2019–2020 Annual Report to Parliament on the Administration of the Privacy Act
Introduction
In keeping with section 72 of the Privacy Act, each year the head of every government institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act.
The following report is tabled in Parliament under the direction of the Minister of National Revenue. It describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2019, and March 31, 2020. It also discusses emerging trends, program delivery, and areas of focus for the year ahead.
The Privacy Act
The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of, and disclose individuals’ personal information. As well, it gives individuals (or their authorized representatives) a right of access to their own personal information, with limited and specific exceptions, and a right of correction and/or annotation.
Individuals who are not satisfied with an institution’s handling of their personal information or of a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.
The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to ask for information online at canada.ca/en/revenue-agency or through the CRA’s toll-free phone lines.
Table of contents
About the Canada Revenue Agency
Operational environment
Privacy management program
Policies, guidelines, and procedures
Monitoring compliance
Privacy impact assessments
Interpretation and explanation of Appendix A – Statistical report
Interpretation and explanation of Appendix B – Supplemental statistical report
Conclusion
Appendix A – Statistical report
Appendix B – Supplemental statistical report
Appendix C – Delegation order
ISSN: 2563-3465
About the Canada Revenue Agency
The Canada Revenue Agency (CRA) promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians. It does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to partner with the provinces, territories, and other government bodies (at their request and by recovering any costs) to administer enhanced services.
The Minister of National Revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.
The Board of Management (established by the Canada Revenue Agency Act) is made up of 15 directors appointed by the Governor in Council, 11 of whom are nominated by the provinces and territories. The other four directors include the Chair; the Commissioner and Chief Executive Officer of the CRA; and two directors nominated by the Government of Canada. The Board oversees the administration and management of the CRA, including the development of the Corporate Business Plan and management of policies related to resources, services, property, and personnel. In fulfilling this role, the Board brings a forward-looking strategic perspective to the CRA’s administration, fosters sound management practices, and is committed to efficient and effective service delivery.
As the CRA’s Chief Executive Officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister’s delegated authority. The Commissioner ensures that operations are guided by the CRA’s vision to be trusted, to be helpful, and to put people first. As well, the Commissioner is accountable to the Board for the management of the CRA, which includes supervising employees, implementing policies, and managing budgets. The Commissioner also assists and advises the Minister regarding legislated authorities, duties, functions, and Cabinet responsibilities.
The CRA is made up of 12 functional branches and four regional offices across the country:
Branches
- Appeals
- Assessment, Benefit, and Service
- Audit, Evaluation, and Risk
- Collections and Verification
- Compliance Programs
- Finance and Administration
- Human Resources
- Information Technology
- Legal Services
- Legislative Policy and Regulatory Affairs
- Public Affairs
- Service, Innovation, and Integration
Regions
- Atlantic
- Ontario
- Quebec
- Western
Chief Privacy Officer
The Assistant Commissioner of the Public Affairs Branch is the CRA’s Chief Privacy Officer. The Chief Privacy Officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the Chief Privacy Officer:
- oversees decisions related to privacy, including privacy impact assessments
- champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
- reports to the CRA’s senior management at least twice a year on the state of privacy management at the CRA
The CRA's Chief Privacy Officer is a member of the Conference Board of Canada Council for Chief Privacy Officers.
Access to Information and Privacy Directorate
The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the directorate:
- responds to requests and questions under the Access to Information Act and the Privacy Act
- responds to consultations, complaints, and informal disclosure requests
- offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
- co-ordinates the privacy impact assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid or reduce risks
- gives training and awareness sessions on access to information and privacy
- responds to and manages privacy breaches, inquiries, and complaints
- communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and audits
- fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on administering the Access to Information Act and the Privacy Act
The Director of the Access to Information and Privacy Directorate has the full delegated authority of the Minister of National Revenue under the Access to Information Act and the Privacy Act. The Director also manages and coordinates the access to information and privacy program, leads strategic planning and development initiatives, and supports the Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer of the CRA in their role of privacy governance. The Director is supported by the Directorate Management Committee.
The directorate supports two main functions: processing and program support, which includes privacy management. In addition to the directorate’s headquarters office in Ottawa, the directorate has an office in Vancouver and an office in Montréal. In 2019–2020, an equivalent of 155 full-time employees administered the Access to Information Act and the Privacy Act.
Delegating responsibilities under the Privacy Act
As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers and complies with the Privacy Act, Privacy Regulations, and related Treasury Board of Canada Secretariat policies. Section 73 of the Privacy Act gives the Minister the authority to designate one or more CRA officials to perform all or part of the Minister’s powers, duties, and functions under the Act.
The Minister of National Revenue signed the CRA’s current delegation order for the Privacy Act on January 14, 2016 (Footnote 1). The order identifies specific provisions of the Privacy Act and its Regulations that the Minister delegated to various positions within the CRA.
The Access to Information and Privacy Directorate’s Director and assistant directors, as well as managers of the units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, and the Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer.
For the delegation order and schedule, see Appendix C.
Operational environment
As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Government of Canada. In addition, the CRA collects and manages the personal information for its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information and the CRA takes the protection of that information very seriously.
During the reporting period, the Access to Information and Privacy Directorate enhanced the CRA’s privacy management program. This enhancement included establishing the Privacy Management Framework, privacy governance structure, and privacy strategy. The framework is available in full at canada.ca/en/revenue-agency/corporate/security/privacy-management-framework. For more details, see the Privacy management program section of this report.
Although the number of requests received under the Privacy Act in 2019–2020 is consistent with the 2018–2019 fiscal year, it is still more than the Access to Information and Privacy Directorate has the capacity to process. In fact, the directorate processes among the largest volume of requests and pages of any federal institution. According to the most recent statistics from the Treasury Board of Canada Secretariat, in 2018–2019 the CRA processed the second largest volume of pages (over two million) of any federal institution and received the fourth largest number of requests.
As shown in this report, many employees in the directorate are also carrying out other workloads, such as consultations, complaints, and other privacy-related initiatives within the CRA. Because of this increasing demand on the access to information and privacy program, the CRA developed a workload management plan, known as ATIP Way Forward, in 2018–2019. In 2019–2020, a project manager led the implementation of key changes in the plan. Among these changes was a significant amendment to the organizational structure of the directorate, which will be implemented fully in 2020–2021. For more details, see the Organizational changes section in this report.

Privacy Act requests trend
- In 2015–2016, 3,048 requests were received, 2,723 were completed, 476,832 pages were processed
- In 2016–2017, 3,174 requests were received, 3,400 were completed, 1,086,917 pages were processed
- In 2017–2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed
- In 2018–2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed
- In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed
ATIP Way Forward - a workload management plan
In 2018–2019, the Access to Information and Privacy Directorate’s senior management team developed the ATIP Way Forward workload management plan. The plan is designed to resolve the high volume of requests and the CRA’s backlog by building sustainable, long-term solutions.
In 2019–2020, key changes made to enhance productivity and efficiency in the Access to Information and Privacy Directorate included:
- implementing Agile principles and practices in the Access to Information and Privacy Directorate, like Lean continuous improvement, which is a methodology the directorate adopted in 2017
  - Agile means working in a highly responsive way that allows for the enhanced delivery of services and products; the project manager trained employees in Agile principles and practices, and most teams practised elements such as daily scrums
- organizing and centralizing the administrative services in the headquarters’ Access to Information and Privacy office
- enhancing reporting on the targets for the backlog and carryforward
- expediting staffing processes
- submitting two business cases and succeeding in getting more funding to enable staffing processes to increase the directorate’s workforce
- researching (in collaboration with the Finance and Administration Branch and the Information Technology Branch), in support of the Government of Canada’s commitment to enhance digital services, whether the directorate could use epost to securely release records electronically (Footnote 2)
- establishing a new centralized complaints team pilot project – a team of employees in the headquarters and Montréal offices was tasked with addressing all non-administrative complaints
  - centralizing complaints allows analysts and managers to better focus on their main workload, improves consistency in addressing complaints, and enables better collection and analysis of complaint statistics
Organizational changes
As part of the ATIP Way Forward workload management plan, in 2019–2020 the Access to Information and Privacy Directorate extensively reviewed its organizational structure. Previously, the organizational structure had not been reviewed or updated since 2014. However, the directorate’s work has evolved significantly since then. Not only has the workload increased in volume and complexity, it is now more strategic in nature. The directorate also has an expanded role in the CRA in advising on, monitoring, and supporting compliance with sound privacy and access to information management practices.
As a result of the review, the directorate made temporary adjustments to its organizational structure in 2019–2020 to allow for a greater focus on data analytics, designing the new organizational structure, and managing the plan.
After more review and consultation, a new organizational structure was proposed and approved. The initial changes come into effect early in the 2020–2021 fiscal year. The new structure will support the growth of the directorate, increase its productivity, and increase its capacity to address the expanded access and privacy role within the CRA. Among other changes, the new structure changed the level of the Director of the Access to Information and Privacy Directorate to a director-general level and added two new director roles. Over the 2020–2021 fiscal year, the new structure will be implemented and hiring will take place to fill the new roles as well as other positions.
The Directive for the Disclosure of Taxpayer and Other Information outlines the accountabilities of CRA officials for informal and formal disclosures. To supplement the directive, in 2018–2019, the CRA launched an informal disclosure course. The course is targeted to subject-matter experts who need a comprehensive understanding of the disclosure of protected information to taxpayers under program legislation. Additionally, an informal disclosure page was launched on the CRA’s intranet site; this page provides guidance and resources in support of expanded informal disclosure.
Human resources
In 2019–2020, the Access to Information and Privacy Directorate undertook many staffing actions to increase its capacity to manage the growing workload. This included launching SP-04, SP-05, and SP-07 staffing processes (Footnote 3). The SP-07 staffing process was critical to staffing the directorate’s privacy team.
Outreach and recruitment with post-secondary institutions also took place during the fiscal year and focused on the paralegal and legal assistance fields.
In headquarters, a desk-sharing initiative was launched to maximize the use of space for new employees joining the directorate.
Modernizing the Access to Information Act and the Privacy Act
On June 21, 2019, Bill C-58, An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts, received royal assent.
Extensive work, including briefings and training, took place up to and upon royal assent to ensure the CRA was ready. Although the primary focus of the bill is on the Access to Information Act, it does include related amendments to the Privacy Act.
The amended Access to Information Act reinforces the Government of Canada’s commitment to improve accountability and increase openness and transparency by offering greater access to government records. This includes a new requirement to proactively publish a broad range of information known to be of interest to the public. This information includes the following records prepared for ministers or deputy heads: transition material, question period responses, parliamentary committee appearance briefing binders, travel and hospitality expenses, and titles and tracking numbers of briefing notes.
Although the amended Act allows for a more open and transparent government, the public’s right to know must be balanced by a person’s right to privacy, as outlined in the Privacy Act. This new legislation does not require the release of information that a response to an access to information request would normally withhold, such as Cabinet confidences, solicitor-client privilege, and personal information.
During the fiscal year, the Access to Information and Privacy Directorate provided oversight to make sure program areas posted their required proactive disclosures within the legislated timeline. The directorate was also responsible for reviewing the briefing note titles and tracking numbers, transition material, and question period responses to determine if sensitive information needed to be protected according to legislation. The directorate also managed the publication of the briefing note titles and tracking numbers.
The Privacy Act is also being modernized. During the fiscal year, the Department of Justice Canada requested feedback from federal institutions, including the CRA, on the technical and legal considerations to take into account in modernizing the Act. The departments were asked to base their feedback on their experiences and mandates involving the collection, use, and sharing of personal information. In support of the review, Justice Canada circulated five discussion papers for feedback. The Access to Information and Privacy Directorate took the lead in collaborating on the development of a single submission for the CRA.
In 2020–2021, the CRA will continue to work closely with Justice Canada and other stakeholders on the Government of Canada’s commitment to modernize the Privacy Act.
Informal disclosure
The CRA continually explores ways to get information to clients in the fastest and most efficient way. One of these ways is informal disclosure. Informal disclosure provides information without the need to make a request under the Access to Information Act or the Privacy Act. Examples of information provided informally are copies of tax slips and CRA policies and manuals. The Access to Information and Privacy Directorate receives a significant number of Privacy Act requests that could potentially be redirected to informal channels. These are referred to as “fast-track requests”.
In April 2019, the Access to Information and Privacy Directorate, along with other government departments, met with the Office of the Privacy Commissioner of Canada to discuss ways to improve informal disclosure across government.
Training
The Access to Information and Privacy Directorate is committed to promoting and providing access to information and privacy training to CRA employees. This training varies depending on the needs of the employees. For instance, employees who have little or no knowledge of the subject are encouraged to take the Canada School of Public Service’s Fundamentals of Access to Information and Privacy course or its Access to Information in the Government of Canada course. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests.
The CRA’s Legal Services Branch provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release in CRA reading rooms, on informal disclosure, and on the legal interpretation of the Access to Information Act and the Privacy Act for specialized CRA staff such as auditors.
In 2019–2020, more than 3,800 CRA employees across Canada participated in instructor-led in-person and online training related to access to information and privacy. In total, this fiscal year:
- 1,222 employees participated in 50 training sessions given by the CRA
- 823 employees took the Canada School of Public Service Fundamentals of Access to Information and Privacy course
- 41 employees attended the Canada School of Public Service Access to Information in the Government of Canada course
- 1,778 employees participated in specialized training given by the Legal Services Branch
As needed, members of the privacy team delivered interactive privacy sessions during the Public Affairs Branch onboarding events. Additionally, the Director of the Access to Information and Privacy Directorate gave a presentation to the Branch Management Committee on the importance of privacy management. The Chief Privacy Officer also delivered a presentation to the Security and Internal Affairs Directorate on how privacy and security are interconnected.
In 2019–2020, the CRA continued to offer its suite of 10 web-based modules, which consist of specialized technical training, to employees of the Access to Information and Privacy Directorate. This series of modules is the first of its kind for access to information and privacy professionals in the Government of Canada.
In November 2019, the Access to Information and Privacy Directorate participated in the International Association of Privacy Professionals certification training. The course prepares participants to become certified as information privacy professionals and focuses on Canadian privacy laws and practices.
Raising awareness
In 2019–2020, beyond the work the CRA completed to enhance its privacy management program, the Access to Information and Privacy Directorate worked on many projects to make employees more aware of their privacy-related roles and responsibilities.
For the eighth consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many other institutions internationally to promote Data Privacy Day. On that day, individuals are informed about the impact technology has on privacy rights and the importance of protecting personal information.
In 2019–2020, the CRA’s Data Privacy Day campaign promoted the launch of its new Privacy Management Framework. This framework explains how the CRA manages privacy and includes its privacy vision, guiding principles, and privacy commitment. For more information about the Privacy Management Framework, see the Policies, guidelines, and procedures section.
Throughout the year, the Access to Information and Privacy Directorate also raised awareness about access to information and privacy and the role they play in supporting sound privacy management. This awareness-raising included multiple committee meetings and regular communication with CRA employees in the offices of primary interest.
Collaborating with oversight bodies and other organizations
The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat and other organizations to strengthen privacy at the CRA. Notably, in 2019–2020:
- the CRA communicated frequently with the Office of the Privacy Commissioner of Canada on various subjects including privacy breaches, privacy impact assessments, and the COVID–19 benefit programs the CRA helped administer
- the CRA worked closely with the Treasury Board of Canada Secretariat to implement Bill C-58, develop draft corporate policy instruments, and collaborate on responding to the COVID–19 pandemic as it related to the access to information and privacy program
- the CRA participated in the Department of Justice Canada’s consultation process on the modernization of the Privacy Act
- the CRA’s privacy and security officials met with Employment and Social Development Canada several times to share best practices on how to protect personal information. Both departments also worked closely together to ensure all privacy implications were considered in the implementation of the COVID–19 benefit programs
- the Chief Privacy Officer met with his counterparts from several countries to discuss their respective privacy management programs
COVID–19
On March 11, 2020, COVID–19 was designated by the World Health Organization to be a controllable pandemic. On March 16, most CRA employees were asked to work from home in an effort to prevent the spread of the illness.
The CRA played a critical role in providing financial assistance and services to Canadians during the initial stage of the pandemic. Most employees across the CRA focused their efforts on facilitating benefit programs to assist Canadians. The Access to Information and Privacy Directorate’s privacy team played a critical role in ensuring that all privacy implications were considered when the benefit programs were implemented and that timely briefings took place across the CRA, with Employment and Social Development Canada, and with the Office of the Privacy Commissioner of Canada.
Since the CRA’s priority was critical services, the CRA temporarily suspended the processing of access to information and privacy requests. It did this for several other reasons as well, including employees being unable to physically enter the office, the lack of access to computer equipment, and the lack of access to records.
During this period, the Access to Information and Privacy Directorate worked toward a business resumption plan to process requests, and it collaborated closely with the Treasury Board of Canada Secretariat and coordinators in the access to information and privacy community.
The impact of COVID–19 on operations is very significant and will further affect the backlog of privacy requests in the Access to Information and Privacy Directorate. The reduction of the backlog will continue to be a high priority for the directorate moving forward.
See Appendix B for more information about how this period from March 14 to March 31, 2020, affected the processing of privacy requests.
Privacy management program
Enhancing the privacy management program
The privacy landscape has evolved dramatically over the past few years and continues to change at an increasing pace. Some of these changes include:
- new technologies such as business and artificial intelligence, biometrics, quantum computing, cloud computing, and others that present new challenges for the protection of personal information
- recent national and international privacy breaches that have created a heightened awareness of potential privacy issues and caused government institutions to evaluate their privacy practices
- the modernization of privacy legislation worldwide in response to these developments (for example, General Data Protection Regulation, California Consumer Privacy Act, and Privacy Act review)
The CRA is aware of the necessity to adapt its privacy management program as the privacy landscape evolves. In 2019–2020, enhancing the CRA’s privacy management program under the leadership of the CRA’s Chief Privacy Officer was a major focus for the CRA.
During the year, the CRA enhanced the program based on Privacy by Design principles, where privacy is systemically embedded into business practices and systems. After extensive CRA-wide and external consultations, the CRA established the CRA Privacy Management Framework, privacy governance structure, privacy strategy, as well as other components, such as proposed staffing and training plans. CRA-wide privacy breach procedures were also drafted.
In 2020–2021, the CRA plans to enhance the privacy content on the CRA’s webpages, including the CRA’s privacy statement, to provide Canadians with information on how their information is managed. The CRA also plans to finalize the updated privacy breach procedures. For more details, see the next section, Managing privacy breaches.
During the fiscal year, after several external national and international high-profile privacy breaches, the Personal Information Incident Working Group was established. The mandate of the working group is to facilitate horizontal collaboration and decision-making on emerging issues related to suspicious activities and incidents involving personal information. The working group played a key role in the consultation phase to develop CRA privacy breach procedures.
Significant work also took place during the fiscal year to launch the Agency Privacy Council. The mandate of the council, an assistant-commissioner-level committee, is to facilitate a horizontal approach to privacy governance, identify privacy risks, and outline mitigation strategies for the CRA. The inaugural meeting of the council will take place early next fiscal year.
The Access to Information and Privacy Oversight Review Committee, an assistant-commissioner-level committee chaired by the CRA’s Chief Privacy Officer, met just once early in the fiscal year as the CRA reviewed its privacy governance needs. The structure and mandate of this committee will be reviewed in 2020–2021.
Also, next fiscal year, to further support privacy management in the CRA, there will be significant organizational changes within the privacy team. The new organizational structure of the privacy team will require additional resources to better address the demands on the CRA because of the changing privacy landscape.
Managing privacy breaches
One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the integrity and the protection of taxpayers’ information very seriously and keeps its controls and sanctions very strong to prevent privacy breaches. Despite the effectiveness of the many controls in place, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.
Following an external high-profile privacy breach, the CRA’s Chief Privacy Officer was called to participate in a meeting in July 2019 in front of the Standing Committee on Public Safety and National Security. During the appearance, the Chief Privacy Officer described the strong protocols the CRA has in place to protect the personal information of Canadians.
This year, the CRA’s Security and Internal Affairs Directorate informed the Access to Information and Privacy Directorate of 39 incidents of alleged or confirmed improper access or disclosure of personal information by CRA employees. Founded misconduct is dealt with promptly and appropriately. If criminal activity is suspected, the matter is referred to the proper authorities. All CRA employees receive mandatory and ongoing security training, which includes the protection of taxpayer information.
The Access to Information and Privacy Directorate also received 32 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada. For more information, see Part 8 – Complaints and investigation notices received.
In 2019–2020, most privacy breaches at the CRA resulted from misdirected mail, that is, mail that has been incorrectly addressed or sent to the wrong person. Misdirected mail incidents represent 0.003% of the 110 million pieces of mail the CRA handles each year.
The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2019–2020, the CRA reported six significant privacy breaches to these departments. Of these, four involved loss of information, one involved the unauthorized use of taxpayer information, and one involved the unauthorized access of taxpayer information by a CRA employee.
The CRA continues to improve internal processes and systems to further protect taxpayer information. These controls include monitoring employee access to taxpayer information, limiting employees’ access permissions to only the information required to carry out their job, and regularly reviewing employee access to CRA systems.
Policies, guidelines, and procedures
The Access to Information and Privacy Directorate dedicated significant time in 2019–2020 to the review of CRA corporate documents, including policy instruments, to make sure that the role of the CRA’s Chief Privacy Officer and privacy implications were considered.
Furthermore, the CRA continues to provide feedback to the Treasury Board of Canada Secretariat on draft corporate policy instruments and promote compliance once those policy instruments are implemented.
Privacy Management Framework
In January 2020, the CRA launched the CRA Privacy Management Framework. The framework is a reference document for Canadians and explains the CRA’s vision, objective, and commitment to privacy.
In the framework, the CRA introduces its five privacy guiding principles. These principles are embedded into the development, operation, and management of all programs, processes, solutions, and technologies involving personal information. The principles are:
- We value and respect the client data in our possession and help our clients clearly understand how and why we are using it.
- We support our employees in understanding their data handling responsibilities, and we respond to our clients’ requests promptly and helpfully to drive a seamless and efficient experience.
- We put our clients at the heart of all changes and improvements to our service delivery by adopting innovative practices and including Privacy by Design principles into all that we do.
- We collaborate with our employees and integrate effective and secure client data management across the CRA to foster a holistic approach to building and maintaining client trust.
- We decide how we handle client data in line with legislative obligations and leading privacy practices and based on ethical standards.
The framework also defines the CRA’s commitment to promote collaboration across all branches and the adoption of the Privacy by Design principles. Privacy management is described in the framework as a responsibility shared by all CRA employees.
The framework is available in full at canada.ca/en/revenue-agency/corporate/security/privacy-management-framework.
Internal procedures manual
The internal procedures manual is an Access to Information and Privacy Directorate guide for all major procedures involved in processing requests made under the Access to Information Act and the Privacy Act. The purpose of the manual is to promote consistent practices across the directorate.
In 2019–2020, the Access to Information and Privacy Directorate drafted an online version of the manual. In 2020–2021, the directorate plans to make the final version of the online manual available to employees.
Updating Info Source
Info Source provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. Info Source also provides guidance to individuals on how to access information held by government institutions to exercise their rights under these acts.
Each institution subject to the Access to Information Act and the Privacy Act must update its Info Source chapter annually by the due date set by the Treasury Board of Canada Secretariat, normally in June.
Because of COVID–19’s impact and the operational realities that faced government institutions, the Treasury Board of Canada Secretariat recognized that institutions may be unable to meet the June publishing deadline in 2020. Since many of its program areas were focused on providing critical services, the CRA decided not to task them with the Info Source update. Therefore, the Access to Information and Privacy Directorate updated the Treasury Board of Canada Secretariat on the information the directorate had already reviewed during the fiscal year.
The CRA's Info Source chapter can be found at canada.ca/cra-info-source.
Monitoring compliance
The Access to Information and Privacy Directorate produces several monthly reports that capture key statistics about the CRA’s inventory of access to information and privacy requests. Management regularly uses the reports to monitor trends, measure the directorate’s performance, and identify any process changes needed to improve performance. The reports are presented monthly to senior management at the Commissioner-chaired Corporate Management Committee.
In 2019–2020, the access to information and privacy business analytics team reviewed the existing reports and introduced new reports to improve awareness of outstanding access to information and privacy requests. The reports monitor active and closed requests, the status of requests broken down by branch and region, the carryforward inventory, and deemed refusal volumes.
In addition to the monitoring and reporting mechanisms in place, the CRA’s work to develop enhanced business analytics for its access to information and privacy program continued in 2019–2020. The directorate’s database, which is used for monitoring and reporting, is primarily designed for workload management.
To improve the capability of business analytics, the business analytics team acquired the open analytics solution SAS Viya and made sure all team members were trained in the SAS Enterprise and SAS Viya tools. As well, the team developed the use of SQL coding to query the database and access data that was unavailable using the standard interface. Each month, they ran a database cleanup and established a routine of running a weekly anomaly report to ensure the best maintenance of the database.
In 2020–2021, the team plans to pursue the ability to query the database directly from the SAS software. An overall goal is to use business analytics to develop the directorate as a more data-driven organization.
Privacy impact assessments
The CRA has completed 61 privacy impact assessments since implementing the Privacy Impact Assessment Plan in 2014.
Summaries of completed privacy impact assessments
The CRA completed 12 privacy impact assessments during the 2019–2020 reporting period. As well, it reviewed a significant number of initiatives to assess potential privacy impacts. This review looked at documents such as privacy assessment determination questionnaires, threat and risk assessments, local application solutions, and written collaborative arrangements.
In line with the Treasury Board of Canada Secretariat’s Directive on Privacy Impact Assessment, the CRA publishes summaries of completed privacy impact assessments. These summaries are available at canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.
The following is an overview of the summaries the CRA completed and sent to the Office of the Privacy Commissioner of Canada and to the Treasury Board of Canada Secretariat for review in 2019–2020.
Business Intelligence Research and Development Environment version 2.0
To fulfill its mandate and manage the organization internally, the CRA collects and creates a significant amount of data. The CRA uses the data to gain insight into its programs and activities, make strategic changes, and take appropriate actions in support of its mandate. The information from the data also helps the CRA support the fairness and integrity of Canada’s tax system by enabling it to better enforce compliance. To be able to detect, deter, predict, and correct the behaviours of non-compliant taxpayers and benefit recipients, the CRA needs to be aware of their behaviours.
The first privacy impact assessment (version 1.0) of the Business Intelligence Research and Development Environment was completed in the 2016–2017 fiscal year. It has been updated this fiscal year (version 2.0) to assess recent program activities related to the business intelligence research and development environment.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-intelligence-research-development-environment-v2.
Business Number and Program Account Registration Program
The Business Number and Program Account Registration Program provides and administers business numbers. The business number, which the CRA introduced in 1994, allows the CRA to identify a specific business (or other organization such as a charity) for tax matters. As well, the business number system stores information about businesses. Other CRA programs, as well as other federal and provincial government departments, use this system as a central source to retrieve that data.
The privacy impact assessment identifies, assesses, and lessens any privacy risks associated with this program. These risks include collecting, using, and disclosing personal information with federal, provincial, and municipal partners.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-number-program-account-registration.html.
Corporation Returns and Payment Processing Program version 2.0
The Corporation Returns and Payment Processing Program assesses T2 corporation income tax returns for resident and non-resident corporations, and processes special elections and returns. The program also processes the payments for those returns and administers provincial taxes and credits harmonized with the federal T2 return for all provinces except Quebec and Alberta. As well, the program is responsible for administering information specific to treaty agreements with foreign governments, under the authority of a tax treaty, so that corporations are not double-taxed.
The first privacy impact assessment (version 1.0) of the Corporation Income Tax Return Assessment Program was completed in the 2017–2018 fiscal year. It has been updated (version 2.0) to reflect the use of a new system to capture special elections forms and returns and to more accurately reflect operating practices.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/corporation-returns-payment-processing-program.
Corporations and GST/HST compliance programs
Corporations and GST/HST compliance programs, administered under the CRA’s returns compliance framework, encourage businesses and trusts to file on time and educate them about their tax obligations. The programs conduct the following activities:
- review GST/HST and corporation returns after assessment
- review new business number registrations
- promote the registration, filing, and remitting requirements of GST/HST accounts and of other levies accounts (for example, cannabis, fuel charge, and air travellers security charge)
- conduct examinations of GST/HST accounts and other levies accounts
The privacy impact assessment on these programs was completed to register a new personal information bank because the CRA’s program structure and activities were reorganized. As well, because of recent legislative changes related to cannabis and fuel charges, the inventory for these programs now includes additional business return types.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/corporations-gst-hst-compliance-programs.
Film and Media Tax Credits Program
Film and media tax credits are federal and provincial tax incentives designed to encourage the film and media production industry in Canada. More specifically, they are designed to encourage the film and media production industry to hire Canadians since most of the tax credits are labour based.
The privacy impact assessment of this program assessed all its activities that relate to the provisions of the Income Tax Act regarding the film and media production industry in Canada.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/film-media-tax-credits.
Individual Returns Assessment Program
This program helps individuals voluntarily comply with Canada’s tax laws by processing their information and payments as quickly and accurately as possible, and by giving them the results of their assessment or reassessment.
The privacy impact assessment identifies and assesses the privacy risks to personal information from processing individual taxpayer income tax returns for the federal government and for most provinces and territories. The processing includes initial assessments, payments, validations, accounting, and adjustments, as well as determining eligibility for various refundable amounts.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-returns-assessment-program.
Leads Program version 2.0
The main role of the Leads Program is to coordinate and review all domestic leads received from the public to help the CRA identify taxpayers who are not complying with their tax obligations. The Leads Program gives the public the chance to come forward and anonymously report suspected cases of non-compliance with the tax laws the CRA administers.
The CRA completed the first privacy impact assessment (version 1.0) of the Leads Program in the 2011–2012 fiscal year. It updated the assessment this fiscal year to address the changes to the program, including new procedures and a modern records retention strategy.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/leads-program-v2.
Monitoring of Electronic Access to Taxpayer Information version 2.0
The CRA monitors internal electronic access to taxpayer information to prevent, monitor, and detect internal fraud or misuse and unauthorized access to electronic taxpayer information. The CRA has procured an Enterprise Fraud Management solution tool that enables the CRA to proactively identify questionable user activities. This tool uses business intelligence, such as detection models and data matching, to perform trend and pattern analysis.
Version 1.0 of the privacy impact assessment was completed in the 2017–2018 fiscal year. It has been updated (version 2.0) to assess the use of the Enterprise Fraud Management solution tool and the new sources of employee personal information being captured.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/monitoring-electronic-access-taxpayer-information-v2.
Office of the Taxpayers’ Ombudsman Program
The Office of the Taxpayers' Ombudsman program impartially examines unresolved service complaints from taxpayers and benefit recipients who feel the CRA has treated them unfairly. The office generally receives complaints online, by mail, or by fax. As well, plaintiffs can call the Office of the Taxpayers’ Ombudsman’s general inquiry line for information before submitting a complaint. Details of the call will be logged in the General Enquiry phone log.
The privacy impact assessment identifies and assesses privacy risks involved in collecting personal information relating to the Office of the Taxpayers’ Ombudsman program activities.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/office-taxpayers-ombudsman.
Scientific Research and Experimental Development Program version 3.0
The Scientific Research and Experimental Development Program is a federal tax incentive program. It is designed to encourage Canadian businesses of all sizes and in all sectors to conduct scientific research and experimental development in Canada.
The first privacy impact assessment (version 1.0) of this program was completed in the 2016–2017 fiscal year and version 2.0 in 2017–2018. The privacy impact assessment has been updated (version 3.0) to reflect changes to the program. These changes include new retention and disposition authorities, new data sources, and new data disclosures.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/scientific-research-experimental-development-v3.
VidCruiter Pilot
The CRA’s Human Resources Management Program enables effective people management by providing services that support the workforce and workplace excellence. The program is exploring video interview technology as a way to be more flexible in evaluating candidates in a staffing process. We contracted the Canadian company VidCruiter Inc. to provide online recorded video interviewing services.
The privacy impact assessment was completed to assess privacy risks to personal information relating to asynchronous (recorded) video interviewing in a staffing process.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/vidcruiter.
Voluntary Disclosures Program
The purpose of the Voluntary Disclosures Program is to promote voluntary compliance with the provisions regarding the accounting and payment of duty and tax in the Income Tax Act; Excise Tax Act; Excise Act, 2001; Air Travellers Security Charge Act; and the Softwood Lumber Products Export Charge Act, 2006. The Voluntary Disclosures Program encourages taxpayers to come forward and correct errors or omissions so they meet their legal obligations.
The privacy impact assessment identifies and assesses privacy risks to personal information that relate to administering the Voluntary Disclosures Program’s activities.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/voluntary-disclosures-program.
Interpretation and explanation of Appendix A – Statistical report
Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2019, to March 31, 2020. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.
Notes
Some totals may be more than 100% due to rounding.
Due to COVID–19, the Access to Information and Privacy Directorate did not close any personal information requests received under the Privacy Act from March 14 to 31, 2020.
Part 1 – Requests under the Privacy Act
During the reporting period, the CRA received 4,895 new requests under the Privacy Act. This is an increase of 106 requests (2%) from last year’s total of 4,789 requests. Including the 703 requests carried forward from the 2018–2019 reporting period, the CRA had 5,598 active requests in its inventory.
The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past five fiscal years. The number of requests received has increased significantly and the number of pages processed has more than doubled since 2015–2016.
Fiscal year | Requests received | Requests completed | Pages processed |
---|---|---|---|
2015–2016 | 3,048 | 2,723 | 476,832 |
2016–2017 | 3,174 | 3,400 | 1,086,917 |
2017–2018 | 3,791 | 3,821 | 920,251 |
2018–2019 | 4,789 | 4,599 | 896,837 |
2019–2020 | 4,895 | 4,728 | 1,115,075 |
Other requests and workload
Beyond the 4,895 requests received under the Privacy Act, the CRA processes a high volume of other requests. The additional volume significantly affects operations since resources must be diverted to manage this workload. These additional requests include external and internal consultations, general enquiries, and complaints. For instance, during the fiscal year, the Intake Team of the Access to Information and Privacy Directorate responded to 3,905 emails and 1,013 phone enquiries received through the general enquiries mailbox and toll-free phone line.
Part 2 – Requests closed during the reporting period
Disposition and completion time
The CRA continues to complete a record number of privacy requests. The disposition of the 4,728 requests closed is as follows:
- 2,078 were fully disclosed (44%)
- 1,747 were disclosed in part (37%)
- 2 were exempted in their entirety (0.04%)
- 36 resulted in no existing records (0.8%)
- 862 were abandoned by requesters (18%)
- 3 were neither confirmed nor denied (0.06%)
129 (3%) more requests were closed in 2019–2020 than in 2018–2019.
The following chart shows the completion times for the 4,728 requests closed.
Completion time
- 2,354 (50%) in 30 days or under
- 1,775 (38%) from 31 to 60 days
- 344 (7%) from 61 to 120 days
- 255 (5%) in 121 days or more
For more details, see table 2.1 of Appendix A.
Exemptions
The Privacy Act allows an institution to refuse access to specific information when necessary. For example, information about an individual other than the requester cannot be disclosed if the individual has not given consent. For detailed information on each of the exemptions that may be applied, consult section 18 of the Privacy Act.
In 2019–2020, the CRA applied the following exemptions, in full or in part, for the 4,728 requests closed during the reporting period:
- section 19 – Personal information obtained in confidence (27 times)
- section 22 – Law enforcement and investigation (625 times)
- section 25 – Safety of individuals (1 time)
- section 26 – Information about another individual (1,316 times)
- section 27 – Solicitor-client privilege (452 times)
- section 28 – Physical or mental health of individuals (3 times)
Exclusions
The Privacy Act does not apply to information that is publicly available, such as information in government publications, libraries, and museums. Also, the Act does not apply to Cabinet confidences.
In 2019–2020, the CRA did not apply any exclusions for information that was publicly available or a Cabinet confidence.
Format of information released
Requesters can choose to receive their response package in paper or DVD format. Persons with disabilities may request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically (in DVD format) significantly reduces manual processes and paper consumption.
In 2019–2020, of the 3,825 requests for which information was disclosed in full or in part, 2,742 requests (72%) were released in electronic format.
Complexity
In 2019–2020, the directorate processed an average of 238 pages per request.
The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process, and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests.
For example, to respond to the 4,728 requests closed during the fiscal year, the CRA processed 1,115,075 pages. Of the 3,825 requests for which records were disclosed, 1,236 (32%) involved processing more than 100 pages: 206 of these involved processing more than 1,000 pages and 15 involved processing more than 5,000 pages, including one request that required the review of 45,530 pages. For more details, see table 2.5.2 of Appendix A.
Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see table 2.5.3 of Appendix A.
Closed requests
The Access to Information and Privacy Directorate closed 4,199 (89%) requests within the timelines required by law. This means that responses were provided within 30 calendar days or within an extended deadline.
Deemed refusals and requests closed beyond legislated timelines
A deemed refusal is a request closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.
Of the 4,728 requests closed during the reporting period, 529 were closed after the deadline, resulting in a deemed refusal rate of 11%.
Requests for translation
Records are normally released in the language they exist in. However, records may be translated to an official language when requested and when the institution considers a translation or interpretation to be necessary to enable the individual to understand the information.
The CRA received two requests for translation in 2019–2020 and both were fulfilled.
Part 3 – Disclosures under subsections 8(2) and 8(5)
Subsection 8(2) of the Privacy Act states that, subject to confidentiality provisions in other acts of Parliament, personal information may be disclosed without consent in limited and specific circumstances, for example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under subsection 8(2), notice must be provided to the Privacy Commissioner of Canada.
During the reporting period, there were no disclosures of personal information under paragraphs 8(2)(e) and (m) and subsection 8(5) of the Privacy Act. For more details, see Part 3 of Appendix A.
Part 4 – Requests for correction of personal information and notations
Part 5 – Extensions
The Privacy Act sets the required timelines for responding to privacy requests. Time extensions are allowed under these circumstances:
- meeting the original time limit would unreasonably interfere with operations
- there is a need to consult (for example, with a government institution or third party)
- there is a need to translate or convert records into another format
Of the 4,728 requests closed in 2019–2020, the CRA applied extensions to 2,008 (42%) of them. In 99% of these cases, the extension was applied because of workload: meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining extensions were for internal consultation, translation, and conversion of records into other formats.
Of the 2,008 extensions, eight were for 1 to 15 days in length, while the remaining 2,000 were for 16 to 30 days in length.
Part 6 – Consultations received from other Government of Canada institutions and organizations
In 2019–2020, the Access to Information and Privacy Directorate received and closed eight external consultation requests from other government institutions and organizations. To respond to these requests, 928 pages were reviewed. For more details, including disposition and completion times, see tables 6.1 and 6.2 of Appendix A.
Internal consultations
The following chart shows the trend for internal privacy consultation requests received over the past five years.

Internal privacy consultation trends
Fiscal year | Internal privacy consultation requests received | Pages processed |
---|---|---|
2015–2016 | 202 | 5,837 |
2016–2017 | 253 | 5,311 |
2017–2018 | 328 | 11,033 |
2018–2019 | 341 | 6,899 |
2019–2020 | 288 | 10,318 |
Part 7 – Completion time of consultations on Cabinet confidences
Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their legal services office to determine if requested information should be excluded. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.
In 2019–2020, the CRA did not apply any exclusions for Cabinet confidences.
Part 8 – Complaints and investigation notices received
In 2019–2020, the CRA received 39 complaints under the Privacy Act related to privacy requests – this represents a decrease of 17% compared to 2018–2019. The complaints received were related to the following issues:
- time delay (27)
- non-disclosure (8)
- refusal due to exemption (1)
- refusal due to general reasons (1)
- time extensions (2)
In addition, the CRA received 38 early resolution complaints: 23 of those were escalated to formal complaints, 6 were closed because the Office of the Privacy Commissioner of Canada determined in the early resolution process that there was no need to complete a formal investigation, and 9 were carried over to the next fiscal year.
During the fiscal year, the CRA closed 53 complaints – this represents a 152% increase in the number of complaints closed compared to the previous fiscal year. No complaints were pursued to the Federal Court.
The following chart shows the disposition of the 53 complaints closed during the fiscal year.

Complaint dispositions
- 1 (2%) settled
- 9 (17%) not well-founded
- 3 (6%) resolved
- 40 (75%) well-founded
For definitions of the disposition categories, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf/.
The Access to Information and Privacy Directorate received 32 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada during the reporting period. These complaints were not related to Privacy Act requests. The directorate closed 42 complaints and allegations during the reporting period, which included outstanding complaints and allegations from previous reporting periods.
Part 9 – Privacy impact assessments and personal information banks
During the reporting period, the CRA sent 12 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is given earlier in this report.
A personal information bank must be created in Info Source for any collection or grouping of personal information under the control of a government institution that has been used, is being used, or is available for use for an administrative purpose by a program or activity of an institution. The personal information bank must include how the information is organized and retrieved (for example, a person's name, an identifying number or symbol, or other means). Personal information banks are legislated by section 10 of the Privacy Act. During the fiscal period, there were 45 active personal information banks. In the same period, two were created and six were modified.
Part 10 – Material privacy breaches
The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2019–2020, the CRA reported six material privacy breaches to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.
Part 11 – Resources related to the Privacy Act
Costs
During the 2019–2020 fiscal year, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $8,629,697. This does not include significant support and resources from CRA branches and regions. For more details, see table 11.1 in Appendix A.
Human resources
Interpretation and explanation of Appendix B – Supplemental statistical report
New data on requests affected by COVID–19 measures
In 2019–2020, the Treasury Board of Canada Secretariat included a new requirement to help identify the impact of COVID–19 measures on institutional performance for the 2019–2020 fiscal period.
For all 3 tables in Appendix B, the period identified as affected by COVID–19 was March 14 to March 31, 2020. More analysis of the effects of COVID–19 on the productivity of the CRA’s Access to Information and Privacy Directorate will be included in the 2020–2021 annual report. The following is a brief overview of the tables included in Appendix B:
- Requests received: Table 1 of Appendix B shows how many requests were received before March 14 and during the affected period. During the affected period, the CRA received 155 requests.
- Requests closed: Table 2 shows that no requests were closed during the affected period.
- Requests carried over: Table 3 shows that, in addition to the 715 requests carried over to the 2020–2021 fiscal period, an additional 155 requests were carried over from the affected period.
Conclusion
The CRA takes privacy and the safeguarding of personal information very seriously.
In 2019–2020, the CRA continued to make significant progress in addressing challenges to the protection of personal information and in the processing of privacy requests. It did this by:
- implementing key changes in the ATIP Way Forward workload management plan
- addressing the backlog of requests received under the Privacy Act
- collaborating with partners across the CRA to make sure privacy implications are considered for new or revised initiatives involving personal information by building Privacy by Design into the process
- continuing to enhance the CRA’s privacy management program
- collaborating with partners to share ways to respond to the changing privacy landscape
In 2020–2021, the CRA will continue its work to safeguard personal information. Beyond the day-to-day privacy management, the privacy team plans to finalize the CRA-wide privacy breach procedures and enhance the privacy information published on the Canada.ca website. Finally, the team will continue to work closely with the Department of Justice Canada and other stakeholders on the Government’s commitment to modernize the Privacy Act.
Regarding the processing of requests, the CRA will continue its work to enhance access to information at the CRA and to make operations more efficient. It will do this by implementing the new organizational structure to further advance the ATIP Way Forward workload management plan and by incorporating Lean principles to process requests. More work to implement epost, other innovative solutions, and digital services to address the workload is also planned for the next fiscal period. This work is even more critical given the additional backlog because of the COVID–19 pandemic.
Appendix A – Statistical report
Statistical report on the Privacy Act
Name of institution: Canada Revenue Agency
Reporting period: April 1, 2019, to March 31, 2020
Part 1 – Requests under the Privacy Act
1.1 Number of requests
Requests | Number of requests |
---|---|
Received during reporting period | 4,895 |
Outstanding from previous reporting period | 703 |
Total | 5,598 |
Closed during reporting period | 4,728 |
Carried over to next reporting period | 870 |
Disposition of requests | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
---|---|---|---|---|---|---|---|---|
All disclosed | 262 | 910 | 837 | 59 | 8 | 2 | 0 | 2,078 |
Disclosed in part | 42 | 327 | 888 | 265 | 79 | 90 | 56 | 1,747 |
All exempted | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 2 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
No records exist | 6 | 14 | 14 | 1 | 0 | 0 | 1 | 36 |
Request abandoned | 743 | 48 | 34 | 18 | 4 | 1 | 14 | 862 |
Neither confirmed nor denied | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 3 |
Total | 1,054 | 1,300 | 1,775 | 344 | 91 | 93 | 71 | 4,728 |
2.2 Exemptions
Section | Number of requests |
---|---|
18(2) | 0 |
19(1)(a) | 9 |
19(1)(b) | 1 |
19(1)(c) | 16 |
19(1)(d) | 1 |
19(1)(e) | 0 |
19(1)(f) | 0 |
20 | 0 |
21 | 0 |
22(1)(a)(i) | 1 |
22(1)(a)(ii) | 12 |
22(1)(a)(iii) | 0 |
22(1)(b) | 612 |
22(1)(c) | 0 |
22(2) | 0 |
22.1 | 0 |
22.2 | 0 |
22.3 | 0 |
22.4 | 0 |
23(a) | 0 |
23(b) | 0 |
24(a) | 0 |
24(b) | 0 |
25 | 1 |
26 | 1,316 |
27 | 452 |
27.1 | 0 |
28 | 3 |
2.3 Exclusions
Section | Number of requests |
---|---|
69(1)(a) | 0 |
69(1)(b) | 0 |
69.1 | 0 |
70(1) | 0 |
70(1)(a) | 0 |
70(1)(b) | 0 |
70(1)(c) | 0 |
70(1)(d) | 0 |
70(1)(e) | 0 |
70(1)(f) | 0 |
70.1 | 0 |
2.4 Format of information released
Paper | Electronic | Other |
---|---|---|
1,083 | 2,742 | 0 |
2.5 Complexity
2.5.1 Relevant pages processed and disclosed
Number of pages processed | Number of pages disclosed | Number of requests |
---|---|---|
1,115,075 | 877,780 | 4,692 |
Less than 100 pages processed
Disposition of requests | Number of requests | Pages disclosed |
---|---|---|
All disclosed | 1,950 | 59,243 |
Disclosed in part | 639 | 30,785 |
All exempted | 2 | 0 |
All excluded | 0 | 0 |
Request abandoned | 862 | 0 |
Neither confirmed nor denied | 3 | 4 |
Total | 3,456 | 90,032 |
101 - 500 pages processed
Disposition of requests | Number of requests | Pages disclosed |
---|---|---|
All disclosed | 123 | 20,596 |
Disclosed in part | 679 | 148,312 |
All exempted | 0 | 0 |
All excluded | 0 | 0 |
Request abandoned | 0 | 0 |
Neither confirmed nor denied | 0 | 0 |
Total | 802 | 168,908 |
501 - 1000 pages processed
Disposition of requests | Number of requests | Pages disclosed |
---|---|---|
All disclosed | 2 | 1,511 |
Disclosed in part | 226 | 164,880 |
All exempted | 0 | 0 |
All excluded | 0 | 0 |
Request abandoned | 0 | 0 |
Neither confirmed nor denied | 0 | 0 |
Total | 228 | 166,391 |
1001 - 5000 pages processed
Disposition of requests | Number of requests | Pages disclosed |
---|---|---|
All disclosed | 3 | 3,963 |
Disclosed in part | 188 | 347,349 |
All exempted | 0 | 0 |
All excluded | 0 | 0 |
Request abandoned | 0 | 0 |
Neither confirmed nor denied | 0 | 0 |
Total | 191 | 351,312 |
More than 5000 pages processed
Disposition of requests | Number of requests | Pages disclosed |
---|---|---|
All disclosed | 0 | 0 |
Disclosed in part | 15 | 101,137 |
All exempted | 0 | 0 |
All excluded | 0 | 0 |
Request abandoned | 0 | 0 |
Neither confirmed nor denied | 0 | 0 |
Total | 15 | 101,137 |
Disposition of requests | Consultation required | Legal advice sought | Interwoven information | Other | Total |
---|---|---|---|---|---|
All disclosed | 0 | 0 | 3 | 4 | 7 |
Disclosed in part | 8 | 0 | 2 | 15 | 25 |
All exempted | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 2 | 0 | 3 | 51 | 56 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
Total | 10 | 0 | 8 | 70 | 88 |
2.6 Closed requests
2.6.1 Number of requests closed within legislated timelines
- | Requests closed within legislated timelines |
---|---|
Number of requests closed within legislated timelines | 4,199 |
Percentage of requests closed within legislated timelines (%) | 88.8% |
2.7 Deemed refusals
2.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated deadline | Principal reason - Interference with operations / workload | Principal reason - External consultation | Principal reason - Internal consultation | Principal reason - Other |
---|---|---|---|---|
529 | 443 | 11 | 1 | 74 |
2.7.2 Number of days past legislated timeline (including any extension taken)
Number of days past legislated timeline | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timeline where an extension was taken | Total |
---|---|---|---|
1 to 15 | 61 | 64 | 125 |
16 to 30 | 39 | 31 | 70 |
31 to 60 | 25 | 33 | 58 |
61 to 120 | 42 | 62 | 104 |
121 to 180 | 18 | 27 | 45 |
181 to 365 | 34 | 30 | 64 |
More than 365 | 17 | 46 | 63 |
Total | 236 | 293 | 529 |
2.8 Requests for translation
Translation requests | Accepted | Refused | Total |
---|---|---|---|
English to French | 2 | 0 | 2 |
French to English | 0 | 0 | 0 |
Total | 2 | 0 | 2 |
Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
---|---|---|---|
0 | 0 | 0 | 0 |
Part 4 – Requests to correct personal information and notations
Disposition for correction requests received | Number |
---|---|
Notations attached | 1 |
Requests for correction accepted | 1 |
Total | 2 |
Part 5 – Extensions
5.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken | 15(a)(i) Interference with operations - Further review required to determine exemptions | 15(a)(i) Interference with operations - Large volume of pages | 15(a)(i) Interference with operations - Large volume of requests | 15(a)(i) Interference with operations - Documents are difficult to obtain |
---|---|---|---|---|
2,008 | 15 | 130 | 1,815 | 35 |
15(a)(ii) Consultation - Cabinet Confidences (Section 70) | 15(a)(ii) Consultation- External | 15(a)(ii) Consultation- Internal | 15(b) Translation purposes or conversion |
---|---|---|---|
0 | 0 | 1 | 12 |
5.2 Length of extensions
Length of extensions (days) | 15(a)(i) - Interference with operations - Further review required to determine exemptions | 15(a)(i) - Interference with operations - Large volume of pages | 15(a)(i) - Interference with operations - Large volume of requests | 15(a)(i) - Interference with operations - Documents are difficult to obtain |
---|---|---|---|---|
1 to 15 | 2 | 0 | 5 | 1 |
16 to 30 | 13 | 130 | 1,810 | 34 |
Total | 15 | 130 | 1,815 | 35 |
Length of extensions (days) | 15(a)(ii) Consultation Cabinet Confidences (Section 70) | 15(a)(ii) Consultation External | 15(a)(ii) Consultation Internal | 15(b) Translation purposes or conversion |
---|---|---|---|---|
1 to 15 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 1 | 12 |
Total | 0 | 0 | 1 | 12 |
Part 6 – Consultations received from other institutions and organizations
6.1 Consultations received from other Government of Canada institutions and organizations
Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
---|---|---|---|---|
Received during reporting period | 8 | 928 | 0 | 0 |
Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
Total | 8 | 928 | 0 | 0 |
Closed during the reporting period | 8 | 928 | 0 | 0 |
Carried over to next reporting period | 0 | 0 | 0 | 0 |
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation | Completion time - 1 to 15 days | Completion time - 16 to 30 days | Completion time - 31 to 60 days | Completion time - 61 to 120 days | Completion time - 121 to 180 days | Completion time - 181 to 365 days | Completion time - More than 365 days | Total |
---|---|---|---|---|---|---|---|---|
Disclose entirely | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
Disclose in part | 0 | 1 | 1 | 1 | 0 | 0 | 0 | 3 |
Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 3 |
Total | 0 | 3 | 4 | 1 | 0 | 0 | 0 | 8 |
6.3 Recommendations and completion time for consultations received from other organizations
Recommendation | Completion time - 1 to 15 days | Completion time - 16 to 30 days | Completion time - 31 to 60 days | Completion time - 61 to 120 days | Completion time - 121 to 180 days | Completion time - 181 to 365 days | Completion time - More than 365 days | Total |
---|---|---|---|---|---|---|---|---|
Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other organization | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7 – Completion time of consultations on Cabinet confidences
7.1 Requests with Legal Services
Number of days | Less than 100 pages processed - Number of requests | Less than 100 pages processed - Pages disclosed | 101 - 500 pages processed - Number of requests | 101 - 500 pages processed - Pages disclosed | 501 - 1000 pages processed - Number of requests | 501 - 1000 pages processed - Pages disclosed | 1001 - 5000 pages processed - Number of requests | 1001 - 5000 pages processed - Pages disclosed | More than 5000 pages processed - Number of requests | More than 5000 pages processed - Pages disclosed |
---|---|---|---|---|---|---|---|---|---|---|
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
Number of days | Less than 100 pages processed - Number of requests | Less than 100 pages processed - Pages disclosed | 101 - 500 pages processed - Number of requests | 101 - 500 pages processed - Pages disclosed | 501 - 1000 pages processed - Number of requests | 501 - 1000 pages processed - Pages disclosed | 1001 - 5000 pages processed - Number of requests | 1001 - 5000 pages processed - Pages disclosed | More than 5000 pages processed - Number of requests | More than 5000 pages processed - Pages disclosed |
---|---|---|---|---|---|---|---|---|---|---|
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8 – Complaints and investigations notices received
Section 31 | Section 35 | Section 37 | Court action | Total |
---|---|---|---|---|
39 | 0 | 91 | 0 | 130 |
Part 9 – Privacy impact assessments and personal information banks
9.1 Privacy impact assessments
Number of privacy impact assessments completed | 12 |
9.2 Personal information banks
Active | Created | Terminated | Modified |
---|---|---|---|
45 | 2 | 0 | 6 |
Part 10 – Material privacy breaches
Number of material privacy breaches reported to Treasury Board of Canada Secretariat | 6 |
Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada | 6 |
Expenditures | Amount |
---|---|
Salaries | $7,451,594 |
Overtime | $316,591 |
Goods and Services | $861,512 |
- | $72,100 |
- | $789,412 |
Total | $8,629,697 |
11.2 Human Resources
Resources | Person years dedicated to privacy activities |
---|---|
Full-time employees | 98 |
Part-time and casual employees | 0 |
Regional staff | 0 |
Consultants and agency personnel | 4 |
Students | 3 |
Total | 105 |
Appendix B – Supplemental statistical report
Requests affected by COVID–19 measures
In 2019–2020, the Treasury Board of Canada Secretariat included a new requirement to help identify the impact of COVID–19 measures on institutional performance for the 2019–2020 fiscal period.
Table 1 – Requests received
The following table reports the total number of formal requests received during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:
- | Number of requests |
---|---|
Received from 2019-04-01 to 2020-03-13 | 4,740 |
Received from 2020-03-14 to 2020-03-31 | 155 |
Total | 4,895 |
Table 2 – Requests closed
The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:
- | Number of requests closed within the legislated timelines | Number of requests closed past the legislated timelines |
---|---|---|
Received from 2019-04-01 to 2020-03-13 and outstanding from previous reporting periods | 4,199 | 529 |
Received from 2020-03-14 to 2020-03-31 | 0 | 0 |
Total | 4,199 | 529 |
Table 3 – Requests carried over
The following table reports the total number of requests carried over during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:
- | Number of requests |
---|---|
Requests from 2019-04-01 to 2020-03-13 and outstanding requests from previous reporting period carried over to the 2020–2021 reporting period | 715 |
Requests from 2020-03-14 to 2020-03-31 carried over to the 2020–2021 reporting period | 155 |
Total | 870 |

Privacy Act
Delegation Order
I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.
This designation replaces all previous delegation orders.
Diane Lebouthillier
Minister of National Revenue
Signed in Ottawa, Ontario, Canada this 14th day of January, 2016
The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue under the provisions of the Privacy Act and its Regulations are:
Commissioner
- Full authority
Deputy Commissioner
- Full authority
Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer
- Full authority
Director, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority
Assistant Directors, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority except for paragraphs 8(2)(j) and (m) and subsection 8(5)
Managers, Access to Information and Privacy Directorate, Public Affairs Branch
- Authority for subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2), 35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations