2017-2018 Annual Report to Parliament on the administration of the Privacy Act
Foreword
Each fiscal year, the head of every government institution prepares and submits an annual report to Parliament on the administration of the Privacy Act.
This report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the minister of national revenue and the commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the Privacy Act between April 1, 2017, and March 31, 2018. The report also discusses emerging trends, program delivery, and areas of focus for the year ahead.
The Privacy Act
The Privacy Act came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing, and disposing of personal information held by government institutions. It provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions, and with rights of correction or annotation or both. Individuals who are not satisfied with an institution’s handling of their personal information or any matter related to a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.
The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to consider requesting information through the following informal methods:
- the CRA website: canada.ca/en/revenue-agency
- the CRA’s charities and giving, A to Z index: canada.ca/en/services/taxes/charities
- individual tax enquiries (including requests for forms and publications): 1- 800-959-8281
- Canada child benefit, the GST/HST credit, and related provincial and territorial programs, child disability benefit, and children’s special allowances enquiries: 1-800-387-1193
- TTY (teletypewriter for persons who are deaf or hard of hearing or who have a speech impairment): 1-800-665-0354
Table of contents
Overview of the Canada Revenue Agency
Chief Privacy Officer
Access to Information and Privacy Directorate
Access to Information and Privacy Oversight Review Committee
Delegation of responsibilities under the Privacy Act
Schedule: Privacy Act
Operational environment
Training and awareness
Policies, guidelines, and procedures
Monitoring
Complaints, investigations, and federal court cases
Managing privacy breaches
Privacy impact assessments
Collaboration with oversight bodies and other organizations
Interpretation and explanation of Appendix A – Statistical Report
Conclusion
Appendix A – Statistical Report
Overview of the Canada Revenue Agency
The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories, and other government bodies (at their request and on a cost-recovery basis) to administer non‑harmonized taxes and other services. Overall, the CRA promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.
The minister of national revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.
The Canada Revenue Agency Act provides for the establishment of a board of management consisting of 15 directors appointed by the Governor in Council. They include the chair, the commissioner and chief executive officer, a director nominated by each province, one director nominated by the territories, and two directors nominated by the Government of Canada. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel, and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA’s operations, fosters sound management practices, and is committed to efficient and effective service delivery.
As the CRA’s chief executive officer, the commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the minister’s delegated authority. The commissioner is accountable to the Board of Management for managing the CRA, supervising employees, and implementing policies and budgets. Moreover, the commissioner must assist and advise the minister with respect to legislated authorities, duties, functions, and Cabinet responsibilities.
The CRA is made up of 13 functional branches and 5 regional offices across the country.
Branches
- Appeals
- Assessment, Benefit, and Service
- Audit, Evaluation, and Risk
- Collections and Verification
- Domestic Compliance Programs
- Finance and Administration
- Human Resources
- Information Technology
- International, Large Business, and Investigations
- Legal Services
- Legislative Policy and Regulatory Affairs
- Public Affairs
- Strategy and Integration
Regions
- Atlantic
- Ontario
- Prairie
- Quebec
- Pacific
Chief Privacy Officer
The assistant commissioner, Public Affairs Branch, is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate for overseeing privacy at the CRA. To fulfill this mandate, the chief privacy officer:
- oversees decisions related to privacy, including privacy impact assessments
- champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
- reports to the CRA’s senior management on the state of privacy management at the CRA at least twice a year
Access to Information and Privacy Directorate
The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the Directorate:
- responds to requests and enquiries under the Access to Information Act and the Privacy Act
- provides advice and guidance to CRA employees on requests for, and the proper management and protection of, personal information under the CRA’s control
- co-ordinates the privacy impact assessment processes within the CRA, including giving expert advice to CRA employees on privacy implications, risks, and options for avoiding or reducing risks
- gives training and awareness sessions on the Access to Information Act and the Privacy Act and the practices and requirements for managing personal information
- communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and audits
- fulfills corporate planning and reporting obligations such as the CRA’s annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act
The director of the Access to Information and Privacy Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. The director also manages and co-ordinates the access to information and privacy program, leads strategic planning and development initiative, and supports the assistant commissioner, Public Affairs Branch, and chief privacy officer with the privacy governance function.
The directorate is made up of two main divisions: processing; and program support and training (within the directorate and CRA-wide). In addition to its Headquarters office in Ottawa, there is an office in Vancouver and an office in Montréal. In fiscal year 2017–2018, an equivalent of 126 full-time employees administered the Access to Information Act and the Privacy Act.
The following chart shows the structure of the Access to Information and Privacy directorate.
Image description
First row Director, Access to Information and Privacy (ATIP) Directorate
Middle row, first box Assistant Director, ATIP Processing, Corporate and Complex Case Division
Middle row, second box Assistant Director, ATIP Processing, Strategic Compliance Division
The two areas of responsibility of the Assistant Director, ATIP Processing, Strategic Compliance Division are listed in the two boxes below. They are: Tax Compliance Section and Operations / Training Manuals Section.
Middle row, third box Assistant Director, ATIP Processing, Legislative and HQ Operational Case Division
The two areas of responsibility of the Assistant Director, ATIP Processing, Legislative and HQ Operational Case Division are listed in the two boxes below. They are: Legislative Case Section and HQ Operations Section
Middle row, fourth box Assistant Director, ATIP Processing, Regional Operations Case Division – Vancouver
Middle row, fifth box Assistant Director, ATIP Processing, Regional Operations Case Division – Montréal
Middle row, sixth box Assistant Director, Program Support and Training Division
The two areas of responsibility of the Assistant Director, Program Support and Training Division are listed in the two boxes below. They are: Governance and Corporate Reporting Section and Business Processes Section
Access to Information and Privacy oversight review committee
The Access to Information and Privacy Oversight Review Committee is an assistant‑commissioner‑level committee, chaired by the chief privacy officer. The Committee was established to ensure horizontal consultation, collaboration, and decision‑making on emerging access to information and privacy issues at the CRA.
Among other responsibilities, the Committee identifies measures to support more effective administration of access to information and privacy matters and champions related activities.
Delegation of responsibilities under the Privacy Act
As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations, and the related Treasury Board of Canada Secretariat policy instruments. Section 73 of the Privacy Act gives the minister the authority to designate one or more officers or employees of the CRA to exercise or perform all, or part, of the minister’s powers, duties, and functions under the Act.
The CRA’s current delegation order for the Privacy Act was signed by the Minister of National Revenue on January 14, 2016. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.
The access to information and privacy director and assistant directors, as well as the managers of the processing units, approve responses to requests under the Privacy Act. Delegations are also extended to the commissioner, the deputy commissioner, and the assistant commissioner, Public Affairs Branch, and chief privacy officer.
Image description
Privacy Act
Delegation Order
I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.
This designation replaces all previous delegation orders.
Diane Lebouthillier
Minister of National Revenue
Signed in Ottawa, Ontario, Canada this 14th day of January, 2016
Schedule: Privacy Act
The CRA positions that are authorized to perform the powers, duties, and functions given to the minister of national revenue as head of a government institution under the provisions of the Privacy Act and its regulations are the following:
Commissioner
- Full authority
Deputy commissioner
- Full authority
Assistant commissioner, Public Affairs Branch, and chief privacy officer
- Full authority
Director, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority
Assistant directors, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority with the exception of paragraphs 8(2)(j) and (m) and subsection 8(5)
Managers, Access to Information and Privacy Directorate, Public Affairs Branch
- Subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2),
35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations.
Operational environment
As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Public Service of Canada. In addition, the CRA collects and manages the personal information for its workforce of about 40,000 individuals.
The CRA’s Access to Information and Privacy Directorate processes among the largest volume of privacy requests and pages of all federal institutions. The CRA historically ranks among the top 10 federal institutions. According to the most recent Treasury Board of Canada Secretariat statistics, in 2016–2017 the CRA processed the second largest volume of pages (1.1 million) of all federal institutions and received the eighth largest number of requests. This trend may have continued in 2017–2018 because for the second consecutive year, the CRA received and completed more requests than any point in history. In fact, there was a 19% increase in requests received with 3,791 and a 12% increase in requests completed with 3,821.
Beyond the 3,791 requests received under the Privacy Act during the fiscal year, the CRA's privacy workload included complaint files and internal and external consultations.
Despite this challenging workload, through collaborative relationships and the continued implementation of the access to information and privacy inventory reduction plan, the CRA processed more requests than received and reduced the total deemed refusal rate of requests by 29% over the last reporting period. As well, significant efforts were also deployed leading to progress across virtually all indicators, including openness and transparency, training, awareness, and strengthening of the privacy framework.
In a 10 year span, requests received have increased from 1,553 to 3,791 (144%) and pages processed have increased from 392,173 to 920,251 (135%).
The following table shows the directorate’s workload over the past 10 fiscal years.
Image description
Workload Trends
In 2008-2009, 1,553 requests were received, 1,447 were completed, 392,173 pages were processed
In 2009-2010, 2,083 requests were received, 1,973 were completed, 371,766 pages were processed
In 2010-2011, 2,600 requests were received, 2,767 were completed, 725,741 pages were processed
In 2011-2012, 1,362 requests were received, 1,497 were completed, 510,503 pages were processed
In 2012-2013, 1,980 requests were received, 1,936 were completed, 775,563 pages were processed
In 2013-2014, 1,548 requests were received, 1,553 were completed, 624,430 pages were processed
In 2014-2015, 2,533 requests were received, 2,312 were completed, 636,207 pages were processed
In 2015-2016, 3,048 requests were received, 2,723 were completed, 476,832 pages were processed
In 2016-2017, 3,174 requests were received, 3,400 were completed, 1,087,173 pages were processed
In 2017-2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed
Staffing
In 2017–2018, the Access to Information and Privacy Directorate undertook many actions to manage the growing access to information and privacy workload including:
- creating a junior analyst position to support career progression and to streamline work activities
- centralizing more clerical activities into the intake unit
- supporting the CRA’s service renewal initiative
- launching three selection processes
- addressing long-term acting positions
- providing developmental opportunities at the SP-07 level
Lean continuous improvement
In 2016–2017, the Access to Information and Privacy Directorate completed a Lean Six Sigma review of processes to identify ways to better use the directorate’s resources, improve processes, and complete requests more efficiently. Lean is a continuous improvement methodology that maximizes efficiency and effectiveness in the life‑cycle of a process.
During 2017–2018, a continuous improvement team was formed, with representatives from all teams and employee levels, the goal being to get continual feedback from employees. Also, the Access to Information and Privacy Directorate completed 17 improvement ideas this fiscal year, including: the switch to a paperless environment, the use of e-signatures, and the streamlined processing of mailouts.
During the Kaizen event, targets were established to reduce the processing time of levels 2, 3, and 4 complexity files. Due to the many improvements implemented during the fiscal year, the following results were achieved:
- Level 2 complexity files
- Target 10% reduction / Actual 45% reduction
- Processing time reduced from 108 days to 59 days.
- Level 3 and 4 complexity files
- Target 10% reduction / Actual 38% reduction
- Processing time reduced from 144 days to 90 days.
To make sure the Access to Information and Privacy Directorate is further positioned to support Lean continuous improvement during the fiscal year, two employees from the directorate participated in external Lean principles training.
Beyond the focus on Lean in the Access to Information and Privacy Directorate, other parts of the CRA are also looking at how to improve their processes to respond more efficiently to access to information and privacy requests. Of note, the Appeals Branch held a Kaizen event on their access to information and privacy process that Access to Information and Privacy Directorate employees participated in.
In 2018–2019, the Access to Information and Privacy Directorate will review any new procedure under a Lean lens to eliminate waste and steps that do not add value to the client.
Enhancement of the Privacy Management Framework
Late in 2017–2018, the CRA hired a third-party contractor to do a comprehensive review of all existing elements in the CRA’s privacy management framework. This includes: governance, policy instruments, guidance and tools, oversight and monitoring, and training and communication mechanisms.
The review is aimed at improving the horizontal integration of the various parts of the CRA’s privacy management program into a cohesive and well-articulated framework, as well as improving horizontal integration and reporting. To support this, the work has involved meetings with assistant commissioners of key stakeholder branches and the review of key documentation such as the corporate risk profile.
The consultations focussed around the review and analysis of privacy breach incidents, information sharing, safeguarding and retention of personal information, cyber security gaps, risk analysis, and procedures for disclosing information.
The consultant’s work will end in Q1 2018–2019, and the proposed deliverables will be:
- a fulsome current state and gap analysis of the CRA’s privacy management framework
- a final report that will include strengths, weaknesses, recommendations, and the identification and production of any new or updated tools to enhance the privacy framework
Modernization of the Privacy Act
The CRA continues to work closely with various stakeholders on the Government of Canada’s commitment to modernize the Privacy Act. Specifically, the CRA is an active participant on the Department of Justice Canada‑led committees and working groups created to review the proposed changes to the act.
The CRA will make sure that any changes related to the modernization of the Privacy Act are implemented efficiently and effectively.
Training and awareness
Training
The Access to Information and Privacy Directorate provides training to CRA employees on the requirements of, and responsibilities under, the Access to Information Act and the Privacy Act. This training is tailored to the needs of the audiences. For instance, employees who have little or no knowledge of the subject are encouraged to take the ATIP Fundamentals course or the Access to Information in the Government of Canada course offered by the Canada School of Public Service. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations to access to information and privacy analysts when they send records in response to requests.
The CRA’s Legal Services Branch also provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release in CRA reading rooms, as well as on the legal interpretation of the Access to Information Act and the Privacy Act for specialized CRA staff such as auditors.
In 2017–2018, close to 1,000 CRA employees across Canada participated in instructor‑led and online training. In total, this fiscal year:
- 460 employees participated in 23 training sessions
- 392 employees took the Canada School of Public Service ATIP Fundamentals online course
- 20 employees attended the Canada School of Public Service Access to Information in the Government of Canada in-class course
- 91 employees participated in specialized training given by the Legal Services Branch
Due to a shift from instructor-led to online training, the number of employees who attended online training is likely much larger, since these training sessions are frequently attended by large groups of employees under one registration.
The Legal Services Branch is developing a training module on informal disclosure that will complement program specific training. Training is scheduled to be provided in 2018–2019.
Online training and awareness
In 2017–2018, the CRA continued to look at innovative ways to reach wider audiences and provide more specialized training online by creating:
- the first of a suite of 10 web-based modules that offer specialized technical training and learning path products for access to information and privacy analysts.
- a presentation took place during the fiscal year to show this module to multiple government departments.
- KnowHow products that complement program specific procedures. KnowHow provides user-friendly online instructions to CRA employees and managers.
- formal disclosure KnowHow product – this is designed to increase awareness of roles and responsibilities associated with how to respond to a request made under the Access to Information Act or the Privacy Act.
- informal disclosure KnowHow product – this is designed to increase awareness on basic considerations for disclosure and examples of what can and cannot be disclosed informally without a request received under the Access to Information Act or the Privacy Act.
- a training module, to complement program-specific training, on the informal disclosure of taxpayer information, developed by the Legal Services Branch.
- planned to be piloted in 2018-2019 simultaneously using three channels: in class, webinar, and videoconference to maximize accessibility.
- the module can be customized for specific CRA programs, depending on the need.
Raising awareness
The trust Canadians place in the CRA to protect their personal information is a cornerstone of the CRA’s work. In 2017–2018, the Access to Information and Privacy Directorate worked on many projects to enhance employees’ awareness of their privacy-related roles and responsibilities.
For the seventh consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many other institutions across Canada, and the world, to promote Data Privacy Day. This day highlights the impact that technology has on privacy rights and underlines the importance of valuing and protecting personal information. The CRA’s activities focused on the role all CRA employees play in safeguarding personal information in their day‑to‑day jobs. The following activities took place during the week:
- an intranet banner promoted the theme of the week and the link to access the CRA’s privacy toolkit.
- the Chief Privacy Officer, Chief Information Officer, and the recently appointed Chief Data Officer sent a joint message to all CRA employees promoting the awareness week and the importance of safeguarding personal information at all times.
- the Commissioner and the Chief Privacy Officer tweeted during the week to highlight that the CRA takes the protection of personal information very seriously.
- a privacy quiz was posted on the CRA’s intranet site.
- calendars provided by the Office of the Privacy Commissioner of Canada were sent to CRA employees across the country.
Beyond this event, the directorate raised awareness about access to information and privacy and the role they play in supporting sound privacy management at the CRA through: quarterly teleconferences with access to information and privacy contacts with all CRA branches and regions; and in briefings on matters related to access to information and privacy to CRA senior management, as required.
Policies, guidelines, and procedures
The CRA continues to promote and support compliance with the Treasury Board of Canada Secretariat policies, guidelines, and procedures through its communications and training.
CRA privacy policy instruments
The Access to Information and Privacy Directorate reviewed the CRA privacy policy instruments and has sent the documents for approval of minor changes such as streamlining the privacy impact assessment process. The revised policy instruments will be finalized in 2018–2019.
The CRA’s updated investigative body designations are now in a schedule to the Privacy Act. Seven designations were amended because they were outdated, following a name change or a reorganization; and one is a new designation for a division within the Charities Directorate. The Access to Information and Privacy Directorate is developing procedures to provide guidance to these investigative bodies when asking for personal information from another federal institution.
Unrelated pages
In 2017–2018, the Access to Information and Privacy Directorate did a short study on the prevalence of out-of-scope and duplicate records received from offices of primary interest. Due to increased efforts by these offices, the directorate saw a noticeable decrease in the number of out-of-scope and duplicate records. Despite this trend, the directorate has done the following:
- updated the CRA’s formal disclosure KnowHow product to provide tips on how to avoid non-relevant records.
- included links on the access to information and privacy request-for-records document to detail requirements for preparing, organizing, and sending documents.
- provided helpful hints on the review of documents, during quarterly teleconferences with the offices of primary interest.
Internal procedures manual
The Access to Information and Privacy Directorate completed an updated version of its internal procedures manual. This release represents the first update to the manual since 2016 and serves as a guide for all major procedures related to access to information and privacy. The purpose of the manual is to promote consistent practices across the directorate when administering the Access to Information Act and the Privacy Act. The manual serves as a main resource tool for the directorate, and it reduces the time needed to train new employees.
Monitoring
The Access to Information and Privacy Directorate produces a monthly report that captures key statistical information about the CRA’s inventory of access to information and privacy requests. The report monitors active and completed requests, including pages received and processed, carry forward inventory, complexity, and deemed refusal.
Management regularly uses the report to monitor trends, measure the directorate’s performance, and determine any process changes needed to improve performance. Also, the report is presented monthly to senior management at the commissioner‑chaired Agency Management Committee.
As a deliverable of the third-party contract on enhancing the CRA’s privacy management framework, tools for the management and monitoring of privacy management will be developed in 2018–2019.
Complaints, investigations, and federal court cases
In 2017–2018, the CRA received 29 complaints under the Privacy Act and closed 26 complaints. This represents a 26% increase in the number of complaints received from the previous reporting period, and a 13% increase in the number of complaints completed.
No complaints were pursued to the Federal Court.
The following chart shows the disposition of the complaints closed during the fiscal year.
Image description
Complaint Dispositions
5 (19%) Discontinued
6 (23%) Not well founded
14 (54%) Well-founded
1 (4%) Well-founded/resolved
For definitions of the disposition categories, go to: priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-federal-institutions/def-pa.
Managing privacy breaches
One of the cornerstones of Canada’s self-assessment tax system is the trust Canadians place in the CRA to safeguard the privacy of their personal information. Effectively managing privacy breaches is critical in maintaining public confidence in the integrity of the tax system. The CRA takes all breaches very seriously and continually strengthens its controls and sanctions for unauthorized access and disclosure. Some of the controls in place include:
- the CRA Code of Ethics and Conduct
- mandatory security training
- increasing integrity awareness through communications and tools
- annual updates to the CRA integrity framework
- the anonymous internal fraud and misuse reporting line
- monitoring of employee accesses
Despite the effectiveness of these controls, privacy breaches sometimes occur. This year, the Access to Information and Privacy Directorate was informed of 185 incidents of alleged or confirmed improper access, collection, use, and disclosure of personal information by the CRA. These came from a variety of sources including the Office of the Privacy Commissioner of Canada, individuals, and the CRA’s Security and Internal Affairs Directorate.
In 2017–2018, the majority of privacy breaches at the CRA resulted from misdirected mail. Misdirected mail is taxpayer information reported to the CRA as misdirected that has been incorrectly addressed or directed to the wrong person. Misdirected mail incidents represent 0.003% of the 110 million pieces of mail handled annually by the CRA.
The CRA follows the Treasury Board of Canada Secretariat guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. As per these guidelines, the CRA only notifies them of material privacy breaches.
In 2017–2018, the CRA reported 25 material privacy breaches to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Of these: 19 involved unauthorized access to taxpayer information by a CRA employee; and 6 involved unauthorized disclosure of taxpayer information.
The CRA continues to improve and evolve internal processes and systems to further protect taxpayer information. These controls include monitoring employee access to taxpayer information; limiting employees’ access permissions to only the information required to carry out their job; and regularly reviewing employee access to CRA systems.
On a technological front, the CRA has invested significantly to support the detection and monitoring of unauthorized access by CRA employees, including:
- building front-end controls to make sure employees are granted access permissions only to CRA computer systems and information required to perform their duties
- strengthening back-end controls to build on CRA automated systems for better monitoring of transactions performed by employees
The CRA will continue to look into solutions that will allow it to better protect taxpayer information.
Privacy impact assessments
CRA Privacy Impact Assessment Plan
In 2014, the CRA developed its first privacy impact assessment plan, which focused on completing program-level privacy impact assessments that were prioritized based on the level of privacy risk. This strategic approach to the assessments provided for a more comprehensive perspective of the privacy risks inherent to programs and enabled more effective risk mitigation and management. Furthermore, completing assessments at the program level was an effective use of resources.
In 2017–2018, the plan was updated. The revised plan built on the significant work undertaken in the previous plan. It was developed in consultation with the branches that identified projects and activities involving personal information scheduled to be implemented over two years, from 2017 to 2019.
The plan considers the key programs and activities of the CRA’s Departmental Results Framework as outlined in the 2017–2019 Departmental Plan and assesses the associated privacy-risks. The plan also considers the operational context outlined in the departmental plan, including the corporate risk profile that helps the CRA protect its integrity by identifying and putting plans in place to reduce risk exposure. The plan includes all branches with ongoing privacy impact assessments and requires all branches to report on the progress of these assessments and corresponding action plans on a quarterly basis. The plan is evergreen and will be amended to address any new priorities and activities that emerge during the planning cycle.
Since the implementation of the PIA plan in 2014, the CRA has completed 37 privacy impact assessments.
Summaries of completed privacy impact assessments
The CRA completed 11 privacy impact assessments during the 2017–2018 reporting period. In addition, a significant number of initiatives were reviewed to assess potential privacy impacts.
This necessitated the review of documents such as privacy assessment determination questionnaires, threat and risk assessments, local application solutions, and written collaborative arrangements.
In line with the Treasury Board of Canada Secretariat’s Directive on Privacy Impact Assessment, the CRA publishes summaries of completed privacy impact assessments on its website: canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.
The following are the summaries of the 11 privacy impact assessments completed and sent to the Office of the Privacy Commissioner of Canada and to the Treasury Board of Canada Secretariat for review in 2017–2018:
Common Reporting Standard (Income Tax Act, Part XIX)
The Common Reporting Standard is a new international standard for the automatic exchange of financial account information between tax administrations to use in fighting tax evasion and to promote voluntary compliance with tax laws. Canada and close to 100 other jurisdictions are committed to its implementation.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/common-reporting-standard-ita-part-xix.
Community Volunteer Income Tax Program
The Community Volunteer Income Tax Program is a collaboration between community organizations and the CRA. This program has been helping individuals and families in need to prepare simple income tax and benefit returns for more than 45 years. Community organizations host tax preparation clinics and arrange for volunteers to prepare income tax and benefit returns for eligible individuals who have a modest income and a simple tax situation. To participate, volunteers and organizations register and their information is kept on a centralized program database. Through the dedication of community organizations and volunteers, hundreds of thousands of Canadians are able to meet their tax obligations, as well as receive their tax credits and benefits on time.
For the privacy impact assessment summary, go to:
Corporation Income Tax Return Assessment Program
The Corporation Returns and Payment Processing Program is responsible for assessing T2 corporation income tax returns, special elections and returns, and non-resident T2 returns. The program processes payments associated with the returns and administers provincial taxes and credits harmonized with the federal T2 return for all provinces except Quebec and Alberta.
For the privacy impact assessment summary, go to:
Government of Canada Business Number Adoption: Web Validation Service
In October 2013, the Deputy Minister of Service and Federating Identity endorsed the mandatory adoption of the business number by making it the common identifier for business throughout the Government of Canada. The purpose is to allow businesses to use one number in their dealings with public-sector programs and various levels of government within Canada. The aim is to allow businesses to register for business number participating programs through a seamless service. As a common identifier, the number will improve services to business, standardize data collection and sharing, and eliminate redundant data collection. As the office of primary interest, Innovation, Science and Economic Development, tasked the CRA with providing the technical solution for this initiative. The CRA used the existing business number system to provide a web validation service, which gives federal organizations the ability to use the business number as the common identifier.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/government-of-canada-business-number-adoption-web-validation-service-summary
Goods and Services Tax / Harmonized Sales Tax (GST/HST) Returns and Rebates Program v 2.0
This privacy impact assessment covers the GST/HST tax returns, rebate applications and various elections that are filed by businesses, third parties and individuals. The assessment relates to the GST/HST that businesses and third parties collect and send, as well as to the GST/HST that individuals and businesses pay if a rebate applies. The assessment also covers various elections that businesses can make to amend certain aspects of their GST/HST account, for example, changing a filing frequency.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/gst-hst-returns-and-rebates-program.
Identity and Access Management Phase 4
In 2013, a privacy impact assessment was completed for Phase 2 and then updated in 2015 to include Phase 3. Phase 4 consists of improvements to the following identity and access management functions:
Identity Management – This function provides the ability to uniquely identify a person and provide them with access to only the information/data needed to perform their duties.
Request Management – This function provides the ability to add, remove, or update access permissions through a centralized management tool.
Access Review and Certification – Access review and certification is a risk management activity. The compliance, enforcement, and certification of accesses are a result of steady increases in regulations, internal controls, and external audit pressures. This activity will give managers an efficient and comprehensive view of what permissions their employees have, including for non-standard accounts. The activity will also give managers the ability to ask for the deletion of access permissions.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/identity-and-access-management-phase-4.
Scientific Research and Experimental Development Program v 2.0
The CRA is committed to administering the Scientific Research and Experimental Development Program with fiscal integrity and to making sure businesses are aware of the program and can easily access it. It is important that the CRA apply the legislation correctly, consistently, and fairly so that claimants receive all that they qualify for under the program. In continuing to enhance delivery of the program, four new services or processes were implemented as described below.
Pre-claim consultation
The pre-claim consultation is a free on-demand service that potential claimants can use to find out whether their work qualifies for scientific research and experimental development tax incentives, before they make a claim.
Pre-claim review
The pre-claim review is a free, on-demand review. It gives businesses a determination on how much of their research and development work is eligible and what expenditures qualify for the scientific research and experimental development tax incentives, before they make a claim.
Self-Assessment and Learning Tool
The Self-Assessment and Learning Tool is an online self-assessment tool to help claimants understand the eligibility requirements of the Scientific Research and Experimental Development Program.
Administrative review
The CRA is committed to providing fair treatment to all claimants under the Scientific Research and Experimental Development Program. In instances where a claimant does not agree with the findings of the review of their claim, or if they have any concerns with how the review was done, they can send a request for an administrative review. This process ensures the fair and timely addressing of claimants’ concerns.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/scientific-research-and-experimental-development-program.
Specialty Business Returns Program
The Specialty Business Returns Program administers the filing and assessing provisions of the following legislation:
- Air Travellers Security Charge Act
- Excise Act
- Excise Act, 2001
- Softwood Lumber Products Export Charge Act, 2006
- Parts I to VII of the Excise Tax Act (the parts that do not deal with goods and services tax / harmonized sales tax)
The program is also responsible for all activities related to the filing of partnership information returns. The filing of those returns is a requirement under the Income Tax Act.
The information collected by the Specialty Business Returns Program is used to assess returns, refunds, and rebate applications and is used to issue notices of assessment and reassessment.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/specialty-business-returns-program.
T3 Trust Returns Assessing
The T3 Trust Returns Assessing Program includes assessing and reassessing trust income tax and information returns. This program checks whether amounts on a return and related schedules are supported by the required documents and verifies the accuracy of calculations of the amounts reported on the documents. The information collected by this program is used to issue notices of assessment and reassessment.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/t3-trust-returns-assessing.
Non-Filer Program
The Non-Filer Program is responsible for promoting compliance as outlined in the Income Tax Act. The program’s responsibilities focus on ensuring all individuals, corporations, and trusts file their required returns. The program also prosecutes certain non-filers.
For the privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/non-filer-program.
Monitoring of Employee Electronic Access to Taxpayer Information
This initiative is intended to enhance the CRA’s ability to prevent, monitor, and detect unauthorized access to electronic taxpayer information and internal fraud or misuse. The CRA has procured an enterprise fraud management solution that will enable the proactive identification of questionable user activities using business intelligence, such as detection models and data-matching, along with an increased ability to do trend and pattern analysis.
For the privacy impact assessment summary, go to:
Collaboration with Oversight Bodies and Other Organizations
The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat, and other organizations to strengthen privacy at the CRA.
Office of the Privacy Commissioner of Canada
The CRA met with the Office of the Privacy Commissioner of Canada on various subjects throughout the fiscal year, including privacy breaches and specific privacy impact assessments. The follow-up on these privacy impact assessments involved multiple discussions, meetings, and presentations by the CRA to the Office of the Privacy Commissioner of Canada.
In 2012–2013, the Office of the Privacy Commissioner of Canada completed an audit of the CRA’s privacy management framework as a follow-up to its February 2009 audit called Privacy Management Frameworks of Selected Federal Institutions. In 2017–2018, the CRA completed the remaining recommendation concerning identity and access management controls.
Treasury Board of Canada Secretariat
The CRA strengthened its relationship with the Treasury Board of Canada Secretariat throughout the fiscal year by:
- consulting with the Information and Privacy Policy Division of the Treasury Board of Canada Secretariat on a wide-range of subjects, such as policy and legal interpretation
- participating in access to information and privacy community meetings and in working groups on various privacy-related topics, including the modernization of the Privacy Act
- presenting to the director general and assistant deputy minister committees of the Treasury Board of Canada Secretariat on a community development initiative to develop a formal access to information and privacy network to further meet the growing needs of access to information and privacy offices across government
Interpretation and explanation of Appendix A – Statistical Report
Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the reporting period from April 1, 2017, to March 31, 2018. The following explains and interprets the statistical information.
Requests under the Privacy Act
During the reporting period, the CRA received 3,791 new requests under the Privacy Act. This is an increase of 617 requests (19%) over last year’s total of 3,174 requests. Including the 541 requests carried forward from the 2016–2017 reporting period, the CRA had 4,332 active requests in its inventory.
The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past 5 fiscal years. The number of requests received has more than doubled from 2013-2014.
| Fiscal year | Requests received | Requests completed | Pages processed |
|---|---|---|---|
| 2014-2015 | 2,533 | 2,313 | 636,207 |
| 2015-2016 | 3,048 | 2,723 | 476,832 |
| 2016-2017 | 3,174 | 3,400 | 1,086,917 |
| 2017-2018 | 3,791 | 3,821 | 920,251 |
| 2013-2014 | 1,548 | 1,553 | 624,430 |
Other requests and workload
Beyond the 3,791 requests received under the Privacy Act, the CRA processes a high volume of other requests. The additional volume significantly affects operations, since resources must be diverted to manage this workload. These additional requests include external and internal consultations, general enquiries, and complaints.
External and Internal consultations
Over the past five years, there has been a 171% increase in the number of internal consultations completed.
In 2017–2018, the Access to Information and Privacy Directorate closed 6 external consultation requests from other government institutions and organizations. To respond to these requests, a total of 168 pages were reviewed. For more details, including disposition and completion times, see Part 6 of Appendix A.
Furthermore, 328 internal privacy consultation requests were completed in 2017-2018, a 29% increase over the previous reporting period. To respond to these requests, the directorate reviewed a total of 11,033 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.
The following table shows the increase in internal privacy consultation requests received over the past 5 years.
Image description
Internal Privacy Consultation Trends
In 2013-2014, 121 internal privacy consultation requests were received, 3,297 pages were processed.
In 2014-2015, 230 internal privacy consultation requests were received, 3,772 pages were processed.
In 2015-2016, 202 internal privacy consultation requests were received, 5,837 pages were processed.
In 2016-2017, 253 internal privacy consultation requests were received, 5,311 pages were processed.
In 2017-2018, 328 internal privacy consultation requests were received, 11,033 pages were processed.
General enquiries
The Program Support and Training Division of the Access to Information and Privacy Directorate responded to 4,433 emails and 919 telephone enquiries received through the general enquiries mailbox and 1‑800 line. The enquiries concerned a wide range of matters, including:
- how to send an access to information or privacy request
- the status of a request
- the public reading room
- enquires that were redirected because the information requested is not kept by the CRA, such as requests about social insurance numbers
Disposition of completed requests
During the reporting period, the Access to Information and Privacy Directorate completed 3,821 requests under the Privacy Act.
- 2,057 were fully disclosed (53.8%)
- 1,174 were disclosed in part (30.7%)
- 6 were exempted in their entirety (0.2%)
- 0 was excluded in its entirety (0%)
- 45 resulted in no existing records (1.2%)
- 504 were abandoned by requesters (13.2%)
- 35 were neither confirmed nor denied (0.9%)
For more details, see Table 2.1 of Appendix A.
For the second straight year, the CRA completed a record number of privacy requests.
Exemptions
The Privacy Act allows an institution to refuse access to specific information. For example, information about an individual other than the requester cannot be disclosed if the individual has not given his or her consent. Exemptions are applied by analysts to support non‑disclosure in these cases.
In 2017–2018, the CRA applied the following exemptions, in full or in part for requests closed during the reporting period:
- section 19 – Personal information obtained in confidence (27 times)
- section 21 – International affairs and defence (1 time)
- section 22 – Law enforcement and investigation (443 times)
- section 26 – Information about another individual (1,055 times)
- section 27 – Solicitor-client privilege (160 times)
Exclusions
The Privacy Act does not apply to information that is publicly available, such as government publications and material in libraries and museums. It also excludes material such as Cabinet confidences.
In 2017–2018, the CRA applied no exclusions for information that was publicly available or a Cabinet confidence.
Format of information released
Requesters can choose to receive their response package in paper, CD, or DVD format. Persons with disabilities may also request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically significantly reduces manual processes and paper consumption.
Requests for translation
Records are normally released in the language in which they exist. However, records may be translated to an official language when requested and when the institution considers it in the public interest to do so.
There were no requests for translation received in 2017-2018.
In 2017–2018, of the 3,231 requests for which information was disclosed in full or in part, 1,952 requests (60%) were released in electronic format.
Corrections and notations
Under the Privacy Act, an individual may ask that any factual errors or omissions in their personal information be corrected.
The CRA did not receive any requests to correct personal information during 2017-2018.
Disclosures under subsection 8(2) of the Privacy Act
Subsection 8(2) provides that, subject to confidentiality provisions in other acts of Parliament, personal information may be disclosed without consent, for limited and specific circumstances. For example, for any purpose where, in the opinion of the head of an institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure or the disclosure would clearly benefit the individual to whom the information relates.
The CRA’s enabling tax legislation, such as the Income Tax Act and the Excise Tax Act contain confidentiality provisions that take precedence over Privacy Act disclosures. As such, any disclosure under subsection 8(2) would only involve non-tax personal information, such as employee personal information.
During the reporting period, there were no disclosures of personal information under subsection 8(2) of the Privacy Act.
Completion time and extensions
421 (12%) more requests were completed in 2017–2018 compared to last fiscal.
The Privacy Act sets the timelines for responding to privacy requests. Also, the act allows time extensions if:
- meeting the original time limit would unreasonably interfere with operations
- there is a need to consult (for example, with a government institution or third party)
- there is a need to translate or convert records into another format
Of the 3,821 requests closed in 2017-2018, the CRA applied extensions for 692 (18%) of them. Extensions were applied 97% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining 3% of the time was for consulting with third parties or other government institutions, as well as converting records into other formats.
The following chart shows the completion times for the 3,821 requests closed in 2017-2018.
Image description
Completion time
2,865 (75%) in 30 days or under
564 (15%) from 31 to 60 days
122 (3%) from 61 to 120 days
270 (7%) in 121 days or more
The Access to Information and Privacy Directorate completed 3,467 (91%) requests within the timelines required by law. This means that responses were provided within 30 calendar days or within an extended deadline when an extension was taken.
Deemed refusals and complexities
A deemed refusal is a request that was closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.
Of the 3,821 requests closed during the reporting period, 354 were closed after the deadline, resulting in a deemed refusal rate of 9%.
The CRA consistently receives a high volume of requests, with many of them broad in scope. In addition, there are other priorities for the directorate, including responding to consultations. Despite this, the CRA completed more files this year than any time in history.
The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process; and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests.
The deemed refusal rate has decreased from 25% in
2016–2017 to 9% this year.
In 2017–2018, the directorate processed an average of 241 pages per request.
For example, to respond to the 3,821 requests closed during the fiscal year, the CRA processed 920,251 pages. Of the 3,231 requests for which records were disclosed, 893 (28%) involved processing more than 100 pages; 139 of these involved processing more than 1,000 pages and 8 involved processing more than 5,000 pages.
Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see Table 2.5.3 of Appendix A.
Completion time of consultations on Cabinet confidences
Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their legal services to determine if the information requested should be excluded. If there is any doubt or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.
In 2017-2018, the CRA did not apply any exclusions for Cabinet confidences.
Costs
During 2017–2018, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $6,288,591. This does not include significant support and resources from the branches and regions. For more details, see Table 10.1 in Appendix A.
Conclusion
The CRA takes privacy and the safeguarding of personal information very seriously.
In 2017–2018, the CRA continued to make significant progress in addressing challenges by: completing the final recommendation in the Office of the Privacy Commissioner of Canada 2013 audit; continuing to introduce processing efficiencies through the Lean continuous improvement method; undertaking an updated privacy impact assessment plan; improving access to training; and undertaking the review of the privacy management framework.
In 2018–2019, the CRA will continue its work to safeguard personal information and improve efficiencies in operations by implementing recommendations within the CRA’s revised privacy management framework, continuing to work on the privacy impact assessment plan, continuing to implement Lean continuous improvements initiatives, and continuing to work closely with various stakeholders on the Government’s commitment to modernize the Privacy Act.
Appendix A – Statistical Report
Statistical Report on the Privacy Act
Name of institution: Canada Revenue Agency
Reporting period: April 1, 2017 to March 31, 2018
Part 1 – Requests under the Privacy Act
1.1 Number of requests
| Requests | Number of requests |
|---|---|
| Total | 4,332 |
| Received during reporting period | 3,791 |
| Outstanding from previous reporting period | 541 |
| Requests | Number of requests |
|---|---|
| Total | 4,332 |
| Closed during reporting period | 3,821 |
| Carried over to next reporting period | 511 |
Part 2 - Requests closed during the reporting period
2.1 Disposition and completion time
| Disposition of requests |
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
|---|---|---|---|---|---|---|---|---|
| All exempted | 0 | 0 | 1 | 3 | 0 | 0 | 2 | 6 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 19 | 15 | 7 | 3 | 0 | 1 | 0 | 45 |
| Request abandoned | 432 | 40 | 14 | 2 | 0 | 5 | 11 | 504 |
| Neither confirmed nor denied | 23 | 5 | 1 | 0 | 0 | 0 | 6 | 35 |
| Total | 1,405 | 1,460 | 564 | 122 | 46 | 85 | 139 | 3,821 |
| All disclosed | 855 | 1,040 | 145 | 10 | 2 | 3 | 2 | 2,057 |
| Disclosed in part | 76 | 360 | 396 | 104 | 44 | 76 | 118 | 1,174 |
2.2 Exemptions
| 18(2) | |
| 19(1)(a) | |
| 19(1)(b) | |
| 19(1)(c) | |
| 19(1)(d) | |
| 19(1)(e) | |
| 19(1)(f) | |
| 20 | |
| 21 | |
| 22(1)(a)(i) | |
| 22(1)(a)(ii) | |
| 22(1)(a)(iii) | |
| 22(1)(b) | |
| 22(1)(c) | |
| 22(2) | |
| 22.1 | |
| 22.2 | |
| 22.3 | |
| 23(a) | |
| 23(b) | |
| 24(a) | |
| 24(b) | |
| 25 | |
| 26 | |
| 27 | |
| 28 |
2.3 Exclusions
| 69(1)(a) | |
| 69(1)(b) | |
| 69.1 | |
| 70(1) | |
| 70(1)(a) | |
| 70(1)(b) | |
| 70(1)(c) | |
| 70(1)(d) | |
| 70(1)(e) | |
| 70(1)(f) | |
| 70.1 |
2.4 Format of information released
| Disposition | Paper | Electronic | Other formats |
|---|---|---|---|
| Total | 1,279 | 1,952 | 0 |
| All disclosed | 1,072 | 985 | 0 |
| Disclosed in part | 207 | 967 | 0 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
| Disposition of requests | Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|---|
| All exempted | 18,215 | 0 | 6 |
| All excluded | 0 | 0 | 0 |
| Request abandoned | 925 | 921 | 504 |
| Neither confirmed nor denied | 0 | 0 | 35 |
| Total | 920,251 | 668,001 | 3,776 |
| All disclosed | 71,918 | 71,918 | 2,057 |
| Disclosed in part | 829,193 | 595,162 | 1,174 |
2.5.2 Relevant pages processed and disclosed by size of request
Less than 100 pages processed
| Disposition of requests |
Number of requests | Pages disclosed |
|---|---|---|
| All exempted | 6 | 0 |
| All excluded | 0 | 0 |
| Request abandoned | 503 | 100 |
| Neither confirmed nor denied | 35 | 0 |
| Total | 2,882 | 73,954 |
| All disclosed | 1,949 | 54,495 |
| Disclosed in part | 389 | 19,359 |
101 - 500 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
| All exempted | 0 | 0 |
| All excluded | 0 | 0 |
| Request abandoned | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 |
| Total | 561 | 128,437 |
| All disclosed | 107 | 16,830 |
| Disclosed in part | 454 | 111,607 |
501 - 1000 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
| All exempted | 0 | 0 |
| All excluded | 0 | 0 |
| Request abandoned | 1 | 821 |
| Neither confirmed nor denied | 0 | 0 |
| Total | 186 | 133,610 |
| All disclosed | 1 | 593 |
| Disclosed in part | 184 | 132,196 |
1001 - 5000 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
| All exempted | 0 | 0 |
| All excluded | 0 | 0 |
| Request abandoned | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 |
| Total | 139 | 258,918 |
| All disclosed | 0 | 0 |
| Disclosed in part | 139 | 258,918 |
More than 5000 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
| All exempted | 0 | 0 |
| All excluded | 0 | 0 |
| Request abandoned | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 |
| Total | 8 | 73,082 |
| All disclosed | 0 | 0 |
| Disclosed in part | 8 | 73,082 |
2.5.3 Other complexities
| Disposition | Consultation required | Legal advice sought | Interwoven information | Other | Total |
|---|---|---|---|---|---|
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 1 | 4 | 3 | 8 |
| Neither confirmed or denied | 0 | 0 | 0 | 0 | 0 |
| Total | 7 | 2 | 7 | 10 | 26 |
| All disclosed | 1 | 0 | 3 | 1 | 5 |
| Disclosed in part | 6 | 1 | 0 | 6 | 13 |
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
| Number of requests closed past the statutory deadline |
Principal reason - Workload |
Principal reason - External consultation |
Principal reason - Internal consultation |
Principal reason - Other |
|---|---|---|---|---|
| 354 | 332 | 10 | 0 | 12 |
2.6.2 Number of days past deadline
| Number of days past deadline | Number of requests past deadline where no extension was taken | Number of requests past deadline where an extension was taken | Total |
|---|---|---|---|
| 31 to 60 days | 6 | 17 | 23 |
| 61 to 120 days | 16 | 35 | 51 |
| 121 to 180 days | 17 | 29 | 46 |
| 181 to 365 days | 42 | 26 | 68 |
| More than 365 days | 83 | 32 | 115 |
| Total | 184 | 170 | 354 |
| 1 to 15 days | 12 | 17 | 29 |
| 16 to 30 days | 8 | 14 | 22 |
2.7 Requests for translation
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| Total | 0 | 0 | 0 |
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
Part 3 - Disclosures under subsection 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Part 4 – Requests for correction of personal information and notations
| Disposition for correction requests received | Number |
|---|---|
| Total | 0 |
| Notations attached | 0 |
| Requests for correction accepted | 0 |
Part 5 - Extensions1
5.1 Reasons for extensions and disposition of requests
| Disposition of requests | 15(a)(i) Interference with operations | 15(a)(ii) consultation - Section 70 | 15(a)(ii) consultation - Other | 15(b) translation or conversion |
|---|---|---|---|---|
| All exempted | 4 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 6 | 0 | 0 | 0 |
| Request abandoned | 12 | 0 | 0 | 0 |
| Total | 666 | 1 | 11 | 8 |
| All disclosed | 98 | 0 | 2 | 3 |
| Disclosed in part | 546 | 1 | 9 | 5 |
1Note that the CRA has an additional 6 requests which are not accounted for in sections 5.1 and 5.2, for the disposition of ‘neither confirmed nor denied’. Of this disposition, 5 requests were extended for 30 days under 15(a)(i) and 1 request was extended for 30 days under 15(b).
5.2 Length of extensions
| Length of extensions | 15(a)(i) Interference with operations | 15(a)(ii) consultation - Section 70 | 15(a)(ii) consultation - Other | 15(b) Translation or conversion |
|---|---|---|---|---|
| Total | 666 | 1 | 11 | 8 |
| 1 to 15 days | 3 | 0 | 0 | 0 |
| 16 to 30 days | 663 | 1 | 11 | 8 |
Part 6 – Consultations received from other institutions and organizations
6.1 Consultations received from other government institutions and organizations
| Consultations |
Other government institutions |
Number of pages to review |
Other organizations |
Number of pages to review |
|---|---|---|---|---|
| Total | 7 | 215 | 0 | 0 |
| Received during reporting period |
7 | 215 | 0 | 0 |
| Outstanding from the previous reporting period |
0 | 0 | 0 | 0 |
| Consultations |
Other government institutions |
Number of pages to review |
Other organizations |
Number of pages to review |
|---|---|---|---|---|
| Total | 7 | 215 | 0 | 0 |
| Closed during the reporting period |
6 | 168 | 0 | 0 |
| Pending at the end of the reporting period |
1 | 47 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government institutions
| Recommendations | Completion time - 1 to 15 days |
Completion time - 16 to 30 days |
Completion time - 31 to 60 days |
Completion time - 61 to 120 days |
Completion time - 121 to 180 days |
Completion time - 181 to 365 days |
Completion time - More than 365 days |
Total |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 3 | 2 | 1 | 0 | 0 | 0 | 0 | 6 |
| Disclose entirely | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 3 |
| Disclose in part | 0 | 2 | 1 | 0 | 0 | 0 | 0 | 3 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Completion time - 1 to 15 days |
Completion time - 16 to 30 days |
Completion time - 31 to 60 days |
Completion time - 61 to 120 days |
Completion time - 121 to 180 days |
Completion time - 181 to 365 days |
Completion time - More than 365 days |
Total |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other organization | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7: Completion time of consultations on Cabinet confidences
7.1 Requests with Legal Services
| Number of days |
Less than 100 pages processed - Number of requests | Less than 100 pages processed - Pages disclosed | 101 - 500 pages processed - Number of requests |
101 - 500 pages processed - Pages disclosed |
501 - 1000 pages processed - Number of requests |
501 - 1000 pages processed - Pages disclosed |
1001 - 5000 pages processed - Number of requests |
1001 - 5000 pages processed - Pages disclosed |
More than 5000 pages processed - Number of requests |
More than 5000 pages processed - Pages disclosed |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of days |
Less than 100 pages processed - Number of requests |
Less than 100 pages processed - Pages disclosed |
101 - 500 pages processed - Number of requests |
101 - 500 pages processed - Pages disclosed |
501 - 1000 pages processed - Number of requests |
501 - 1000 pages processed - Pages disclosed |
1001 - 5000 pages processed - Number of requests |
1001 - 5000 pages processed - Pages disclosed |
More than 5000 pages processed - Number of requests |
More than 5000 pages processed - Pages disclosed |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8 - Complaints and investigations notices received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 29 | 0 | 26 | 0 | 55 |
Part 9 - Privacy impact assessments (PIAs)
| Number of PIAs completed | 11 |
Part 10 - Resources related to the Privacy Act
10.1 Costs
| Expenditures | Amounts |
|---|---|
|
$429,906 |
|
$248,973 |
| Total | $6,288,591 |
| Salaries | $5,393,835 |
| Overtime | $215,877 |
| Goods and Services - Total | $678,879 |
10.2 Human resources
| Resources | Person years dedicated to privacy activities |
|---|---|
| Regional staff | 0 |
| Consultants and agency personnel | 2 |
| Students | 1.5 |
| Total | 76.5 |
| Full-time employees | 73 |
| Part-time and casual employees | 0 |
Page details
- Date modified: