
Professional services contracts	$458,068
Other	$697,028
Total		$15,311,390

12.2 Human resources

Part 12 - Resources related to the Privacy Act - 12.2 Human Resources
Resources	Person years dedicated to privacy activities
Full-time employees	158
Part-time and casual employees	0
Regional staff	0
Consultants and agency personnel	2
Students	6
Total	166

Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Table 1 – Capacity to receive requests

The following table reports the total number of weeks the CRA was able to receive ATIP requests through different channels.

Table 1 - The following table reports the total number of weeks the CRA was able to receive ATIP requests through different channels.
-	Number of weeks
Able to receive requests by mail	47
Able to receive requests by email	52
Able to receive requests through the digital request service	52

Table 2.1

The following table reports the total number of weeks the CRA was able to process paper records in different classification levels.

Table 2.1 - The following table reports the total number of weeks the CRA was able to process paper records in different classification levels.
-	No capacity	Full capacity	Total
Unclassified paper records	5	47	52
Protected B paper records	5	47	52
Secret and top secret paper records	5	47	52

Table 2.2

The following table reports the total number of weeks the CRA was able to process electronic records in different classification levels.

Table 2.2 - The following table reports the total number of weeks the CRA was able to process electronic records in different classification levels.
-	Full capacity	Total
Unclassified paper records	52	52
Protected B paper records	52	52
Secret and top secret paper records	52	52

Table 3.1

The following table reports the total number of open Access to Information Act requests that are outstanding from previous reporting periods.

Table 3.1 - The following table reports the total number of open Access to Information Act requests that are outstanding from previous reporting periods.
Fiscal year open requests were received	Open requests that are within legislated timelines as of March 31, 2022	Open requests that are beyond legislated timelines as of March 31, 2022	Total
2021–2022	594	209	803
2020–2021	13	141	154
2019–2020	3	70	73
2018–2019	0	22	22
2017–2018	0	13	13
2016–2017	0	7	7
2015–2016 or earlier	0	0	0
Total	610	462	1,072

Table 3.2

The following table reports the total number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.

Table 3.2 - The following table reports the total number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods..
Fiscal year open requests were received	Number of open complaints
2021–2022	100
2020–2021	30
2019–2020	26
2018–2019	40
2017–2018	12
2016–2017	2
2015–2016 or earlier	12
Total	222

Table 4.1

The following table reports the total number of open Privacy Act requests that are outstanding from previous reporting periods.

Table 4.1 - The following table reports the total number of open Privacy Act requests that are outstanding from previous reporting periods..
Fiscal year open requests were received	Open requests that are within legislated timelines as of March 31, 2022	Open requests that are beyond legislated timelines as of March 31, 2022	Total
2021–2022	904	180	1,084
2020–2021	0	46	46
2019–2020	0	38	38
2018–2019	0	1	1
2017–2018	0	0	0
2016–2017	0	0	0
2015–2016 or earlier	0	0	0
Total	904	265	1,169

Table 4.2

The following table reports the total number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.

Table 4.2 - The following table reports the total number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open requests were received	Number of open complaints
2021–2022	17
2020–2021	4
2019–2020	4
2018–2019	5
2017–2018	1
2016–2017	0
2015–2016 or earlier	4
Total	35

Table 5

The following table reports if there was authority received for a new collection of the social insurance number (SIN)

Table 5 - The following table reports if there was authority received for a new collection of the social insurance number (SIN)
Authority received for a new collection of the social insurance number (SIN)
Did your institution receive authority for a new collection or new consistent use of the SIN in 2021–2022?	Yes

Appendix C – Delegation order

Image description

Privacy Act

Delegation Order

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to subsection 73(1) of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties, or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders.

Diane Lebouthillier
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 15th day of May, 2020

The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue under the provisions of the Privacy Act and its Regulations are:

Commissioner

Full authority

Deputy Commissioner

Full authority

Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer

Full authority

Director General of the Access to Information and Privacy Directorate in the Public Affairs Branch

Full authority

Directors in the Access to Information and Privacy Directorate of the Public Affairs Branch

Full authority

Assistant directors, managers, technical reviewers/advisors in the Access to Information and Privacy Directorate of the Public Affairs Branch

Full authority except for paragraphs 8(2)(j) and (m) and subsection 8(5)

Page details

Date modified:: 2022-10-18

2021–2022 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

Privacy Act

Table of contents

About the Canada Revenue Agency

Branches

Regions

Chief Privacy Officer

Agency Privacy Council

Personal Information Incident Working Group

Access to Information and Privacy Directorate

Delegating responsibilities under the Privacy Act

Operational environment including the impact of the COVID-19 pandemic

ATIP Way Forward Modernization Initiative

Backlog elimination plan

Level 1 request initiative

Audio redaction software

PDF conversion tool

Upgraded server supporting the ATIP tracking system

Upgraded tracking system to manage privacy breaches

Lean Centre of Expertise

Access to Information and Privacy Strategic Plan 2021-2024

Human resources

Modernizing the Privacy Act

Protection of Personal Information Vulnerability Review

Training

Raising awareness

Collaborating with oversight bodies and other organizations

Privacy Management Program

Enhancing the Privacy Management Program, including policies, guidelines and procedures

Managing privacy breaches

Updating Information about Programs and Information Holdings (formerly Info Source)

Monitoring compliance

Privacy assessments

Privacy impact assessment

Privacy compliance evaluation

Privacy protocol assessment

Summaries of completed privacy assessments

Anonymous Internal Fraud and Misuse Reporting Line Privacy Impact Assessment

Business Refund Set-off Program v2.0

Canada Emergency Student Benefit

Canada recovery benefits

Corporation Returns and Payment Processing Program v3.0

COVID-19 one-time disability payment

Contract for the COVID-19 benefits contact centre

EFILE online services

Income Verification Services Program v3.0

Individual Refund Set-Off program

Individual Returns Assessment Program

Office of the Taxpayers' Ombudsperson Program v2.0

Part XIII Non-Resident Withholding Program

Pooled Registered Pension Plans Program

Interpretation and explanation of Appendix A – Statistical report

Part 1 – Requests under the Privacy Act

Other requests and workload

Part 2 – Informal requests

Part 3 – Requests closed during the reporting period

Exemptions

Exclusions

Format of information released

Complexity

Closed requests

Deemed refusals

Requests for translation

Part 4 – Disclosures under subsections 8(2) and 8(5)

Part 5 – Requests for correction of personal information and notations

Part 6 – Extensions

Part 7 – Consultations received from other institutions and organizations

Internal consultations

Part 8 – Completion time of consultations on Cabinet confidences

Part 9 – Complaints and investigation notices received

Part 10 – Privacy impact assessments and personal information banks

Part 11 – Privacy breaches

Part 12 – Resources related to the Privacy Act

Costs

Human resources

Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Conclusion

Appendix A – Statistical report

Statistical report on the Privacy Act