2019–2020 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

In keeping with section 72 of the Privacy Act, each year the head of every government institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act. 

The following report is tabled in Parliament under the direction of the Minister of National Revenue. It describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2019, and March 31, 2020. It also discusses emerging trends, program delivery, and areas of focus for the year ahead.

The Privacy Act

The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of, and disclose individuals’ personal information. As well, it gives individuals (or their authorized representatives) a right of access to their own personal information, with limited and specific exceptions, and a right of correction and or annotation. 

Individuals who are not satisfied with an institution’s handling of their personal information or of a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to ask for information online at canada.ca/en/revenue-agency or through the CRA’s toll-free phone lines.

 

ISSN: 2563-3465

About the Canada Revenue Agency

The Canada Revenue Agency (CRA) promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians. It does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to partner with the provinces, territories, and other government bodies (at their request and by recovering any costs) to administer enhanced services. 

The Minister of National Revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Board of Management (established by the Canada Revenue Agency Act) is made up of 15 directors appointed by the Governor in Council, 11 of whom are nominated by the provinces and territories. The other four directors include the Chair; the Commissioner and Chief Executive Officer of the CRA; and two directors nominated by the Government of Canada. The Board oversees the administration and management of the CRA, including the development of the Corporate Business Plan and management of policies related to resources, services, property, and personnel. In fulfilling this role, the Board brings a forward-looking strategic perspective to the CRA’s administration, fosters sound management practices, and is committed to efficient and effective service delivery.

As the CRA’s Chief Executive Officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister’s delegated authority. The Commissioner ensures that operations are guided by the CRA’s vision to be trusted, to be helpful, and to put people first. As well, the Commissioner is accountable to the Board for the management of the CRA, which includes supervising employees, implementing policies, and managing budgets. The Commissioner also assists and advises the Minister regarding legislated authorities, duties, functions, and Cabinet responsibilities. 

The CRA is made up of 12 functional branches and four regional offices across the country:

Branches

  • Appeals
  • Assessment, Benefit, and Service
  • Audit, Evaluation, and Risk
  • Collections and Verification
  • Compliance Programs
  • Finance and Administration
  • Human Resources
  • Information Technology
  • Legal Services
  • Legislative Policy and Regulatory Affairs
  • Public Affairs
  • Service, Innovation, and Integration

Regions

  • Atlantic
  • Ontario
  • Quebec
  • Western

Chief Privacy Officer

The Assistant Commissioner of the Public Affairs Branch is the CRA’s Chief Privacy Officer. The Chief Privacy Officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the Chief Privacy Officer: 

  • oversees decisions related to privacy, including privacy impact assessments
  • champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
  • reports to the CRA’s senior management at least twice a year on the state of privacy management at the CRA

The CRA's Chief Privacy Officer is a member of the Conference Board of Canada Council for Chief Privacy Officers. 

Access to Information and Privacy Directorate

The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the directorate:

  • responds to requests and questions under the Access to Information Act and the Privacy Act
  • responds to consultations, complaints, and informal disclosure requests
  • offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
  • co-ordinates the privacy impact assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid or reduce risks
  • gives training and awareness sessions on access to information and privacy
  • responds to and manages privacy breaches, inquiries, and complaints
  • communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and audits
  • fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on administering the Access to Information Act and the Privacy Act

The Director of the Access to Information and Privacy Directorate has the full delegated authority of the Minister of National Revenue under the Access to Information Act and the Privacy Act. The Director also manages and coordinates the access to information and privacy program, leads strategic planning and development initiatives, and supports the Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer of the CRA in their role of privacy governance. The Director is supported by the Directorate Management Committee.

The directorate supports two main functions: processing and program support, which includes privacy management. In addition to the directorate’s headquarters office in Ottawa, the directorate has an office in Vancouver and an office in Montréal. In 2019–2020, an equivalent of 155 full-time employees administered the Access to Information Act and the Privacy Act.

Delegating responsibilities under the Privacy Act

As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers and complies with the Privacy Act, Privacy Regulations, and related Treasury Board of Canada Secretariat policies. Section 73 of the Privacy Act gives the Minister the authority to designate one or more CRA officials to perform all or part of the Minister’s powers, duties, and functions under the Act.

The Minister of National Revenue signed the CRA’s current delegation order for the Privacy Act on January 14, 2016.Footnote 1  The order identifies specific provisions of the Privacy Act and its Regulations that the Minister delegated to various positions within the CRA.

The Access to Information and Privacy Directorate’s Director and assistant directors, as well as managers of the units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, and the Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer.

For the delegation order and schedule, see Appendix C.

Operational environment

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Government of Canada. In addition, the CRA collects and manages the personal information for its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information and the CRA takes the protection of that information very seriously.

During the reporting period, the Access to Information and Privacy Directorate enhanced the CRA’s privacy management program. This enhancement included establishing the Privacy Management Framework, privacy governance structure, and privacy strategy. The framework is available in full at canada.ca/en/revenue-agency/corporate/security/privacy
-management-framework
. For more details, see the Privacy management program section of this report.

Although the number of requests received under the Privacy Act in 2019–2020 is consistent with the 2018–2019 fiscal year, it is still more than the Access to Information and Privacy Directorate has the capacity to process. In fact, the directorate processes among the largest volume of requests and pages of any federal institution. According to the most recent statistics from the Treasury Board of Canada Secretariat, in 2018–2019 the CRA processed the second largest volume of pages (over two million) of any federal institution and received the fourth largest number of requests.

As shown in this report, many employees in the directorate are also carrying out other workloads, such as consultations, complaints, and other privacy-related initiatives within the CRA. Because of this increasing demand on the access to information and privacy program, the CRA developed a workload management plan, known as ATIP Way Forward, in 2018–2019. In 2019–2020, a project manager led the implementation of key changes in the plan. Among these changes was a significant amendment to the organizational structure of the directorate, which will be implemented fully in 2020–2021. For more details, see the Organizational changes section in this report.

Image described below
Image description

Privacy Act requests trend

In 2015–2016, 3,048 requests were received, 2,723 were completed, 476,832 pages were processed

In 2016–2017, 3174 requests were received, 3,400 were completed, 1,086,917 pages were processed

In 2017–2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed

In 2018–2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed

In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed

ATIP Way Forward - a workload management plan

In 2018–2019, the Access to Information and Privacy Directorate’s senior management team developed the ATIP Way Forward workload management plan. The plan is designed to resolve the high volume of requests and the CRA’s backlog by building sustainable, long-term solutions. 

In 2019–2020, key changes made to enhance productivity and efficiency in the Access to Information and Privacy Directorate included:

  • implementing Agile principles and practices in the Access to Information and Privacy Directorate like Lean continuous improvement, which is a methodology the directorate adopted in 2017
    • Agile means working in a highly responsive way that allows for the enhanced delivery of services and products; the project manager trained employees in Agile principles and practices, and most teams practised elements such as daily scrums
  • organizing and centralizing the administrative services in the headquarters’ Access to Information and Privacy office
  • enhancing reporting on the targets for the backlog and carryforward
  • expediting staffing processes
  • submitting two business cases and succeeding in getting more funding to enable staffing processes to increase the directorate’s workforce 
  • researching, (in collaboration with the Finance and Administration Branch and the Information Technology Branch) in support of the Government of Canada’s commitment to enhance digital services, whether the directorate could use epost to securely release records electronicallyFootnote 2 
  • establishing a new centralized complaints team pilot project – a team of employees in the headquarters and Montréal offices was tasked with addressing all non-administrative complaints
    • centralizing complaints allows analysts and managers to better focus on their main workload, improve consistency in addressing complaints, and enable better collection and analysis of complaint statistics

Organizational changes

As part of the ATIP Way Forward workload management plan, in 2019–2020 the Access to Information and Privacy Directorate extensively reviewed its organizational structure. Previously, the organizational structure had not been reviewed or updated since 2014. However, the directorate’s work has evolved significantly since then. Not only has the workload increased in volume and complexity, it is now more strategic in nature. The directorate also has an expanded role in the CRA in advising, monitoring, and supporting compliance of sound privacy and access to information management practices. 

As a result of the review, the directorate made temporary adjustments to its organizational structure in 2019–2020 to allow for a greater focus on data analytics, designing the new organizational structure, and managing the plan. 

After more review and consultation, a new organizational structure was proposed and approved. The initial changes come into effect early in the 2020–2021 fiscal year. The new structure will support the growth of the directorate, increase its productivity, and increase its capacity to address the expanded access and privacy role within the CRA. Among other changes, the new structure changed the Director of the Access to Information and Privacy Directorate’s level to a director-general-level and added two new director roles. Over the 2020–2021 fiscal year, the new structure will be implemented and hiring will take place to fulfill the new roles as well as other positions.

The Directive for the Disclosure of Taxpayer and Other Information outlines the accountabilities of CRA officials for informal and formal disclosures. To supplement the directive, in 2018–2019, the CRA launched an informal disclosure course. The course is targeted to subject-matter experts who need a comprehensive understanding of the disclosure of protected information to taxpayers under program legislation. Additionally, an informal disclosure page was launched on the CRA’s intranet site; this page provides guidance and resources in support of expanded informal disclosure.

Human resources

In 2019–2020, the Access to Information and Privacy Directorate undertook many staffing actions to increase its capacity to manage the growing workload. This included launching SP-04, SP-05, and SP-07 staffing processes.Footnote 3 The SP-07 staffing process was critical to staffing the directorate’s privacy team.

Outreach and recruitment with post-secondary institutions also took place during the fiscal year and focused on the paralegal and legal assistance fields.

In headquarters, a desk-sharing initiative was launched to maximize the use of space for new employees joining the directorate.

Modernizing the Access to Information Act and the Privacy Act

On June 21, 2019, Bill C-58, An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts, received royal assent.

Extensive work, including briefings and training, took place up to and upon royal assent to ensure the CRA was ready. Although the primary focus of the bill is on the Access to Information Act, it does include related amendments to the Privacy Act.

The amended Access to Information Act reinforces the Government of Canada’s commitment to improve accountability and increase openness and transparency by offering greater access to government records. This includes a new requirement to proactively publish a broad range of information known to be of interest to the public. This information includes the following records prepared for ministers or deputy heads: transition material, question period responses, parliamentary committee appearance briefing binders, travel and hospitality expenses, and titles and tracking numbers of briefing notes.

Although the amended Act allows for a more open and transparent government, the public’s right to know must be balanced by a person’s right to privacy, as outlined in the Privacy Act. This new legislation does not require the release of information that a response to an access to information request would normally withhold, such as Cabinet confidences, solicitor-client privilege, and personal information.

During the fiscal year, the Access to Information and Privacy Directorate provided oversight to make sure program areas posted their required proactive disclosures within the legislated timeline The directorate was also responsible for reviewing the briefing note titles and tracking numbers, transition material, and question period responses to determine if sensitive information needed to be protected according to legislation. The directorate also managed the publication of the briefing note titles and tracking numbers.

The Privacy Act is also being modernized. During the fiscal year, the Department of Justice Canada requested feedback from federal institutions, including the CRA, on the technical and legal considerations to consider in modernizing the Act. The departments were asked to base their feedback on their experiences and mandates involving the collection, use, and sharing of personal information. In support of the review, Justice Canada circulated five discussion papers for feedback. The Access to Information and Privacy Directorate took the lead on collaborating the development of a single submission for the CRA.

In 20202021, the CRA will continue to work closely with Justice Canada and other stakeholders on the Government of Canada’s commitment to modernize the Privacy Act.

Informal disclosure

The CRA continually explores ways to get information to clients in the fastest and most efficient way. One of these ways is informal disclosure. Informal disclosure provides information without the need to make a request under the Access to Information Act or the Privacy Act. Examples of information provided informally are copies of tax slips and CRA policies and manuals. The Access to Information and Privacy Directorate receives a significant number of Privacy Act requests that could potentially be redirected to informal channels. These are referred to as “fast-track requests”.

In April 2019, the Access to Information and Privacy Directorate, along with other government departments, met with the Office of the Privacy Commissioner of Canada to discuss ways to improve informal disclosure across government.

Training

The Access to Information and Privacy Directorate is committed to promoting and providing access to information and privacy training to CRA employees. This training varies depending on the needs of the employees. For instance, employees who have little or no knowledge of the subject are encouraged to take the Canada School of Public Service’s Fundamentals of Access to Information and Privacy course or its Access to Information in the Government of Canada course. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests. 

The CRA’s Legal Services Branch provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release in CRA reading rooms, on informal disclosure, and on the legal interpretation of the Access to Information Act and the Privacy Act for specialized CRA staff such as auditors.

In 2019–2020, more than 3,800 CRA employees across Canada participated in instructor-led in-person and online training related to access to information and privacy. In total, this fiscal year:

  • 1,222 employees participated in 50 training sessions given by the CRA
  • 823 employees took the Canada School of Public Service Fundamentals of Access to Information and Privacy course
  • 41 employees attended the Canada School of Public Service Access to Information in the Government of Canada course
  • 1,778 employees participated in specialized training given by the Legal Services Branch

As needed, members of the privacy team delivered interactive privacy sessions during the Public Affairs Branch onboarding events. Additionally, the Director of the Access to Information and Privacy Directorate gave a presentation to the Branch Management Committee on the importance of privacy management. The Chief Privacy Officer also delivered a presentation to the Security and Internal Affairs Directorate on how privacy and security are interconnected.

In 2019–2020, the CRA continued to offer its suite of 10 web-based modules, which consist of specialized technical training, to employees of the Access to Information and Privacy Directorate. This series of modules is the first of its kind for access to information and privacy professionals in the Government of Canada.

In November 2019, the Access to Information and Privacy Directorate participated in the International Association of Privacy Professionals certification training. The course prepares participants to become certified as information privacy professionals and focuses on Canadian privacy laws and practices.

Raising awareness

In 2019–2020, beyond the work the CRA completed to enhance its privacy management program, the Access to Information and Privacy Directorate worked on many projects to make employees more aware of their privacy-related roles and responsibilities. 

For the eighth consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many other institutions internationally to promote Data Privacy Day. On that day, individuals are informed about the impact technology has on privacy rights and the importance of protecting personal information. 

In 2019–2020, the CRA’s Data Privacy Day campaign promoted the launch of its new Privacy Management Framework. This framework explains how the CRA manages privacy and includes its privacy vision, guiding principles, and privacy commitment. For more information about the Privacy Management Framework, see the Policies, guidelines, and procedures section.

Throughout the year, the Access to Information and Privacy Directorate also raised awareness about access to information and privacy and the role they play in supporting sound privacy management. This awareness includes multiple committee meetings and regular communication with CRA employees in the offices of primary interest.

Collaborating with oversight bodies and other organizations 

The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat and other organizations to strengthen privacy at the CRA. Notably, in 2019–2020: 

  • the CRA communicated frequently with the Office of the Privacy Commissioner of Canada on various subjects including privacy breaches, privacy impact assessments, and the COVID–19 benefit programs the CRA helped administer 
  • the CRA worked closely with the Treasury Board of Canada Secretariat to implement Bill C-58, develop draft corporate policy instruments, and collaborate on responding to the COVID–19 pandemic as it related to the access to information and privacy program 
  • the CRA participated in the Department of Justice Canada’s consultation process on the modernization of the Privacy Act
  • the CRA’s privacy and security officials met with Employment and Social Development Canada several times to share best practices on how to protect personal information. Both departments also worked closely together to ensure all privacy implications were considered in the implementation of the COVID–19 benefit programs
  • the Chief Privacy Officer met with his counterparts from several countries to discuss their respective privacy management programs

COVID–19

On March 11, 2020, COVID–19 was designated by the World Health Organization to be a controllable pandemic. On March 16, most CRA employees were asked to work from home in an effort to prevent the spread of the illness.

The CRA played a critical role in providing financial assistance and services to Canadians during the initial stage of the pandemic. Most employees across the CRA focused their efforts on facilitating benefit programs to assist Canadians. The Access to Information and Privacy Directorate’s privacy team played a critical role in ensuring that all privacy implications were considered when the benefit programs were implemented and that timely briefings took place across the CRA, with Employment and Social Development Canada, and with the Office of the Privacy Commissioner of Canada.

Since the CRA’s priority was critical services, the CRA temporarily suspended the processing of access to information and privacy requests. It did this for several other reasons as well, including employees being unable to physically enter the office, the lack of access to computer equipment, and the lack of access to records. 

During this period, the Access to Information and Privacy Directorate worked toward a business resumption plan to process requests, and it collaborated closely with the Treasury Board of Canada Secretariat and coordinators in the access to information and privacy community.

The impact of COVID–19 is very significant on operations and will further impact the backlog of privacy requests in the Access to Information and Privacy Directorate. The reduction of the backlog will continue to be a high priority for the directorate moving forward.

See Appendix B for more information about how this period from March 14 to March 31, 2020, affected the processing of privacy requests. 

Privacy management program

Enhancing the privacy management program 

The privacy landscape has evolved dramatically over the past few years and continues to change at an increasing pace. Some of these changes include:

  • new technologies such as business and artificial intelligence, biometrics, quantum computing, cloud computing, and others that present new challenges for the protection of personal information
  • recent national and international privacy breaches that have created a heightened awareness of potential privacy issues and caused government institutions to evaluate their privacy practices 
  • the modernization of privacy legislation worldwide in response to these developments (for example, General Data Protection Regulation, California Consumer Privacy Act, and Privacy Act review)

The CRA is aware of the necessity to adapt its privacy management program as the privacy landscape evolves. In 2019–2020, enhancing the CRA’s privacy management program under the leadership of the CRA’s Chief Privacy Officer was a major focus for the CRA. 

During the year, the CRA enhanced the program based on Privacy by Design principles, where privacy is systemically embedded into business practices and systems. After extensive CRA-wide and external consultations, the CRA established the CRA Privacy Management Framework, privacy governance structure, privacy strategy, as well as other components, such as proposed staffing and training plans. CRA-wide privacy breach procedures were also drafted.

In 2020–2021, the CRA plans to enhance the privacy content on the CRA’s webpages, including the CRA’s privacy statement, to provide Canadians with information on how their information is managed. The CRA also plans to finalize the updated privacy breach procedures. For more details, see the next section, Managing privacy breaches.

During the fiscal year, after several external national and international high-profile privacy breaches, the Personal Information Incident Working Group was established. The mandate of the working group is to facilitate horizontal collaboration and decision-making on emerging issues related to suspicious activities and incidents involving personal information. The working group played a key role in the consultation phase to develop CRA privacy breach procedures.

Significant work also took place during the fiscal to launch the Agency Privacy Council. The mandate of the council, an assistant-commissioner-level committee, is to facilitate a horizontal approach to privacy governance, identify privacy risks, and outline mitigation strategies for the CRA. The inaugural meeting of the council will take place early next fiscal.

The Access to Information and Privacy Oversight Review Committee, an assistant-commissioner-level committee chaired by the CRA’s Chief Privacy Officer, met just once early in the fiscal as the CRA reviewed its privacy governance needs. The structure and mandate of this committee will be reviewed in 2020–2021.

Also, next fiscal, to further support privacy management in the CRA, there will be significant organizational changes within the privacy team. The new organizational structure of the privacy team will require additional resources to better address the demands on the CRA because of the changing privacy landscape.

Managing privacy breaches

One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the integrity and the protection of taxpayers’ information very seriously and keeps its controls and sanctions very strong to prevent privacy breaches. Despite the effectiveness of the many controls in place, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system. 

Following an external high-profile privacy breach, the CRA’s Chief Privacy Officer was called to participate in a meeting in July 2019 in front of the Standing Committee on Public Safety and National Security. During the appearance, the Chief Privacy Officer described the strong protocols the CRA has in place to protect the personal information of Canadians.

This year, the CRA’s Security and Internal Affairs Directorate informed the Access to Information and Privacy Directorate of 39 incidents of alleged or confirmed improper access or disclosure of personal information by CRA employees. Founded misconduct is dealt with promptly and appropriately. If criminal activity is suspected, the matter is referred to the proper authorities. All CRA employees receive mandatory and ongoing security training which includes the protection of taxpayer information.

The Access to Information and Privacy Directorate also received 32 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada. For more information, see Part 8 – Complaints and investigation notices received.

In 2019–2020, most privacy breaches at the CRA resulted from misdirected mail, that is, mail that has been incorrectly addressed or sent to the wrong person. Misdirected mail incidents represent 0.003% of the 110 million pieces of mail the CRA handles each year.

The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2019–2020, the CRA reported six significant privacy breaches to these departments. Of these, four involved loss of information, one involved the unauthorized use of taxpayer information, and one involved the unauthorized access of taxpayer information by a CRA employee.

The CRA continues to improve internal processes and systems to further protect taxpayer information. These controls include monitoring employee access to taxpayer information, limiting employees’ access permissions to only the information required to carry out their job, and regularly reviewing employee access to CRA systems.

Policies, guidelines, and procedures

The Access to Information and Privacy Directorate dedicated significant time in 2019–2020 to the review of CRA corporate documents, including policy instruments, to make sure that the role of the CRA’s Chief Privacy Officer and privacy implications were considered. 

Furthermore, the CRA continues to provide feedback to the Treasury Board of Canada Secretariat on draft corporate policy instruments and promote compliance once those policy instruments are implemented.

Privacy Management Framework

In January 2020, the CRA launched the CRA Privacy Management Framework. The framework is a reference document for Canadians and explains the CRA’s vision, objective, and commitment to privacy.

In the framework, the CRA introduces its five privacy guiding principles. These principles are embedded into the development, operation, and management of all programs, processes, solutions, and technologies involving personal information. The principles are:

  • We value and respect the client data in our possession and help our clients clearly understand how and why we are using it.
  • We support our employees in understanding their data handling responsibilities, and we respond to our clients’ requests promptly and helpfully to drive a seamless and efficient experience.
  • We put our clients at the heart of all changes and improvements to our service delivery by adopting innovative practices and including Privacy by Design principles into all that we do.
  • We collaborate with our employees and integrate effective and secure client data management across the CRA to foster a holistic approach to building and maintaining client trust.
  • We decide how we handle client data in line with legislative obligations and leading privacy practices and based on ethical standards.

The framework also defines the CRA’s commitment to promote collaboration across all branches and the adoption of the Privacy by Design principles. Privacy management is described in the framework as a responsibility shared by all CRA employees.

The framework is available in full at canada.ca/en/revenue-agency/corporate/security/privacy-management-framework.

Internal procedures manual

The internal procedures manual is an Access to Information and Privacy Directorate guide for all major procedures involved in processing requests made under the Access to Information Act and the Privacy Act. The purpose of the manual is to promote consistent practices across the directorate. 

In 2019–2020, the Access to Information and Privacy Directorate drafted an online version of the manual. In 2020–2021, the directorate plans to make the final version of the online manual available to employees.

Updating Info Source 

Info Source provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. Info Source also provides guidance to individuals on how to access information held by government institutions to exercise their rights under these acts. 

Each institution subject to the Access to Information Act and the Privacy Act must update its Info Source chapter annually by the due date set by the Treasury Board of Canada Secretariat, normally in June.

Because of COVID–19’s impact and the operational realities that faced government institutions, the Treasury Board of Canada Secretariat recognized that institutions may be unable to meet the June publishing deadline in 2020. Since many of its program areas were focused on providing critical services, the CRA decided not to task them with the Info Source update. Therefore, the Access to Information and Privacy Directorate updated the Treasury Board of Canada Secretariat on the information the directorate had already reviewed during the fiscal year.

The CRA's Info Source chapter can be found at canada.ca/cra-info-source.

Monitoring compliance

The Access to Information and Privacy Directorate produces several monthly reports that capture key statistics about the CRA’s inventory of access to information and privacy requests. Management regularly uses the reports to monitor trends, measure the directorate’s performance, and identify any process changes needed to improve performance. The reports are presented monthly to senior management at the Commissioner-chaired Corporate Management Committee.

In 2019–2020, the access to information and privacy business analytics team reviewed the existing reports and introduced new reports to improve awareness of outstanding access to information and privacy requests. The reports monitor active and closed requests, the status of requests broken down by branch and region, the carryforward inventory, and deemed refusal volumes. 

In addition to the monitoring and reporting mechanisms in place, the CRA’s work to develop enhanced business analytics for its access to information and privacy program continued in 2019–2020. The directorate’s database, which is used for monitoring and reporting, is primarily designed for workload management.

To improve the capability of business analytics, the business analytics team acquired the open analytics solution SAS Viya and made sure all team members were trained in the SAS Enterprise and SAS Viya tools. As well, the team developed the use of SQL coding to query the database and access data that was unavailable using the standard interface. Each month, they ran a database cleanup and established a routine of running a weekly anomaly report to ensure the best maintenance of the database. 

In 2020–2021, the team plans to pursue the ability to query the database directly from the SAS software. An overall goal is to use business analytics to develop the directorate as a more data-driven organization.

Privacy impact assessments

Canada Revenue Agency Privacy Impact Assessment Plan

   

The CRA has completed 61 privacy impact assessments since implementing the Privacy Impact Assessment Plan in 2014.

Summaries of completed privacy impact assessments

The CRA completed 12 privacy impact assessments during the 2019–2020 reporting period. As well, it reviewed a significant number of initiatives to assess potential privacy impacts. This review looked at documents such as privacy assessment determination questionnaires, threat and risk assessments, local application solutions, and written collaborative arrangements.

In line with the Treasury Board of Canada Secretariat’s Directive on Privacy Impact Assessment, the CRA publishes summaries of completed privacy impact assessments. These summaries are available at canada.ca/en
/revenue
-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.

The following is an overview of the summaries the CRA completed and sent to the Office of the Privacy Commissioner of Canada and to the Treasury Board of Canada Secretariat for review in 2019–2020.

Business Intelligence Research and Development Environment version 2.0

To fulfill its mandate and manage the organization internally, the CRA collects and creates a significant amount of data. The CRA uses the data to gain insight into its programs and activities, make strategic changes, and take appropriate actions in support of its mandate. The information from the data also helps the CRA support the fairness and integrity of Canada’s tax system by enabling it to better enforce compliance. To be able to detect, deter, predict, and correct the behaviours of non-compliant taxpayers and benefit recipients, the CRA needs to be aware of their behaviours.

The first privacy impact assessment (version 1.0) of the Business Intelligence Research and Development Environment was completed in the 2016–2017 fiscal year. It has been updated this fiscal year (version 2.0) to assess recent program activities related to the business intelligence research and development environment.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-intelligence-research-development
-environment-v2
.

Business Number and Program Account Registration Program

The Business Number and Program Account Registration Program provides and administers business numbers. The business number, which the CRA introduced in 1994, allows the CRA to identify a specific business (or other organization such as a charity) for tax matters. As well, the business number system stores information about businesses. Other CRA programs, as well as other federal and provincial government departments, use this system as a central source to retrieve that data.

The privacy impact assessment identifies, assesses, and lessens any privacy risks associated with this program. These risks include collecting, using, and disclosing personal information with federal, provincial, and municipal partners.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-number-program-account
-registration.htm
l.  

Corporation Returns and Payment Processing Program version 2.0

The Corporation Returns and Payment Processing Program assesses T2 corporation income tax returns for resident and non-resident corporations, and processes special elections and returns. The program also processes the payments for those returns and administers provincial taxes and credits harmonized with the federal T2 return for all provinces except Quebec and Alberta. As well, the program is responsible for administering information specific to treaty agreements with foreign governments, under the authority of a tax treaty, so that corporations are not double-taxed.

The first privacy impact assessment (version 1.0) of the Corporation Income Tax Return Assessment Program was completed in the 2017–2018 fiscal year. It has been updated (version 2.0) to reflect the use of a new system to capture special elections forms and returns and to more accurately reflect operating practices.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/corporation-returns-payment-processing
-program
.

Corporations and GST/HST compliance programs

Corporations and GST/HST compliance programs, administered under the CRA’s returns compliance framework, encourage businesses and trusts to file on time and educate them about their tax obligations. The programs conduct the following activities: 

  • review GST/HST and corporation returns after assessment
  • review new business number registrations
  • promote the registration, filing, and remitting requirements of GST/HST accounts and of other levies accounts (for example, cannabis, fuel charge, and air travellers security charge)
  • conduct examinations of GST/HST accounts and other levies accounts

The privacy impact assessment on these programs was completed to register a new personal information bank because the CRA’s program structure and activities were reorganized. As well, because of recent legislative changes related to cannabis and fuel charges, the inventory for these programs now includes additional business return types.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/corporations-gst-hst-compliance-programs.

Film and Media Tax Credits Program

Film and media tax credits are federal and provincial tax incentives designed to encourage the film and media production industry in Canada. More specifically, they are designed to encourage the film and media production industry to hire Canadians since most of the tax credits are labour based. 

The privacy impact assessment of this program assessed all its activities that relate to the provisions of the Income Tax Act regarding the film and media production industry in Canada.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/film-media-tax-credits.

Individual Returns Assessment Program

This program helps individuals voluntarily comply with Canada’s tax laws by processing their information and payments as quickly and accurately as possible, and by giving them the results of their assessment or reassessment. 

The privacy impact assessment identifies and assesses the privacy risks to personal information from processing individual taxpayer income tax returns for the federal government and for most provinces and territories. The processing includes initial assessments, payments, validations, accounting, and adjustments, as well as determining eligibility for various refundable amounts.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-returns-assessment-program
.

Leads Program version 2.0

The main role of the Leads Program is to coordinate and review all domestic leads received from the public to help the CRA identify taxpayers who are not complying with their tax obligations. The Leads Program gives the public the chance to come forward and anonymously report suspected cases of non-compliance with the tax laws the CRA administers. 

The CRA completed the first privacy impact assessment (version 1.0) of the Leads Program in the 2011–2012 fiscal year. It updated the assessment this fiscal year to address the changes to the program, including new procedures and a modern records retention strategy.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/leads-program-v2
.

Monitoring of Electronic Access to Taxpayer Information version 2.0

The CRA monitors internal electronic access to taxpayer information to prevent, monitor, and detect internal fraud or misuse and unauthorized access to electronic taxpayer information. The CRA has procured an Enterprise Fraud Management solution tool that enables the CRA to proactively identify questionable user activities. This tool uses business intelligence, such as detection models and data matching, to perform trend and pattern analysis.

Version 1.0 of the privacy impact assessment was completed in the 2017–2018 fiscal year. It has been updated (version 2.0) to assess the use of the Enterprise Fraud Management solution tool and the new sources of employee personal information being captured.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/monitoring-electronic-access-taxpayer
-information-v2
.

Office of the Taxpayers’ Ombudsman Program

The Office of the Taxpayers' Ombudsman program impartially examines unresolved service complaints from taxpayers and benefit recipients who feel the CRA has treated them unfairly. The office generally receives complaints online, by mail, or by fax. As well, plaintiffs can call the Office of the Taxpayers’ Ombudsman’s general inquiry line for information before submitting a complaint. Details of the call will be logged in the General Enquiry phone log. 

The privacy impact assessment identifies and assesses privacy risks involved in collecting personal information relating to the Office of the Taxpayers’ Ombudsman program activities.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/office-taxpayers-ombudsman.

Scientific Research and Experimental Development Program version 3.0

The Scientific Research and Experimental Development Program is a federal tax incentive program. It is designed to encourage Canadian businesses of all sizes and in all sectors to conduct scientific research and experimental development in Canada. 

The first privacy impact assessment (version 1.0) of this program was completed in the 2016–2017 fiscal year and version 2.0 in 2017–2018. The privacy impact assessment has been updated (version 3.0) to reflect changes to the program. These changes include new retention and disposition authorities, Footnote 5 new data sources, and new data disclosures.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/scientific-research-experimental
-development-v3.

VidCruiter Pilot

The CRA’s Human Resources Management Program enables effective people management by providing services that support the workforce and workplace excellence. The program is exploring video interview technology as a way to be more flexible in evaluating candidates in a staffing process. We contracted the Canadian company VidCruiter Inc. to provide online recorded video interviewing services.

The privacy impact assessment was completed to assess privacy risks to personal information relating to asynchronous (recorded) video interviewing in a staffing process.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/vidcruiter.

Voluntary Disclosures Program 

The purpose of the Voluntary Disclosures Program is to promote voluntary compliance with the provisions regarding the accounting and payment of duty and tax provisions in the Income Tax Act; Excise Tax Act; Excise Act, 2001; Air Travellers Security Charge Act; and the Softwood Lumber Products Export Charge Act, 2006. The Voluntary Disclosures Program encourages taxpayers to come forward and correct errors or omissions so they meet their legal obligations.

The privacy impact assessment identifies and assesses privacy risks to personal information that relate to administering the Voluntary Disclosures Program’s activities.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada
-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/voluntary-disclosures-program.

Interpretation and explanation of Appendix A – Statistical report

Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2019, to March 31, 2020. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.

Notes

Some totals may be more than 100% due to rounding.

Due to COVID–19, the Access to Information and Privacy Directorate did not close any personal information requests received under the Privacy Act from March 14 to 31, 2020. 

Part 1 – Requests under the Privacy Act

During the reporting period, the CRA received 4,895 new requests under the Privacy Act. This is an increase of 106 requests (2%) from last year’s total of 4,789 requests. Including the 703 requests carried forward from the 2018–2019 reporting period, the CRA had 5,598 active requests in its inventory.

The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past five fiscal years. The number of requests received has increased significantly and the number of pages processed has more than doubled since 2015–2016.

The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past five fiscal years. The number of requests received has increased significantly and the number of pages processed has more than doubled since 2015–2016.
Fiscal year Requests received Requests completed Pages processed
2015–2016 3,048 2,723 476,832
2016–2017 3,174 3,400 1,086,917
2017–2018 3,791 3,821 920,251
2018–2019 4,789 4,599 896,837
2019–2020 4,895 4,728 1,115,075

Other requests and workload

Beyond the 4,895 requests received under the Privacy Act, the CRA processes a high volume of other requests. The additional volume significantly affects operations since resources must be diverted to manage this workload. These additional requests include external and internal consultations, general enquiries, and complaints. For instance, during the fiscal year, the Intake Team of the Access to Information and Privacy Directorate responded to 3,905 emails and 1,013 phone enquiries received through the general enquiries mailbox and toll-free phone line.

Part 2 – Requests closed during the reporting period

Disposition and completion time

The CRA continues to complete a record number of privacy requests. The disposition of the 4,728 requests closed is as follows:

  • 2,078 were fully disclosed (44%)
  • 1,747 were disclosed in part (37%)
  • 2 were exempted in their entirety (0.04%)
  • 36 resulted in no existing records (0.8%)
  • 862 were abandoned by requesters (18%)
  • 3 were neither confirmed nor denied (0.06%)

   

129 (3%) more requests 
were closed in 2019–2020 
than in 2018–2019.

The following chart shows the completion times for the 4,728 requests closed

Image described below
Image description

Completion time

2,354 (50%) in 30 days or under

1,775 (38%) from 31 to 60 days

344 (7%) from 61 to 120 days

255 (5%) in 121 days or more

For more details, see table 2.1 of Appendix A.

Exemptions

The Privacy Act allows an institution to refuse access to specific information when necessary. For example, information about an individual other than the requester cannot be disclosed if the individual has not given consent. For detailed information on each of the exemptions that may be applied, consult section 18 of the Privacy Act

In 2019–2020, the CRA applied the following exemptions, in full or in part, for the 4,728 requests closed during the reporting period:

  • section 19 – Personal information obtained in confidence (27 times)
  • section 22 – Law enforcement and investigation (625 times)
  • section 25 – Safety of individuals (1 time)
  • section 26 – Information about another individual (1,316 times)
  • section 27 – Solicitor-client privilege (452 times)
  • section 28 – Physical or mental health of individuals (3 times)

Exclusions

The Privacy Act does not apply to information that is publicly available, such as information in government publications, libraries, and museums. Also, the Act does not apply to Cabinet confidences.

In 2019–2020, the CRA did not apply any exclusions for information that was publicly available or a Cabinet confidence.

Format of information released

Requesters can choose to receive their response package in paper or DVD format. Persons with disabilities may request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically (in DVD format) significantly reduces manual processes and paper consumption.

   

In 2019–2020, of the 3,825 requests for which information was disclosed in full or in part, 2,742 requests (72%) were released in electronic format.

Complexity

   

In 2019–2020, the directorate processed an average of 238 pages per request.

The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process, and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests. 

For example, to respond to the 4,728 requests closed during the fiscal year, the CRA processed 1,115,075 pages. Of the 3,825 requests for which records were disclosed, 1,236 (32%) involved processing more than 100 pages: 206 of these involved processing more than 1,000 pages and 15 involved processing more than 5,000 pages, including one request that required the review of 45,530 pages. For more details, see table 2.5.2 of Appendix A.

Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see table 2.5.3 of Appendix A.

Closed requests

The Access to Information and Privacy Directorate closed 4,199 (89%) requests within the timelines required by law. This means that responses were provided within 30 calendar days or within an extended deadline. 

Deemed refusals and requests closed beyond legislated timelines

A deemed refusal is a request closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.

Of the 4,728 requests closed during the reporting period, 529 were closed after the deadline, resulting in a deemed refusal rate of 11%. 

Requests for translation

Records are normally released in the language they exist in. However, records may be translated to an official language when requested and when the institution considers a translation or interpretation to be necessary to enable the individual to understand the information.

The CRA received two requests for translation in 2019–2020 and both were fulfilled.

Part 3 – Disclosures under subsections 8(2) and 8(5)

Subsection 8(2) of the Privacy Act states that subject to confidentiality provisions in other acts of Parliament, personal information may be disclosed without consent for limited and specific circumstances. For example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under subsection 8(2), notice must be provided to the Privacy Commissioner of Canada.

During the reporting period, there were no disclosures of personal information under paragraphs 8(2)(e) and (m) and subsection 8(5) of the Privacy Act. For more details, see Part 3 of Appendix A.

Part 4 – Requests for correction of personal information and notations

Under the Privacy Act, an individual who believes their personal information contains an error or omission can request for it to be corrected. When a request for correction has been refused, a notation must be attached to the information reflecting that a correction was requested, but it was refused.

The CRA received two requests to correct personal information in 2019–2020. One request was accepted, while the other did not meet the criteria for a records correction and, as such, a notation was attached to the information and the requester was notified.

Part 5 – Extensions 

The Privacy Act sets the required timelines for responding to privacy requests. Time extensions are allowed under these circumstances:

  • meeting the original time limit would unreasonably interfere with operations
  • there is a need to consult (for example, with a government institution or third party)
  • there is a need to translate or convert records into another format

Of the 4,728 requests closed in 2019–2020, the CRA applied extensions to 2,008 (42%) of them. Extensions were applied 99% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining instances were for internal consultation, translation purposes, and to convert the records into other formats.

Of the 2,008 extensions, eight were for 1 to 15 days in length, while the remaining 2,000 were for 16 to 30 days in length.

Part 6 – Consultations received from other Government of Canada institutions and organizations

In 2019–2020, the Access to Information and Privacy Directorate received and closed eight external consultation requests from other government institutions and organizations. To respond to these requests, 928 pages were reviewed. For more details, including disposition and completion times, see tables 6.1 and 6.2 of Appendix A.

Internal consultations

In 2019–2020, 289 internal privacy consultation requests were completed, an 8% decrease from the previous reporting period. To respond to these requests, the directorate reviewed a total of 10,318 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.

The following chart shows the trend for internal privacy consultation requests received over the past five years.

alt= described below
Image description

Internal Privacy Consultation Trends

In 2015–2016, 202 internal privacy consultation requests were received, 5,837 pages were processed.

In 2016–2017, 253 internal privacy consultation requests were received, 5,311 pages were processed.

In 2017–2018, 328 internal privacy consultation requests were received, 11,033 pages were processed.

In 2018–2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.

In 2019–2020, 288 internal privacy consultation requests were received,10,318 pages were processed.

Part 7 – Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their legal services office to determine if requested information should be excluded. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

In 2019–2020, the CRA did not apply any exclusions for Cabinet confidences.

Part 8 – Complaints and investigation notices received

In 2019–2020, the CRA received 39 complaints under the Privacy Act related to privacy requests – this represents a decrease of 17% compared to 2018–2019. The complaints received were related to the following issues: 

  • time delay (27)
  • non-disclosure (8)
  • refusal due to exemption (1)
  • refusal due to general reasons (1)
  • time extensions (2)

In addition, the CRA received 38 early resolution complaints: 23 of those were escalated to formal complaints, 6 were closed because the Office of Privacy Commissioner of Canada determined in the early resolution process that there was no need to complete a formal investigation, and 9 were carried over to the next fiscal year.

During the fiscal year, the CRA closed 53 complaints – this represents a 152% increase in the number of complaints closed compared to the previous fiscal year. No complaints were pursued to the Federal Court.

The following chart shows the disposition of the 53 complaints closed during the fiscal year.

Image described below
Image description

Complaint dispositions

1 (2%) Settled

9 (17%) Not well-founded

3 (6%) Resolved

40 (75%) Well-founded

For definitions of the disposition categories, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf/.

The Access to Information and Privacy Directorate received 32 privacy related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada during the reporting period. These complaints were not related to Privacy Act requests. The directorate closed 42 complaints and allegations during the reporting period, which included outstanding complaints and allegations from previous reporting periods.

Part 9 – Privacy impact assessments and personal information banks

During the reporting period, the CRA sent 12 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is given earlier in this report.

A personal information bank must be created in Info Source for any collection or grouping of personal information under the control of a government institution that has been used, is being used, or is available for use for an administrative purpose by a program or activity of an institution. The personal information bank must include how the information is organized and retrieved (for example, a person's name, an identifying number or symbol, or other means). Personal information banks are legislated by section 10 of the Privacy Act. During the fiscal period, there were 45 active personal information banks. In the same period, two were created and six were modified.

Part 10 – Material privacy breaches

The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2019–2020, the CRA reported six material privacy breaches to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. 

Part 11 – Resources related to the Privacy Act

Costs

During the 2019–2020 fiscal year, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $8,629,697. This does not include significant support and resources from CRA branches and regions. For more details, see table 11.1 in Appendix A.

Human resources

In 2019–2020, an equivalent of 98 full-time employees were dedicated to administering the Privacy Act.

Interpretation and explanation of Appendix B – Supplemental statistical report

New data on requests affected by COVID–19 measures

In 2019–2020, the Treasury Board of Canada Secretariat included a new requirement to help identify the impact of COVID–19 measures on institutional performance for the 2019–2020 fiscal period. 

For all 3 tables in Appendix B, the period identified as affected by COVID–19 was March 14 to March 31, 2020. More analysis of the effects of COVID–19 on the productivity of the CRA’s Access to Information and Privacy Directorate will be included in the 2020–2021 annual report. The following is a brief overview of the tables included in Appendix B

  • Requests received: Table 1 of Appendix B shows how many requests were received before March 14 and during the affected period. During the affected period, the CRA received 155 requests.
  • Requests closed: Table 2 shows that no requests were closed during the affected period.
  • Requests carried over: Table three shows that, in addition to the 715 requests carried over to the 2020–2021 fiscal period, an additional 155 requests were carried over from the affected period.

Conclusion

The CRA takes privacy and the safeguarding of personal information very seriously. 

In 2019–2020, the CRA continued to make significant progress in addressing challenges to the protection of personal information and in the processing of privacy requests. It did this by: 

  • implementing key changes in the ATIP Way Forward workload management plan 
  • addressing the backlog of requests received under the Privacy Act 
  • collaborating with partners across the CRA to make sure privacy implications are considered for new or revised initiatives involving personal information by building Privacy by Design into the process
  • continuing to enhance the CRA’s privacy management program
  • collaborating with partners to share ways to respond to the changing privacy landscape 

In 2020–2021, the CRA will continue its work to safeguard personal information. Beyond the day-to-day privacy management, the privacy team plans to finalize the CRA wide privacy breach procedures and enhance the privacy information published on the Canada.ca website. Finally, the team will continue to work closely with the Department of Justice Canada and other stakeholders on the Government’s commitment to modernize the Privacy Act.

Regarding the processing of requests, the CRA will continue its work to enhance access to information at the CRA and to make operations more efficient. It will do this by implementing the new organizational structure to further advance the ATIP Way Forward workload management plan and by incorporating Lean principles to process requests. More work to implement epost, other innovative solutions, and digital services to address the workload is also planned for the next fiscal period. This work is even more critical given the additional backlog because of the COVID–19 pandemic.

Appendix A – Statistical report

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2019, to March 31, 2020

Part 1 – Requests under the Privacy Act

1. 1    Number of requests

Part 1 - Requests under the Privacy Act
Requests Number of requests
Received during reporting period 4,895
Outstanding from previous reporting period 703
Total 5,598
Closed during reporting period 4,728
Carried over to next reporting period 870

Part 2 - Requests closed during the reporting period

2.1    Disposition and completion time

Part 2 - Requests closed during the reporting period - 2.1 Disposition and completion time
Disposition of requests 1 to 15
days
16 to 30
days
31 to 60
days
61 to 120
days
121 to 180
days
181 to 365
days
More than
365 days
Total

All disclosed

262 910 837 59 8 2 0 2,078
Disclosed in part 42 327 888 265 79 90 56 1,747
All exempted 0 0 2 0 0 0 0 2
All excluded 0 0 0 0 0 0 0 0
No records exist 6 14 14 1 0 0 1 36
Request abandoned 743 48 34 18 4 1 14 862
Neither confirmed nor denied 1 1 0 1 0 0 0 3
Total 1,054 1,300 1,775 344 91 93 71 4,728

2.2   Exemptions

Part 2 - Requests closed during the reporting period - 2.2 Exemptions
Section Number of requests
18(2) 0
19(1)(a) 9
19(1)(b) 1
19(1)(c) 16
19(1)(d) 1
19(1)(e) 0
19(1)(f) 0
20 0
21 0
22(1)(a)(i) 1
22(1)(a)(ii) 12
22(1)(a)(iii) 0
22(1)(b) 612
22(1)(c) 0
22(2) 0
22.1 0
22.2 0
22.3 0
22.4 0
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 1
26 1,316
27 452
27.1 0
28 3

2.3   Exclusions

Part 2 - Requests closed during the reporting period - 2.3 Exclusions
Section Number of requests
69(1)a) 0
69(1)b) 0
69.1 0
70(1) 0
70(1)a) 0
70(1)b) 0
70(1)c) 0
70(1)d) 0
70(1)e) 0
70(1)f) 0
70.1 0

2.4   Format of information released

Part 2 - Requests closed during the reporting period - 2.4 Format of information released
Paper Electronic Other
1,083 2,742 0

2.5    Complexity

2.5.1    Relevant pages processed and disclosed

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.1 Relevant pages processed and disclosed
Number of pages
processed
Number of pages
disclosed
Number of
requests
1,115,075 877,780 4,692

2.5.2    Relevant pages processed and disclosed by size of requests

Less than 100 pages processed

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.2 Relevant pages processed and disclosed by size of requests - Less than 100 pages processed
Disposition of requests Number of requests Pages disclosed
All disclosed 1,950 59,243
Disclosed in part 639 30,785
All exempted 2 0
All excluded 0 0
Request abandoned 862 0
Neither confirmed nor denied 3 4
Total 3,456 90,032

101 - 500 pages processed

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.2 Relevant pages processed and disclosed by size of requests - 101 - 500 pages processed
Disposition of requests Number of requests Pages disclosed
All disclosed 123 20,596
Disclosed in part 679 148,312
All exempted 0 0
All excluded 0 0
Request abandoned 0 0
Neither confirmed nor denied 0 0
Total 802 168,908

501 - 1000 pages processed

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.2 Relevant pages processed and disclosed by size of requests - 501 - 1000 pages processed
Disposition of requests Number of requests Pages disclosed
All disclosed 2 1,511
Disclosed in part 226 164,880
All exempted 0 0
All excluded 0 0
Request abandoned 0 0
Neither confirmed nor denied 0 0
Total 228 166,391

1001 - 5000 pages processed

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.2 Relevant pages processed and disclosed by size of requests - 1001 - 5000 pages processed
Disposition of requests Number of requests Pages disclosed
All disclosed 3 3,963
Disclosed in part 188 347,349
All exempted 0 0
All excluded 0 0
Request abandoned 0 0
Neither confirmed nor denied 0 0
Total 191 351,312

More than 5000 pages processed

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.2 Relevant pages processed and disclosed by size of requests - More than 5000 pages processed
Disposition of requests Number of requests Pages disclosed
All disclosed 0 0
Disclosed in part 15 101,137
All exempted 0 0
All excluded 0 0
Request abandoned 0 0
Neither confirmed nor denied 0 0
Total 15  101,137

2.5.3    Other complexities

Part 2 - Requests closed during the reporting period - 2.5 Complexity - 2.5.3 Other complexities
Disposition of requests Consultation required Legal advice sought Interwoven information Other Total
All disclosed 0 0 3 4 7
Disclosed in part 8 0 2 15 25
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 2 0 3 51 56
Neither confirmed nor denied 0 0 0 0 0
Total 10 0 8 70 88

2.6    Closed requests

2.6.1    Number of requests closed within legislated timelines

Part 2 - Requests closed during the reporting period - 2.6 - 2.6.1 Number of requests closed within legislated timelines
- Requests closed within legislated timelines
Number of requests closed within legislated timelines 4,199
Percentage of requests closed within legislated timelines (%) 88.8%

2.7    Deemed refusals

2.7.1 Reasons for not meeting legislated timelines

Part 2 - Requests closed during the reporting period - 2.7 - 2.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated deadline Principal reason - Interference with operations / workload Principal reason - External consultation Principal reason - Internal consultation Principal reason - Other
529 443 11 1 74

2.7.2   Number of days past legislated timeline (including any extension taken)

Part 2 - Requests closed during the reporting period - 2.7 - 2.7.2 Number of days past legislated timeline (including any extension taken)
Number of days past legislated timeline Number of requests past legislated timeline where no extension was taken Number of requests past legislated timeline where an extension was taken Total
1 to 15 61 64 125
16 to 30 39 31 70
31 to 60 25 33 58
61 to 120 42 62 104
121 to 180 18 27 45
181 to 365 34 30 64
More than 365  17 46 63
Total 236 293 529

2.8    Requests for translation

Part 2 - Requests closed during the reporting period - 2.8 Requests for translation
Translation requests Accepted Refused Total
English to French 2 0 2
French to English 0 0 0
Total 2 0 2

Part 3 - Disclosures under subsections 8(2) and 8(5)

Part 3 - Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e) Paragraph 8(2)(m) Subsection 8(5) Total
0 0 0 0

Part 4 – Requests to correct personal information and notations

Part 4 - Requests to correct personal information and notations
Disposition for correction requests received Number
Notations attached 1
Requests for correction accepted 1
Total 2

Part 5 – Extensions

5.1    Reasons for extensions and disposition of requests

Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken 15(a)(i) Interference with operations - Further review required to determine exemptions 15(a)(i) Interference with operations - Large volume of pages 15(a)(i) Interference with operations - Large volume of requests 15(a)(i) Interference with operations - Documents are difficult to obtain
2,008 15 130 1,815 35
Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests (part 2)
15(a)(ii) Consultation - Cabinet Confidences (Section 70) 15(a)(ii) Consultation- External 15(a)(ii) Consultation- Internal 15(b) Translation purposes or conversion 
0 0 1 12

5.2   Length of extensions

Part 5 Extensions - 5.2 Length of extensions
Length of extensions (days) 15(a)(i) - Interference with operations - Further review required to determine exemptions 15(a)(i) - Interference with operations - Large volume of pages 15(a)(i) - Interference with operations - Large volume of requests Documents are difficult to obtain
1 to 15 2 0 5 1
16 to 30 13 130 1,810 34
Total 15 130 1,815 35
Part 5 Extensions - 5.2 Length of extensions (part 2)
15(a)(ii) Consultation
Cabinet Confidences (Section 70)
15(a)(ii) Consultation
External
15(a)(ii) Consultation
Internal
15(b) Translation purposes 
or conversion
0 0 0 0
0 0 1 12
0 0 1 12

Part 6 – Consultations received from other institutions and organizations

6.1    Consultations received from other Government of Canada institutions and organizations

Part 6 - Consultations received from other institutions and organizations - 6.1 Consultations received from other Government of Canada institutions and organizations
Consultations  Other Government of Canada institutions Number of pages to review Other organizations Number of pages to review
Received during reporting period 8 928 0 0
Outstanding from the previous reporting period 0 0 0 0
Total 8 928 0 0
Closed during the reporting period
8 928 0 0
Carried over to next reporting period 0 0 0 0

6.2    Recommendations and completion time for consultations received from other Government of Canada institutions

Part 6 - Consultations received from other institutions and organizations - 6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation Completion time - 1 to 15 days Completion time - 16 to 30 days Completion time - 31 to 60 days Completion time - 61 to 120 days Completion time - 121 to 180 days Completion time - 181 to 365 days Completion time - More than 365 days Total
Disclose entirely 0 2 0 0 0 0 0 2
Disclose in part 0 1 1 1 0 0 0 3
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 3 0 0 0 0 3
Total 0 3 4 1 0 0 0 8


6.3    Recommendations and completion time for consultations received from other organizations

Part 6 - Consultations received from other institutions and organizations - 6.3 Recommendations and completion time for consultations received from other organizations
Recommendation  Completion time -
1 to 15 days
Completion time -
16 to 30 days
Completion time -
31 to 60 days
Completion time -
61 to 120 days
Completion time -
121 to 180 days
Completion time -
181 to 365 days
Completion time -
More than 365 days
Total
Disclose entirely 0 0 0 0 0 0 0 0
Disclose in part 0 0 0 0 0 0 0 0
Exempt entirely 0 0 0 0 0 0 0 0
Exclude entirely 0 0 0 0 0 0 0 0
Consult other organization 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7 – Completion time of consultations on Cabinet confidences

7.1   Requests with Legal Services

Part 7 - Completion time of consultations on Cabinet confidences - 7.1 Requests with Legal Services
Number of days Less than 100 pages processed - Number of requests Less than 100 pages processed - Pages disclosed 101 - 500 pages processed - Number of requests 101 - 500 pages processed - Pages disclosed 501 - 1000 pages processed - Number of requests 501 - 1000 pages processed - Pages disclosed 1001 - 5000 pages processed - Number of requests 1001 - 5000 pages processed - Pages disclosed More than 5000 pages processed - Number of requests More than 5000 pages processed - Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

7.2    Requests with Privy Council Office

Part 7 - Completion time of consultations on Cabinet confidences - 7.2 Requests with Privy Council Office
Number of days Less than 100 pages processed - Number of requests Less than 100 pages processed - Pages disclosed 101 - 500 pages processed - Number of requests 101 - 500 pages processed - Pages disclosed 501 - 1000 pages processed - Number of requests 501 - 1000 pages processed - Pages disclosed 1001 - 5000 pages processed - Number of requests 1001 - 5000 pages processed - Pages disclosed More than 5000 pages processed - Number of requests More than 5000 pages processed - Pages disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8 – Complaints and investigations notices received

Part 8 - Complaints and investigations notices received
Section 31 Section 35 Section 37 Court action Total
39 0 91 0 130

Part 9 – Privacy impact assessments and personal information banks

9.1   Privacy impact assessments

Part 9 - Privacy impact assessments and personal information banks - 9.1 Privacy impact assessments
Number of privacy impact assessments completed 12

9.2 Personal information banks

Part 9 - Privacy impact assessments and personal information banks - 9.2 Personal information banks
Active Created Terminated Modified
45 2 0 6

Part 10 – Material privacy breaches

Part 10 - Material privacy breaches
Number of material privacy breaches reported to Treasury Board of Canada Secretariat 6
Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada 6

Part 11 – Resources related to the Privacy Act

11.1    Costs

Part 11 - Resources related to the Privacy Act - 11.1 Costs
Expenditures Amount
Salaries $7,451,594
Overtime $316,591
Goods and Services $861,512
  • Professional services contracts
$72,100
  • Other
$789,412
Total $8,629,697

11.2    Human Resources

Part 11 - Resources related to the Privacy Act - 11.2 Human Resources
Resources Person years dedicated to privacy activities
Full-time employees 98
Part-time and casual employees 0
Regional staff 0
Consultants and agency personnel 4
Students 3
Total 105

Appendix B – Supplemental statistical report

Requests affected by COVID–19 measures

In 2019–2020, the Treasury Board of Canada Secretariat included a new requirement to help identify the impact of COVID–19 measures on institutional performance for the 2019–2020 fiscal period.

Table 1 – Requests received

The following table reports the total number of formal requests received during two periods: 2019-04-01 to 2020-03-13 and 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:

The following table reports the total number of formal requests received during two periods: 2019-04-01 to 2020-03-13 and 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:
- Number of requests
Received from 2019-04-01 to 2020-03-13 4,740
Received from 2020-03-14 to 2020-03-31 155
Total 4,895

Table 2 – Requests closed

The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:

The following table reports the total number of requests closed within the legislated timelines and the number of closed requests that were deemed refusals during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:
- Number of requests closed within the legislated timelines Number of requests closed past the legislated timelines
Received from 2019-04-01 to 2020-03-13 and outstanding from previous reporting periods 4,199 529
Received from 2020-03-14 to 2020-03-31 0 0
Total 4,199 529

Table 3 – Requests carried over

The following table reports the total number of requests carried over during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:

The following table reports the total number of requests carried over during two periods: 2019-04-01 to 2020-03-13 and 2020-03-14 to 2020-03-31:
- Number of requests
Requests from 2019-04-01 to 2020-03-13 and outstanding requests from previous reporting period carried over to the 2020–2021 reporting period 715
Requests from 2020-03-14 to 2020-03-31 carried over to the 2020–2021 reporting period 155
Total 870

Appendix C – Delegation order

Image described below
Image description

Privacy Act

Delegation Order

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders.

Diane Lebouthillier
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 14th day of January, 2016

The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue under the provisions of the Privacy Act and its Regulations are:

Commissioner

  • Full authority

Deputy Commissioner

  • Full authority

Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer

  • Full authority

Director, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority

Assistant Directors, Access to Information and Privacy Directorate, Public Affairs Branch

  • Full authority except for paragraphs 8(2)(j) and (m) and subsection 8(5)

Managers, Access to Information and Privacy Directorate, Public Affairs Branch

  • Authority for subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2), 35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: