2021–2022 Annual Report to Parliament on the Administration of the Privacy Act
Introduction
In keeping with section 72 of the Privacy Act, each year the head of every government institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act.
The following report is tabled in Parliament under the direction of the Minister of National Revenue. It describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2021, and March 31, 2022. It also discusses emerging trends, program delivery, and areas of focus for the year ahead.
Privacy Act
The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of, and disclose individuals’ personal information. As well, it gives individuals (or their authorized representatives) the right to access (with a few specific exceptions), correct, or add notes to their own information.
Individuals who are not satisfied with the way an institution handled their personal information or a formal request they made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.
The Privacy Act’s formal processes do not replace other ways of getting federal government information. The CRA actively encourages individuals and their representatives to get information informally through its online self-service channels, such as My Account and Represent a Client. The CRA continually updates these portals to provide access to more information, which reduces the burden on Canadians to make Privacy Act requests. Also, the CRA actively promotes other informal channels, such as requesting information directly from the CRA through its automated and toll-free phone lines, as alternatives.
Table of contents
About the Canada Revenue Agency
Operational environment including the impact of the COVID-19 pandemic
Interpretation and explanation of Appendix A – Statistical report
Appendix A – Statistical report
Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act
ISSN: 2563-3465
About the Canada Revenue Agency
The Canada Revenue Agency (CRA) promotes and ensures compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians. The CRA does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to partner with the provinces, territories, and other government bodies to share information, and for a fee, can administer enhanced services at the request of provinces and territories.
The minister of national revenue is accountable to Parliament for all the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.
The Board of Management, which was established by the Canada Revenue Agency Act, is made up of 15 directors appointed by the Governor in Council. Each province nominates one director, and the territories take turns nominating one director. The other four directors include the chair, the commissioner and chief executive officer of the CRA, and two directors nominated by the Government of Canada. The board oversees the administration and management of the CRA, including the development of the corporate business plan and management of policies related to resources, services, property, and personnel. In fulfilling this role, the board brings a forward-looking strategic perspective to the CRA’s administration, fosters sound management practices, and commits to delivering efficient and effective service.
As the CRA’s chief executive officer, the commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the minister of national revenue’s delegated authority. They ensure that operations are guided by the CRA’s vision to be trusted, fair, and helpful by putting people first. As well, they are accountable to the board for the management of the CRA, which includes supervising employees, implementing policies, and managing budgets. They also assist and advise the minister about legislated authorities, duties, functions, and Cabinet responsibilities.
The CRA is made up of 12 functional branches and four regional offices across the country:
Branches
- Appeals
- Assessment, Benefit, and Service
- Audit, Evaluation, and Risk
- Collections and Verification
- Compliance Programs
- Finance and Administration
- Human Resources
- Information Technology
- Legal Services
- Legislative Policy and Regulatory Affairs
- Public Affairs
- Service, Innovation, and Integration
Regions
- Atlantic
- Ontario
- Quebec
- Western
Chief Privacy Officer
The assistant commissioner of the Public Affairs Branch is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, they:
- oversee decisions related to privacy, including privacy assessments
- champion personal privacy rights, including managing internal privacy breaches, according to legislation and policy
- report to the CRA’s senior management at least twice a year on the state of privacy management at the CRA
Agency Privacy Council
The Agency Privacy Council was inaugurated in July 2020. It has nine key senior officers, including the chief privacy officer as the chair.
The mandate of the council is to:
- facilitate a horizontal approach to privacy governance
- identify privacy risks
- outline mitigation strategies for the CRA
- act as a steering committee to set the direction on privacy matters and recommend courses of action to senior management committees
During the reporting period, the council met three times. Some of the issues it considered related to:
- approaches to major privacy breaches
- tracking how privacy is managed across the agency
- the Privacy and Access to Information Training and Awareness Strategy
- the Protection of Personal Information Vulnerability Review
In January 2022, the Agency Privacy Council and the AC Security Steering Committee merged to form the Agency Security and Privacy Executive Council. The new executive council:
- acts as a steering committee to set the direction on security and privacy matters
- recommends courses of action to the Planning and Priorities Committee about agency-wide objectives and strategies, business enablers, and investment priorities, and
- recommends courses of action to the Corporate Management Committee for corporate-related issues and initiatives
Personal Information Incident Working Group
The Personal Information Incident Working Group was created in July 2019 to help branches and regions collaborate and make decisions on emerging issues related to suspicious activities and incidents involving personal information.
During the reporting period, the working group provided input on the Privacy and Access to Information Training and Awareness Strategy.
However, the working group was dissolved during the reporting period and replaced with a combined privacy and security director general-level committee that meets monthly.
Access to Information and Privacy Directorate
The Access to Information and Privacy (ATIP) Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the ATIP Directorate:
- responds to requests and questions under the Access to Information Act and the Privacy Act
- responds to consultations, complaints, and informal disclosure requests
- offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
- reviews and, if applicable, publishes information to be proactively disclosed, including briefing note titles and committee material
- gives ATIP training and awareness sessions
- coordinates the privacy assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid or reduce risks
- responds to and manages privacy breaches, enquiries, and complaints
- communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and investigations
- fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on administering the Access to Information Act and the Privacy Act
The director general of the ATIP Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. As well, the director general:
- manages and coordinates the ATIP program
- leads strategic planning and development initiatives, and
- supports the assistant commissioner of the Public Affairs Branch and chief privacy officer of the CRA in the role of ATIP governance
The ATIP Directorate supports two main functions: processing and program support, which includes privacy management. Directorate employees are located in Ottawa, Montréal, and Vancouver. In the 2021–2022 fiscal year, an equivalent of 194 full-time employees administered the Access to Information Act and the Privacy Act.
The following chart shows the structure of the ATIP Directorate.
Image description
First row: Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer
Second row: Director General of the Access to Information and Privacy Directorate
The three areas of responsibility of the Director General of the Access to Information and Privacy Directorate are listed in the three circles below. They are:
first, the Privacy and Access Policy Division; second, the Access, Operations, and Analysis Division; and third, the Access to Information and Privacy Way Forward Initiative.
The four areas of responsibility of the Director of the Privacy and Access Policy Division are listed in the four boxes to the right. They are: the Access to Information Policy and Governance Section, the Privacy Risk and Incident Management Section, the Program Support Section and the Privacy Policy and Governance Section.
The six areas of responsibility of the Director of the Access, Operations, and Analysis Division are listed in the six boxes at the bottom. They are: the Corporate and Complex Case Section, the Vancouver Regional Operations Section, the Montréal Regional Operations Section, the Complaints and Intake Section, the Strategic Compliance Section, and the Legislative & Headquarters Operations Case Section.
The two areas of responsibility of the Director, ATIP Way Forward Modernization Initiative are listed in the two boxes in the far right column. They are: the Business Transformation and Analytics Section and the Innovation and System Support Section.
Delegating responsibilities under the Privacy Act
As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations, and related Treasury Board of Canada Secretariat policies. Subsection 73(1) of the Privacy Act gives the minister the authority to designate one or more CRA officials to perform all or part of the minister’s powers, duties, and functions under the Act.
The Honourable Diane Lebouthillier, Minister of National Revenue, signed the CRA’s current delegation order for the Privacy Act on May 15, 2020. The order identifies specific provisions of the Privacy Act and its regulations that the Minister delegated to various positions within the CRA.
The ATIP Directorate’s director general, directors, assistant directors, and managers of the units approve responses to requests under the Privacy Act. Delegations are also extended to the commissioner, the deputy commissioner and the assistant commissioner of the Public Affairs Branch and chief privacy officer.
For the delegation order and schedule, see Appendix C – Delegation order.
Operational environment including the impact of the COVID-19 pandemic
As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Public Service of Canada. In addition, the CRA collects and manages the personal information of its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information, and the CRA takes the protection of that information very seriously.
During the COVID-19 pandemic, the CRA noticed that unauthorized third parties tried to access Canadians’ personal information using sophisticated technologies to take advantage of emergency relief measures. This created a significant workload for privacy management. ATIP Directorate employees had to work very closely with other CRA areas, oversight bodies, and other federal institutions to apply and enhance privacy and confidentiality safeguards while upholding the principles of open and transparent government.
Other impacts of the pandemic included demonstrations that blocked employees from working onsite to open and send mail for five weeks. The CRA’s innovative efforts at the beginning of the pandemic to put solutions in place to send requests electronically lessened this impact. Instead, it leveraged Canada Post’s Connect service. For more information about the impact of COVID-19 on operations, see Appendix B.
The ATIP Directorate processes one of the largest volumes of requests and pages of any federal institution. According to the latest statistics from the Treasury Board of Canada Secretariat, in 2020–2021 the CRA processed the second largest volume of pages of any federal institution to respond to Privacy Act requests and closed the fourth largest number of requests.
The number of requests the CRA received under the Privacy Act in 2021–2022 (8,763) was 113% higher than in 2020–2021 (4,120). The number of requests completed (8,558) was also 113% higher than in 2020–2021 (4,023). Beyond large page and request volumes, the CRA continues to respond to very complex requests, including many COVID-19-related requests. Complaints and consultations also represent a significant workload for the ATIP Directorate.
The following table shows the trend of requests received under the Privacy Act over the past five years.
Image description
Privacy Act requests trend
In 2017–2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed
In 2018–2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed
In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed
In 2020–2021, 4,120 requests were received, 4,023 were completed, 653,853 pages were processed
In 2021–2022, 8,763 requests were received, 8,558 were completed, 951,414 pages were processed
ATIP Way Forward Modernization Initiative
The ATIP Way Forward Initiative is a project designed to modernize processes and technology to improve productivity and efficiency in the ATIP Directorate. The goal of the initiative is to standardize and re-engineer business processes that support the directorate and make it more efficient. It did this by developing a project management office and governance structure, and by staffing a Lean Centre of Expertise and a Business Intelligence and Reporting Centre.
In 2021–2022, key changes made to enhance productivity and efficiency in the ATIP Directorate included implementing the following initiatives:
Backlog elimination plan
The ATIP Directorate has been working diligently to eliminate its backlog inventory while balancing the requirement to respond on time to a steadily increasing workload of requests received under the Access to Information Act and the Privacy Act, as well as other related inventory such as consultation files and complaints. In the fall of 2021, the ATIP Directorate put a backlog elimination plan in place to address the backlog. The first phase involves closing by September 30, 2022, all requests that the CRA received before March 31, 2019 (186 requests). At the end of the reporting period, 43 requests remained. Phase 2 will focus on closing requests received between April 2019 and March 2020. Responding to requesters in a timely manner and eliminating the backlog remain an ongoing focus of our work.
Level 1 request initiative
The ATIP Directorate routinely receives requests for tax information that does not require redactions (level 1 files). Although each of these requests is not labour-intensive, together they represent a significant volume for the ATIP Directorate. Using Lean methodology and working with local tax service offices, the ATIP Directorate was able to significantly reduce the workload associated with these types of files.
During the reporting period, the ATIP Directorate reduced the average processing time for these requests from 26 days to 11 days. It did this by removing 10 of the 16 steps from the process. This represents a savings of over 1,800 working hours annually.
The ATIP Directorate also communicated with specific frequent requesters and directed them to other more efficient channels, such as My Account and Represent a Client, to get their information.
Audio redaction software
In the past, the CRA had to transcribe any audio recordings before redacting and releasing the transcript. The new audio redaction software, implemented during the reporting period, allows the CRA to redact the information and release it in the original format.
PDF conversion tool
Rather than manually converting records into a PDF so it can process them, the ATIP Directorate created a program to help offices of primary interest prepare the documents for processing by automatically converting the records to PDF. The ATIP Directorate continues to look into enhancements to this software.
Upgraded server supporting the ATIP tracking system
The ATIP Directorate upgraded from one server in each of its three offices to one centralized server. This server is more stable, is easier to upgrade, and has more available space than the individual servers.
Upgraded tracking system to manage privacy breaches
The ATIP Directorate created a new database to manage privacy breaches. The new system provides more stability and has better reporting capabilities.
Lean Centre of Expertise
The ATIP Directorate implemented a centre of expertise that teaches and promotes Lean principles within the directorate. All employees have obtained their Lean white belt certifications, and the directorate sends out videos regularly to reinforce Lean concepts. It also conducts Lean workshops to identify and plan how to implement improvements to its business processes.
Access to Information and Privacy Strategic Plan 2021-2024
The Access to Information and Privacy Strategic Plan 2021-2024 was implemented during the reporting period. The plan outlines the ATIP Directorate’s vision and purpose, strategic priorities, and initiatives. The plan supports service excellence and flows from the Public Affairs Branch’s and the CRA’s strategic plans. The plan focuses on two key priorities: transforming business and information technology and creating a culture of privacy and accountability. It outlines the initiatives planned over the next three years that will help develop plans, projects, and activities to move the ATIP Directorate forward, including working in a paperless environment.
Human resources
In 2021–2022, the ATIP Directorate launched eight selection processes ranging from SP-031 to SP-09 levels and created pools of qualified candidates.
The ATIP Directorate is committed to promoting the one-office model by recruiting the best qualified people regardless of where they are physically located across Canada. It also fully supports creating a respectful, inclusive, and diverse workplace.
Modernizing the Privacy Act
The Privacy Act is being reviewed in a process led by the Department of Justice of Canada. The CRA is an active participant in the interdepartmental working group, which reconvened in early 2022. The group’s discussions focused on possible revisions to the Act, following the Department of Justice’s public consultations in early 2021, in which CRA stakeholder feedback was sought and provided.
In 2022–2023, the CRA will continue to work closely with the Treasury Board of Canada Secretariat, the Department of Justice, and other stakeholders on the Government of Canada’s commitment to modernize the Act.
Protection of Personal Information Vulnerability Review
In March 2021, the Audit, Evaluation, and Risk Branch completed a vulnerability review on the protection of personal information at the CRA. The objectives of the review were to identify key risks relating to the protection of personal information, assess those risks, identify mitigating controls and activities, test select controls in place, and issue recommendations to strengthen control gaps.
CRA management agreed with all the recommendations in the final report and committed to making the necessary amendments to address them.
The following summarizes the ATIP-related recommendations and the corresponding status of each:
Recommendation 3: The Public Affairs Branch should centralize the information needed to perform ATIP reviews and update procedures so that all employees conducting reviews have access to training products, legal opinions, and jurisprudence.
Status: The Access to Information Policy and Governance Section in the ATIP Directorate was established with a mandate to be the centre of expertise for the ATIP Directorate’s operations, including developing and delivering training. Also, the ATIP Directorate centralized its legal opinion repository and made it accessible to all directorate employees. This recommendation has been completed.
Recommendation 4: The Public Affairs Branch should establish a formal quality assurance process on ATIP files to ensure quality and consistency of the application of procedures.
Status: The Public Affairs Branch developed a quality assurance plan that it will pilot by June 2022 and fully implement by March 2023.
Recommendation 14: The Public Affairs Branch should update procedures to verify delivery information before mailing ATIP responses and regularly communicate these updates to employees.
Status: The ATIP Directorate mitigated this risk by digitizing the mail-out process. For electronic delivery, the ATIP Directorate is continually monitoring risks when sending documents electronically to requesters. It will update the procedures in August 2022, at which point the recommendation will be fully implemented.
Training
The ATIP Directorate is committed to promoting and providing ATIP training to CRA employees. This training varies depending on the needs of the employees. For instance, employees who have little or no knowledge of the subject are encouraged to take the Canada School of Public Service’s Fundamentals of Access to Information and Privacy course or the Access to Information in the Government of Canada course. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests. Privacy management training is also delivered throughout the year.
The CRA’s Legal Services Branch also provides training related to the Access to Information Act and the Privacy Act.
In 2021–2022, the CRA continued to offer its suite of 10 web-based modules, which consist of specialized technical training, to ATIP Directorate employees.
In October 2021, as part of the ATIP Way Forward Initiative, directorate employees took part in mandatory Lean White Belt training. Employees who could not attend the training and new hires will participate in the training in 2022–2023.
During the reporting period, directorate employees also participated in privacy training offered by the International Association of Privacy Professionals. This training builds on similar training the employees took during the last reporting period. In previous reporting periods, several directorate employees took part in the association’s training to prepare participants to become certified by the International Association of Privacy Professionals as information privacy professionals (CIPP/C) and as privacy managers (CIPM).
In 2020–2021, the CRA established an agency-wide privacy and access to information training and awareness strategy. During the reporting period, activities took place toward implementing that strategy. These activities included agency-wide surveys and interviews to identify needs and gaps in existing privacy and access to information learning, and to shape new approaches to address them.
During the reporting period, the ATIP Directorate delivered technical training as well as information and awareness sessions to:
- ATIP Directorate employees:
  - Two-week training was delivered to seven new ATIP analysts
  - Half-day training on an Introduction to the Privacy Act and the Access to Information Act was delivered to the Intake Team
- other CRA employees:
  - 16 ATIP information sessions were delivered to 3,025 participants
  - Information gathering and gap analysis on the state of ATIP training were conducted agency-wide
- offices of primary interest and outreach programs:
  - Four teleconferences were delivered to 318 participants
In 2022–2023, the CRA will continue to implement the agency-wide privacy and access to information training and awareness strategy, including expanding training and awareness by offering monthly information sessions to all CRA employees.
Raising awareness
In 2021–2022, beyond the work the CRA completed to enhance its privacy management program, the ATIP Directorate worked on many projects to make employees more aware of their privacy‑related roles and responsibilities.
Every January 28, the CRA celebrates Data Privacy Day, an international initiative, which promotes awareness of the effects of technology on privacy rights and the importance of valuing and protecting personal information.
In January 2022, the CRA held its inaugural Data Privacy Week by extending the annual Data Privacy Day. The agency held a CRA-wide virtual event with guest speaker Nora Young, host of the CBC’s “The Spark.” She talked about data privacy in our current technological landscape, as well as emerging trends, in a presentation titled “From Big Data to Your Data: How Data-Driven Technologies are Shaping the Future.” Over 3,000 employees from across the agency participated in this event.
Also during the reporting period, the ATIP Directorate created and published a new central hub for privacy resources under a redeveloped Chief Privacy Officer page on the CRA’s intranet site. It also drafted a new fact sheet on Privacy by Design and will publish the fact sheet in 2022–2023. Privacy by Design is a cornerstone of the CRA’s Privacy Management Framework.
As well, the ATIP Directorate obtained a short bilingual video about “Access to information and privacy” from the Canada School of Public Service and featured it in the CRA’s intranet Agency News. It also added the awareness video to the ATIP landing page.
Throughout the year, the ATIP Directorate continued to promote awareness of the role that privacy plays in supporting sound privacy management. It participated in various committees and working groups, provided advice to program areas, regularly communicated with employees in the offices of primary interest across the CRA, and collaborated with the Office of the Privacy Commissioner of Canada to organize information sessions for CRA employees on privacy impact assessments.
Collaborating with oversight bodies and other organizations
The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat, and other organizations to strengthen privacy at the CRA. Notably, beyond the many collaborations referenced earlier in this report, in 2021–2022, the CRA:
- communicated frequently with the Office of the Privacy Commissioner of Canada on various subjects, including privacy breaches, privacy investigations, and new or amended initiatives that involve the use of personal information, including the COVID-19 benefit programs the CRA helped administer
- worked closely with the Treasury Board of Canada Secretariat on various items, including privacy breaches, privacy assessments, corporate policy instruments, ATIP request-processing software solutions, and COVID-19 benefit programs
- collaborated with the ATIP community by co-chairing the ATIP Coordinators Working Group. Through this group, departments that receive a large volume of requests share best practices
- co-chaired the ATIP Interdepartmental Modernization Committee. This group identifies and pilots modernization initiatives that impact the entire ATIP community and that other departments can use to improve their processes and modernization solutions
- hosted an innovations meeting with the ATIP team from the Royal Canadian Mounted Police. The primary goal of this meeting was to share best practices since each department is working on their own modernization initiatives
- continued to work with other departments on an ad hoc basis to share strategies and solutions with the aim of maximizing each department’s ability to process ATIP requests and promote privacy and transparency
Privacy Management Program
Enhancing the Privacy Management Program, including policies, guidelines and procedures
The privacy landscape continues to evolve dramatically with ever-expanding digital technologies and automated decision-making.
In 2021–2022, in consultation with the Agency Privacy Council, the Personal Information Incident Working Group, and other agency officials, the CRA implemented an enhanced privacy program that uses Privacy by Design principles, including the completion of the following deliverables from the corporate business plan:
- start reporting on privacy key performance indicators using the 12 metrics derived from best practices and mapped to the CRA’s Privacy Management Framework. These metrics are intended to provide an overview of how the CRA is managing privacy
- complete new procedures for investigative bodies
- implement an agency-wide privacy training and awareness strategy
As well, the CRA Privacy Management Framework, published in 2019–2020, continues to undergo an annual review. The Privacy Management Framework is available at canada.ca/content/dam/cra-arc/migration/cra-arc/scrty/pmf-eng.pdf.
Managing privacy breaches
One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the integrity and protection of taxpayers’ information very seriously and has strong controls in place to prevent privacy breaches. Despite the effectiveness of those controls, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.
The CRA conducts routine scans to identify at-risk credentials (CRA user IDs and passwords) that may be available on the dark web for use by unauthorized individuals. In a number of instances, we found that unauthorized third parties and sources external to the CRA may have obtained the credentials of taxpayers. To detect, protect, and prevent potential instances of fraud and identity theft, the CRA routinely monitors taxpayer accounts for suspicious activity.
When a privacy breach occurs, the ATIP Directorate works closely with CRA program areas to contain and manage the breach and assess the impacts to affected individuals.
When warranted, the CRA notifies and offers credit protection services to help individuals affected by a breach.
This year, the CRA’s Security and Internal Affairs Directorate informed the ATIP Directorate of 55 incidents of alleged or confirmed improper access or disclosure of personal information by CRA employees. Founded misconduct is dealt with promptly and appropriately. If the CRA suspects criminal activity, it refers the matter to the proper authorities. All CRA employees receive mandatory and ongoing security training that highlights the importance of protecting taxpayer information.
Also, the ATIP Directorate received 33 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada. For more information, see Part 9 – Complaints and investigation notices received.
In 2021–2022, most privacy breaches at the CRA resulted from misdirected mail, that is, mail that was incorrectly addressed or sent to the wrong person. However, misdirected mail incidents occur in only 0.003% of the 110 million pieces of mail the CRA handles each year.
The CRA follows Treasury Board of Canada Secretariat guidelines to determine which privacy breaches meet the threshold for notifying the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2021–2022, the CRA reported seven significant privacy breaches to these organizations. Of those seven:
- five involved unauthorized access or disclosure of taxpayer information by CRA employees
- one involved the loss of an unencrypted portable storage device containing taxpayer information, and
- one involved unauthorized access to taxpayer information by unauthorized third parties
The CRA continually strives to monitor and improve its internal processes and systems to further protect taxpayer information. This includes ongoing monitoring of employee access to taxpayer information, limiting employees’ access permissions to only the information they need to do their job, and regularly reviewing employee access to CRA systems.
Updating Information about Programs and Information Holdings (formerly Info Source)
Information about Programs and Information Holdings provides information about the functions, programs, activities, and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. This resource also offers guidance to individuals on how they can access the information that government institutions hold so they can exercise their rights under these acts.
Each institution subject to the Access to Information Act and the Privacy Act must update its chapter annually by the due date set by the Treasury Board of Canada Secretariat, normally in June.
The CRA's Info Source chapter can be found at canada.ca/en/revenue-agency/corporate/about-canada-revenue-agency-cra/access-information-privacy-canada-revenue-agency/information-programs-information-holdings-sources-federal-government-employee-information.
Monitoring compliance
The ATIP Directorate produces multiple reports that capture key statistics about the CRA’s inventory of ATIP requests. The reports show active and closed requests, the status of requests by branch and region, the carry-forward inventory, complaints, and deemed refusal volumes.
Management regularly uses the reports to monitor trends, measure the directorate’s performance, and identify any process changes needed to improve performance. Management presents the reports monthly to senior management at the commissioner-chaired Corporate Management Committee.
During the reporting period, the ATIP Directorate:
- improved its ability to query the ATIP database by using Power Business Intelligence software
- developed automated reports directly linked to source data, which significantly reduced manual intervention and potential errors, and
- created new dynamic and interactive dashboards to provide stakeholders direct and real-time access to data and statistics
Privacy assessments
At the start of any new initiative, the CRA consults with the Office of the Privacy Commissioner of Canada and submits privacy assessments to the office and the Treasury Board of Canada Secretariat so it can identify and mitigate any potential privacy implications.
Privacy impact assessment
In line with the Directive on Privacy Impact Assessment, the CRA conducts privacy impact assessments when new programs or services raise privacy issues. It also does this when changes to programs or services affect the way it collects, uses, or discloses personal information.
Privacy compliance evaluation
During the COVID-19 pandemic, the CRA used a privacy compliance evaluation in place of a full privacy impact assessment for urgent COVID-19-related initiatives that did not continue beyond March 31, 2021.
Privacy protocol assessment
A privacy protocol assessment is a privacy assessment process designed to assess initiatives that have a non-administrative purpose (for example, research, audit, evaluation, and statistical purposes). This assessment makes sure those initiatives comply with the CRA's privacy practices.
Summaries of completed privacy assessments
The CRA completed 14 privacy assessments during the 2021–2022 reporting period: 12 privacy impact assessments, 1 privacy compliance evaluation, and 1 privacy protocol assessment.
As well, the CRA reviewed a significant number of initiatives to assess potential privacy impacts. This review looked at documents such as privacy assessment determination questionnaires, Treasury Board submissions, threat and risk assessments, local application solutions, and written collaborative arrangements.
The CRA publishes summaries of completed privacy assessments at canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.
The following is an overview of the privacy assessments the CRA completed in 2021–2022.
Anonymous Internal Fraud and Misuse Reporting Line Privacy Impact Assessment
This initiative provides individuals with a communication channel to report suspected internal fraud and misuse through the CRA Anonymous Internal Fraud and Misuse Reporting Line, which is administered by an independent third-party contractor.
The privacy impact assessment has been updated to include the ClearView Connects™ contract extension.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/anonymous-internal-misuse-reporting.
Business Refund Set-off Program v2.0
The Business Refund Set-off Program allows the CRA to set off corporation income tax refunds, GST/HST refunds, and specialty business return refunds in accordance with the legislation the CRA administers. The CRA can set off these refunds to other federal agencies and departments, Crown corporations, and provincial and territorial departments that participate in the program.
The CRA updated this privacy impact assessment to include excise duty refunds on cannabis products and fuel charge refunds.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-refund-program-privacy-impact-assessment-summary-business-returns-directorate-assessment-benefit-service-branch.
Canada Emergency Student Benefit
Employment and Social Development Canada established the Canada Emergency Student Benefit to support post-secondary students, recent graduates, and recent high school graduates whose income was affected by the COVID-19 pandemic. The CRA is administering this benefit on behalf of Employment and Social Development Canada and is using existing taxpayer information to verify eligibility, compliance, and enforcement.
This privacy impact assessment covers only the administration of the Canada Emergency Student Benefit.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/canada-emergency-student-benefit-privacy-impact-assessment-summary.
Canada recovery benefits
Recovery benefits comprise the Canada Recovery Benefit, Canada Recovery Sickness Benefit, and Canada Recovery Caregiving Benefit. The Government created these benefits to support workers whose income was affected by the COVID-19 pandemic. The CRA administers these benefits on behalf of Employment and Social Development Canada and uses existing taxpayer information to verify eligibility, compliance, and enforcement.
This privacy impact assessment covers only the administration of the recovery benefits.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/canada-recovery-benefits.
Corporation Returns and Payment Processing Program v3.0
The Corporation Returns and Payment Processing Program is responsible for:
- assessing T2 corporation income tax returns for resident and non-resident corporations
- processing special elections and returns
- processing payments associated with those returns
- administering provincial taxes and credits harmonized with the federal T2 return for all provinces except Quebec and Alberta, and
- administering information specific to treaty agreements with foreign governments so that corporations are not double-taxed
The CRA revised this privacy impact assessment to reflect the updated agreement between Employment and Social Development Canada and the CRA to collect T2 information. The amendment allows the CRA to share protected taxpayer information.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/corporation-returns-payment-processing-program-v-3-0-pia-summary.
COVID-19 one-time disability payment
Issued on October 30, 2020, this payment to persons with disabilities was a non-taxable, non-reportable, one-time payment of up to $600. In 2020 and 2021, newly identified eligible individuals and individuals with updated contact information received the payment.
Employment and Social Development Canada administered this payment as a COVID-19 relief benefit using eligibility information from multiple government sources, including the CRA and Veterans Affairs Canada. Since this one-time benefit involved many potentially overlapping programs, the social insurance number was the most efficient and reliable form of identification to avoid duplicate payments. The CRA supported this one-time payment by identifying individuals who had a valid 2020 disability tax credit and disclosed that information to Employment and Social Development Canada.
As well, Veterans Affairs Canada gave the CRA a list of beneficiaries from its disability support programs who met the eligibility criteria for the one-time payment. The CRA performed matching methodology on these individuals to identify their social insurance number and added the number to the Veterans Affairs file. The CRA then forwarded the file to Employment and Social Development Canada to administer the payments.
This privacy compliance evaluation covered the CRA’s role in supporting this one-time payment, including the CRA’s collection of personal information from Veterans Affairs Canada and its disclosure to Employment and Social Development Canada.
For the complete privacy compliance evaluation summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/covid-19-one-time-disability-payment-provacy-compliance-evaluation-summary.
Contract for the COVID-19 benefits contact centre
The purpose of this contract was to provide short-term contact centre services to respond to a surge in general telephone enquiries about CRA-administered COVID-19 relief benefit programs.
Since the onset of the COVID-19 pandemic, the CRA administered the new benefit programs the Government introduced. These programs resulted in a significant surge in the volume of calls the CRA contact centre received, with no sign that this demand would subside.
Initially, to assist Canadians in their time of need, the CRA created a separate telephone line at the contact centre for general enquiries related to the suite of COVID-19 relief benefits. Thousands of CRA employees volunteered to staff this line so they could help deliver these benefits. However, as the CRA resumed business, the staffing levels on this line reached a critical level.
The CRA needed another solution to continue serving Canadians effectively and efficiently. Also, the CRA staffed thousands of frontline agents in an effort to support more complex and account-specific enquiries, but it needed more support for low complexity general enquiries. To maintain priority for the COVID-19 benefit phone enquiries, the CRA sought temporary assistance from a third-party service provider.
The Assessment, Benefit, and Service Branch engaged in a short-term contract for contact centre services to address these general and non-protected phone enquiries. The contractor was neither connected to nor had access to any internal CRA IT systems. Callers with complex and account-specific enquiries were advised to call CRA contact centres where agents with the right experience and access would help them. The period of this short-term contract was from February 1, 2021, to August 31, 2021.
For the complete privacy protocol assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/covid-19-benefits-contract-center-contract-privacy-protocol-assessment-summary.
EFILE online services
The EFILE Online Services Program is responsible for registering, screening, and monitoring EFILE applicants, as well as managing the credentials used to allow access to secure online program applications related to EFILE. All EFILE applicants are evaluated and monitored to make sure they adhere to high standards of conduct and integrity in order to safeguard the system and maintain a high level of public confidence in electronic filing.
The CRA completed this privacy impact assessment to identify and assess any risks to personal information the EFILE Online Services Program collects, as well as to establish an action plan to reduce the impact of the risks identified during the assessment.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/efile-online-services.
Income Verification Services Program v3.0
The Income Verification Services Program helps federal, provincial, and territorial partners determine eligibility for income-tested programs, such as drug cost assistance, housing, and student loans and grants. The CRA provides taxpayer information to these programs with the consent of each applicant. The CRA sends proof of the applicant’s income electronically to the partner government organization, allowing for faster processing and reduced wait times for applicants.
The CRA completed an update to the privacy impact assessment in 2022 to include recent additions made to the different programs.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/income-verification-services-v-3.
Individual Refund Set-Off program
Under the Individual Refund Set-Off Program, the CRA applies an individual’s tax refunds and certain credits against debts the individual owes to the Crown. Any federal, provincial or territorial department, agency, or Crown corporation may participate in this program, subject to the CRA’s legislative and policy requirements.
The CRA updated the program’s privacy impact assessment to include two federal departments that recently joined the program: Natural Resources Canada and Public Safety Canada.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-return-set-off-program.
Individual Returns Assessment Program
This program helps individuals voluntarily comply with Canada’s tax laws by processing their information and payments as quickly and accurately as possible, and by giving them the results of their assessment or reassessment.
The privacy impact assessment identifies and assesses the privacy risks to personal information from processing individual taxpayer income tax returns for the federal government and for most provinces and territories. The processing includes initial assessments, payments, validations, accounting, and adjustments, as well as determining eligibility for various refundable amounts.
As the CRA continually seeks to provide a better experience for its clients, it updated the privacy impact assessment in 2021 to include recent improvements made to the operations of the program.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-returns-assessment-program-pia-summary.
Office of the Taxpayers' Ombudsperson Program v2.0
The Office of the Taxpayers' Ombudsperson Program conducts impartial examinations of unresolved service complaints from individual taxpayers and benefit recipients who feel that the CRA has treated them unfairly.
Under the program, taxpayers, benefit recipients or their representatives submit their service complaints to the Office of the Taxpayers' Ombudsperson by mail, fax, or that office’s online complaint form. In rare cases, the complaints may be hand delivered. Taxpayers, benefit recipients or their representatives may call the Office of the Taxpayers' Ombudsperson’s general enquiry line for information before submitting a complaint.
Taxpayers have to complete a Permission to Disclose form that enables the Office of the Taxpayers' Ombudsperson to share information with the CRA, and also permits the CRA to provide information to the Office of the Taxpayers' Ombudsperson.
Other requests are sent by encrypted email to a restricted mailbox at the Ombudsman Liaison Office in the Service, Innovation and Integration Branch. These requests include a Request for Information, Requests for Action, or Urgent Requests for Information within the Office of the Taxpayers' Ombudsperson’s mandate.
This privacy impact assessment identifies and assesses privacy risks to the collection of personal information relating to the Office of the Taxpayers’ Ombudsperson program activities. The CRA updated this assessment to notify the public about the office title change and the CRA’s plans to use epost Connect.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/office-taxpayers-ombudsman-v2.
Part XIII Non-Resident Withholding Program
The Part XIII Non-Resident Withholding Program is responsible for ensuring compliance with:
- the withholding, remitting, reporting, and filing obligations under Part XIII of the Income Tax Act
- various elections, and
- requests for refunds that are submitted by businesses, third parties, and individuals
The CRA updated the privacy impact assessment to reflect the CRA’s implementation of the Non Resident Source Deductions Identification Project. This project improves the functionality of registration and identification, and properly categorizes non-resident accounts to cross-reference them with their taxpayer entity.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/part-xiii-non-resident-withholding-program.
Pooled Registered Pension Plans Program
Pooled registered pension plans are professionally administered, defined contribution style pension plans targeted to employees and self-employed persons who do not have access to a workplace pension plan. These plans may pool the funds in the accounts of participating plan members to achieve low costs in relation to investment management and plan administration. Contributions and investment earnings are tax exempt until the plan starts to pay the benefits.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/pooled-registered-pension-plans-program.
Interpretation and explanation of Appendix A – Statistical report
Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2021, to March 31, 2022. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.
Notes
Some totals may be more than 100% due to rounding.
Part 1 – Requests under the Privacy Act
During the reporting period, the CRA received 8,763 new requests under the Privacy Act. This is an increase of 4,643 requests (113%) from last year’s total of 4,120 requests. Including the 964 requests carried forward from the 2020–2021 reporting period, the CRA had 9,727 active requests in its inventory.
The following table shows the number of requests the CRA received and closed under the Privacy Act, as well as the number of pages it processed over the past five fiscal years.
Fiscal year | Requests received | Requests closed | Pages processed |
---|---|---|---|
2017–2018 | 3,791 | 3,821 | 920,251 |
2018–2019 | 4,789 | 4,599 | 896,837 |
2019–2020 | 4,895 | 4,728 | 1,115,075 |
2020–2021 | 4,120 | 4,023 | 653,853 |
2021–2022 | 8,763 | 8,558 | 951,414 |
The following table shows the channels of the 8,763 requests received during the 2021–2022 reporting period.
Channel | Number of requests | Percentage |
---|---|---|
Online | 6,728 | 77% |
 | 324 | 3.7% |
 | 874 | 10% |
In person | 0 | 0% |
Phone | 3 | 0.03% |
Fax | 834 | 9.5% |
Other requests and workload
Beyond the 8,763 requests received under the Privacy Act, the CRA processed a high volume of other requests. The additional volume significantly affected operations, since resources had to be diverted to manage the workload. The additional requests included external and internal consultations, general enquiries and complaints. During the fiscal year, the Intake Team of the Access to Information and Privacy Directorate responded to 3,300 emails and 1,367 phone enquiries received through the general enquiries mailbox and toll-free phone line.
Part 2 – Informal requests
The CRA did not receive or close any informal requests under the Privacy Act in 2021–2022.
Part 3 – Requests closed during the reporting period
The following chart shows the completion times for the 8,558 requests closed in 2021–2022.
Completion time
6,911 (86%) in 30 days or under
1,145 (13%) from 31 to 60 days
244 (3%) from 61 to 120 days
258 (3%) in 121 days or more
For more details, see table 3.1 of Appendix A.
Exemptions
The Privacy Act allows an institution to refuse access to specific information when necessary. For example, the CRA can refuse to give a requester information about another individual if that individual has not given consent. For detailed information on each of the exemptions that may be applied, see section 18 of the Privacy Act.
In 2021–2022, the CRA applied the following exemptions, in full or in part, to the 8,558 requests closed during the reporting period:
- section 19 – Personal information obtained in confidence (23 times)
- section 22 – Law enforcement and investigation (272 times)
- section 25 – Safety of individuals (1 time)
- section 26 – Information about another individual (871 times)
- section 27 – Solicitor client privilege (96 times)
Exclusions
The Privacy Act does not apply to information that is publicly available, such as information in government publications, libraries, and museums. Also, the act does not apply to Cabinet confidences. In 2021–2022, the CRA did not apply any exclusions for information that was publicly available or a Cabinet confidence.
Format of information released
Requesters can choose to receive their response package on paper or electronically. Persons with disabilities may ask for information in alternative formats, such as braille, although the CRA did not receive any of these requests this fiscal year. Providing documents electronically is more efficient because it significantly reduces manual processes, and it is environmentally friendly and secure. Notably, there was a 21% increase in the volume of requests sent electronically in 2021–2022 compared to 2020–2021.
In 2021–2022, of the 7,000 requests for which information was disclosed in full or in part, 6,589 requests (94%) were released in electronic format.
Complexity
The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests. For example, to respond to the 8,399 requests it closed during the fiscal year (excluding requests where no records exist), the CRA processed 951,414 pages. Of these requests, 1,091 involved processing more than 100 pages, 164 involved processing more than 1,000 pages, and 19 involved processing more than 5,000 pages.
Of note, 6 requests involved processing more than 10,000 pages, and 1 of these requests involved processing more than 50,000 pages.
In addition to paper records, the CRA also processes requests for audio and video records. There were no requests for these formats in 2021–2022 under the Privacy Act. Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see tables 3.5.2 to 3.5.7 of Appendix A.
In 2021–2022, the ATIP Directorate processed an average of 112 pages per request.
Closed requests
The ATIP Directorate closed 7,932 (93%) requests within the timelines required by law. This means that it provided responses within 30 calendar days or within an extended deadline. This is the highest compliance rate for the CRA since 2018–2019.
Deemed refusals
A deemed refusal is a request closed after the deadline of 30 calendar days, or after the extended deadline if a time extension was taken.
Of the 8,558 requests closed during the reporting period, 626 were closed after the deadline. This resulted in a deemed refusal rate of 7%.
Requests for translation
Records are normally released in the language they exist in. However, the institution may translate records to an official language if requested, or if the institution considers a translation to be necessary so the individual can understand the information.
The CRA received two requests for translation in 2021–2022. The CRA fulfilled both requests.
Part 4 – Disclosures under subsections 8(2) and 8(5)
Subsection 8(2) of the Privacy Act states that subject to confidentiality provisions in other acts of Parliament, an institution may disclose personal information without consent for limited and specific circumstances. This is the case, for example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under subsection 8(2), the institution must notify the Privacy Commissioner of Canada.
During the reporting period, the CRA had one disclosure of personal information under paragraph 8(2)(e) of the Privacy Act. Paragraph 8(2)(e) permits disclosure, without the consent of the individual to whom the information pertains, to an investigative body specified in the Privacy Act regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed.
Part 5 – Requests for correction of personal information and notations
Under the Privacy Act, an individual who believes their personal information contains an error or omission can ask for it to be corrected. When a request for correction has been refused, a notation must be attached to the information reflecting that a correction was requested and refused.
The CRA received one request to correct personal information in 2021–2022. This request did not meet the criteria for a records correction; therefore, the CRA attached a notation to the information and notified the requester.
Part 6 – Extensions
The Privacy Act sets the required timelines for responding to requests for personal information. The Act allows time extensions under these circumstances:
- meeting the original time limit would unreasonably interfere with operations
- there is a need to consult (for example, with a government institution or another third party), and
- there is a need to translate or convert records into another format
Of the 8,558 requests closed in 2021–2022, the CRA applied extensions to 1,101 (13%) of them. It applied those extensions 99% of the time because of the workload and because meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The CRA applied the remaining extensions because of the need for internal and external consultations, translation, and converting records into other formats.
Of the 1,101 extensions, 7 were for 1 to 15 days in length and 1,094 were for 16 to 30 days in length.
Part 7 – Consultations received from other institutions and organizations
In 2021–2022, the ATIP Directorate received and closed five external consultation requests from other Government of Canada institutions and organizations. To respond to these requests, it reviewed 836 pages.
Internal consultations
In 2021–2022, 160 internal privacy consultation requests were completed, a 20% increase from the previous reporting period. To respond to these requests, the directorate reviewed a total of 2,288 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.
The following chart shows the trend for internal privacy consultation requests received over the past five years.
Internal Privacy Consultation Trends
In 2017–2018, 327 internal privacy consultation requests were received, 11,033 pages were processed.
In 2018–2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.
In 2019–2020, 288 internal privacy consultation requests were received, 10,318 pages were processed.
In 2020–2021, 105 internal privacy consultation requests were received, 5,824 pages were processed.
In 2021–2022, 180 internal privacy consultation requests were received, 2,288 pages were processed.
Part 8 – Completion time of consultations on Cabinet confidences
Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), Treasury Board of Canada Secretariat policies require agencies and departments to consult with their legal services office to determine if they should exclude requested information. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.
In 2021–2022, the CRA did not have to consult with Legal Services of the Privy Council Office for Cabinet confidences.
Part 9 – Complaints and investigation notices received
In 2021–2022, the CRA received 13 complaints under the Privacy Act related to privacy requests. The complaints it received related to the following issues:
- time delay (2)
- non-disclosure (4)
- refusal due to exemption (7)
In addition, the CRA received 24 early-resolution complaints:
- 1 of those was escalated to a formal complaint
- 11 were closed because the Office of the Privacy Commissioner of Canada determined in the early-resolution process that there was no need to complete a formal investigation, and
- 12 were carried over to the next fiscal year
During the fiscal year, the CRA closed 22 complaints. This represents a 10% increase in the number of complaints it closed during the previous fiscal year. In addition, the CRA completed 12 early-resolution complaints.
The following chart shows the disposition of the 22 complaints closed during the fiscal year.
Image description
The following chart shows the disposition of the 20 complaints closed during the fiscal year.
Complaint dispositions
12 (55%) Not well-founded
1 (4%) Resolved
9 (41%) Well-founded
For definitions of the disposition categories, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf.
The ATIP Directorate received 33 privacy related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada during the reporting period. These complaints were not related to Privacy Act requests. The directorate closed 32 complaints and allegations during the reporting period. These included outstanding complaints and allegations from previous reporting periods.
In 2021–2022, there were no complaints pursued to the Federal Court.
Part 10 – Privacy impact assessments and personal information banks
During the reporting period, the CRA sent 12 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is described in the “Privacy assessments” section of this report.
A personal information bank must be created in the Information about Programs and Information Holdings (formerly InfoSource) for any collection or grouping of personal information under the control of a government institution that:
- has been used
- is being used, or
- is available for a program or activity of an institution to use for an administrative purpose
The personal information bank must include how the information is organized and retrieved (for example, by a person's name, or by an identifying number or symbol). Personal information banks are legislated by section 10 of the Privacy Act. During the fiscal period, there were 96 active personal information banks. In the same period, three were created and nine were modified.
Part 11 – Privacy breaches
The CRA follows the Treasury Board of Canada Secretariat guidelines to determine which privacy breaches meet the threshold for notifying the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2021–2022, the CRA reported seven material privacy breaches to the office and the secretariat.
Part 12 – Resources related to the Privacy Act
Costs
During the 2021–2022 fiscal year, the ATIP Directorate’s direct cost to administer the Privacy Act was $15,311,390. This includes $78,773.06 in credit protection services provided to individuals affected by privacy breaches. However, it does not include significant support and resources from CRA branches and regions. For more details, see Table 12.1 of Appendix A.
Human resources
In 2021–2022, the CRA dedicated an equivalent of 158 full time employees, in addition to 2 consultants and agency personnel and 6 students, to administering the Privacy Act. Many of these employees simultaneously administer the Access to Information Act.
Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act
The following is a brief overview of the tables included in Appendix B:
- Table 1: The CRA was able to receive requests by mail for 47 of the 52 weeks in 2021–2022. The CRA however had full capacity throughout the reporting period to process electronic records.
- Tables 2.1 and 2.2: The CRA was able to process unclassified, Protected B, Secret, and Top Secret paper records for 47 of the 52 weeks in 2021. The CRA however had full capacity throughout the reporting period to process electronic records.
Note: The CRA was unable to receive requests by mail or process paper records for a five week period because of the truck convoy that occupied the Ottawa downtown area.
- Table 3.1: At the end of the fiscal year, the CRA had 1,072 Access to Information Act requests outstanding: 610 of these were within legislated timelines, while 462 were beyond legislated timelines. The CRA received 269 of these requests before 2021–2022, and it will address many of these through the CRA backlog elimination plan.
- Table 3.2: At the end of the fiscal year, the CRA had 222 open complaints with the Information Commissioner of Canada.
- Table 4.1: At the end of the fiscal year, the CRA had 1,169 Privacy Act requests outstanding: 904 of these were within legislated timelines, while 265 were beyond legislated timelines. The CRA received 85 of these requests before 2021–2022, and it will address many of these through the CRA backlog elimination plan.
- Table 4.2: At the end of the fiscal year, the CRA had 35 open complaints with the Privacy Commissioner of Canada.
- Table 5: The CRA has reported that it received the authority for a new collection of the social insurance number in 2021–2022.
Conclusion
Despite the growing demands on the ATIP program and the ever-challenging privacy landscape, the CRA continued to make significant progress in addressing any challenges in protecting personal information and in processing Privacy Act requests. The CRA did this by:
- processing ATIP requests using Lean methodology
- addressing the backlog through the backlog elimination plan
- developing a Quality Assurance Review Plan
- promoting Privacy by Design across the CRA
- reporting on the state of privacy with new key performance indicators
- drafting governance material in preparation to merge the Agency Privacy Council and the AC Security Steering Committee to form the Agency Security and Privacy Executive Council
- implementing the Privacy and Access to Information Training and Awareness Strategy
- implementing the Access to Information and Privacy Strategic Plan 2021-2024
In 2022–2023, the ATIP Directorate will focus on the priorities in its strategic plan, including leading the directorate’s business transformation and technology modernization and continuing to create a culture of privacy, transparency and accountability.
The directorate will also continue to implement the backlog elimination plan with a focus on completing Phase 1 by March 31, 2023, and starting Phase 2, which has a planned completion date of March 31, 2024. Another priority during the fiscal year will be to continue to develop and implement innovative solutions to address requests for taxpayer information that can be provided by channels more efficient than the Access to Information Act or the Privacy Act, such as My Account, My Business Account, or Represent a Client.
Appendix A – Statistical report
Statistical report on the Privacy Act
Name of institution: Canada Revenue Agency
Reporting period: April 1, 2021, to March 31, 2022
Part 1 – Requests under the Privacy Act
1.1 Number of requests
Number of requests | ||
---|---|---|
Received during reporting period | 8,763 | |
Outstanding from previous reporting periods | 964 | |
Outstanding from previous reporting period | 700 | |
Outstanding from more than one reporting period | 264 | |
Total | 9,727 | |
Closed during reporting period | 8,558 | |
Carried over to next reporting period | 1,169 | |
Carried over within legislated timeline | 904 | |
Carried over beyond legislated timeline | 265 |
1.2 Channels of requests
Channel | Number of requests |
---|---|
Online | 6,728 |
324 | |
874 | |
In Person | 0 |
Phone | 3 |
Fax | 834 |
Total | 8,763 |
Part 2 – Informal requests
2.1 Number of informal requests
Number of requests | ||
---|---|---|
Received during reporting period | 0 | |
Outstanding from previous reporting periods | 0 | |
|
0 | |
|
0 | |
Total | 0 | |
Closed during reporting period | 0 | |
Carried over to next reporting period | 0 |
2.2 Channels of requests
Channel | Number of requests |
---|---|
Online | 0 |
0 | |
0 | |
In Person | 0 |
Phone | 0 |
Fax | 0 |
Total | 0 |
2.3 Completion time of informal requests
Completion Time (Days) | |||||||
---|---|---|---|---|---|---|---|
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
2.4 Pages released informally
Less than 100 pages processed | 101 to 500 pages processed | 501 to 1000 pages processed | 1001 to 5000 pages processed | More than 5000 pages processed | |||||
---|---|---|---|---|---|---|---|---|---|
Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed |
0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Disposition of requests | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
---|---|---|---|---|---|---|---|---|
All disclosed | 1,256 | 3,187 | 641 | 65 | 3 | 5 | 2 | 5,159 |
Disclosed in part | 135 | 933 | 448 | 148 | 46 | 57 | 74 | 1,841 |
All exempted | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
No records exist | 13 | 51 | 13 | 1 | 0 | 3 | 0 | 81 |
Request abandoned | 1,235 | 101 | 42 | 30 | 23 | 5 | 40 | 1,476 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 2,639 | 4,272 | 1,145 | 244 | 72 | 70 | 116 | 8,558 |
3.2 Exemptions
Section | Number of requests | Section | Number of requests | Section | Number of requests |
---|---|---|---|---|---|
18(2) | 0 | 22(1)(a)(i) | 0 | 23(a) | 0 |
19(1)(a) | 9 | 22(1)(a)(ii) | 9 | 23(b) | 0 |
19(1)(b) | 0 | 22(1)(a)(iii) | 2 | 24(a) | 0 |
19(1)(c) | 12 | 22(1)(b) | 261 | 24(b) | 0 |
19(1)(d) | 2 | 22(1)(c) | 0 | 25 | 1 |
19(1)(e) | 0 | 22(2) | 0 | 26 | 871 |
19(1)(f) | 0 | 22.1 | 0 | 27 | 96 |
20 | 0 | 22.2 | 0 | 27.1 | 0 |
21 | 0 | 22.3 | 0 | 28 | 0 |
- | - | 22.4 | 0 | - | - |
3.3 Exclusions
Section | Number of requests | Section | Number of requests | Section | Number of requests |
---|---|---|---|---|---|
69(1)(a) | 0 | 70(1) | 0 | 70(1)(d) | 0 |
69(1)(b) | 0 | 70(1)(a) | 0 | 70(1)(e) | 0 |
69.1 | 0 | 70(1)(b) | 0 | 70(1)(f) | 0 |
- | - | 70(1)(c) | 0 | 70.1 | 0 |
3.4 Format of information released
Paper | Electronic: E-record | Electronic: Data set | Electronic: Video | Electronic: Audio | Other |
---|---|---|---|---|---|
411 | 6,589 | 0 | 0 | 0 | 0 |
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of pages processed | Number of pages disclosed | Number of requests |
---|---|---|
951,414 | 759,893 | 8,477 |
3.5.2 Relevant pages processed and disclosed by request disposition for paper and e-record formats by size of requests
Disposition of requests | Less than 100 pages processed: Number of requests | Less than 100 pages processed: Number of pages disclosed | 101 to 500 pages processed: Number of requests | 101 to 500 pages processed: Number of pages disclosed | 501 to 1000 pages processed: Number of requests | 501 to 1000 pages processed: Number of pages disclosed | 1001 to 5000 pages processed: Number of requests | 1001 to 5000 pages processed: Number of pages disclosed | More than 5000 pages processed: Number of requests | More than 5000 pages processed: Number of pages disclosed |
---|---|---|---|---|---|---|---|---|---|---|
All disclosed | 4,786 | 155,689 | 359 | 53,974 | 9 | 5,796 | 4 | 5,748 | 1 | 6,912 |
Disclosed in part | 1,129 | 48,306 | 455 | 93,882 | 101 | 72,954 | 138 | 289,868 | 18 | 208,699 |
All exempted | 1 | 14 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 1,470 | 123 | 1 | 403 | 2 | 1,636 | 3 | 7,410 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 7,386 | 204,132 | 815 | 148,259 | 112 | 80,386 | 145 | 303,026 | 19 | 215,611 |
3.5.3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed | Number of minutes disclosed | Number of requests |
---|---|---|
0 | 0 | 0 |
3.5.4 Relevant minutes processed per request disposition for audio formats by size of request
Disposition of requests | Less than 60 minutes processed: Number of requests | Less than 60 minutes processed: Minutes processed | 60-120 minutes processed: Number of requests | 60-120 minutes processed: Minutes processed | More than 120 minutes processed: Number of requests | More than 120 minutes processed: Minutes processed |
---|---|---|---|---|---|---|
All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 |
3.5.5 Relevant minutes processed and disclosed for video formats
Number of minutes processed | Number of minutes disclosed | Number of requests |
---|---|---|
0 | 0 | 0 |
3.5.6 Relevant minutes processed per request disposition for video formats by size of request
Disposition of requests | Less than 60 minutes processed: Number of requests | Less than 60 minutes processed: Minutes processed | 60-120 minutes processed: Number of requests | 60-120 minutes processed: Minutes processed | More than 120 minutes processed: Number of requests | More than 120 minutes processed: Minutes processed |
---|---|---|---|---|---|---|
All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 |
3.5.7 Other complexities
Disposition of requests | Consultation required | Legal advice sought | Interwoven information | Other | Total |
---|---|---|---|---|---|
All disclosed | 0 | 0 | 0 | 13 | 13 |
Disclosed in part | 20 | 2 | 0 | 13 | 35 |
All exempted | 0 | 0 | 0 | 0 | 0 |
All excluded | 0 | 0 | 0 | 0 | 0 |
Request abandoned | 1 | 0 | 0 | 17 | 18 |
Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
Total | 21 | 2 | 0 | 43 | 66 |
3.6 Closed requests
3.6.1 Number of requests closed within legislated timelines
Requests closed within legislated timelines | |
---|---|
Number of requests closed within legislated timelines | 7,932 |
Percentage of requests closed within legislated timelines (%) | 92.69 |
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines | Principal reason: Interference with operations/workload | Principal reason: External consultation | Principal reason: Internal consultation | Principal reason: Other |
---|---|---|---|---|
626 | 549 | 2 | 3 | 72 |
3.7.2 Number of days past legislated timeline (including any extension taken)
Number of days past legislated timeline | Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timeline where an extension was taken | Total |
---|---|---|---|
1 to 15 | 94 | 49 | 143 |
16 to 30 | 69 | 20 | 89 |
31 to 60 | 65 | 29 | 94 |
61 to 120 | 76 | 19 | 95 |
121 to 180 | 24 | 9 | 33 |
181 to 365 | 52 | 17 | 69 |
More than 365 | 48 | 55 | 103 |
Total | 428 | 198 | 626 |
3.8 Requests for translation
Translation requests | Accepted | Refused | Total |
---|---|---|---|
English to French | 2 | 0 | 2 |
French to English | 0 | 0 | 0 |
Total | 2 | 0 | 2 |
Part 4 ‑ Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
---|---|---|---|
1 | 0 | 0 | 1 |
Part 5 – Requests to correct personal information and notations
Disposition for correction requests received | Number |
---|---|
Notations attached | 1 |
Requests for correction accepted | 0 |
Total | 1 |
Part 6 ‑ Extensions
6.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken | 15(a)(i) Interference with operations: Further review required to determine exemptions | 15(a)(i) Interference with operations: Large volume of pages | 15(a)(i) Interference with operations: Large volume of requests | 15(a)(i) Interference with operations: Documents are difficult to obtain |
---|---|---|---|---|
1,101 | 7 | 43 | 1,030 | 16 |
15(a)(ii) Consultation: Cabinet confidences (Section 70) | 15(a)(ii) Consultation: External | 15(a)(ii) Consultation: Internal | 15(b) Translation purposes or conversion |
---|---|---|---|
0 | 1 | 2 | 2 |
6.2 Length of extensions
Length of extensions (days) | 15(a)(i) Interference with operations: Further review required to determine exemptions | 15(a)(i) Interference with operations: Large volume of pages | 15(a)(i) Interference with operations: Large volume of requests | 15(a)(i) Interference with operations: Documents are difficult to obtain |
---|---|---|---|---|
1 to 15 | 0 | 0 | 7 | 0 |
16 to 30 | 7 | 43 | 1,023 | 16 |
31 days or greater | N/A | N/A | N/A | N/A |
Total | 7 | 43 | 1,030 | 16 |
Length of extensions (days) | 15(a)(ii) Consultation: Cabinet confidences (Section 70) | 15(a)(ii) Consultation: External | 15(a)(ii) Consultation: Internal | 15(b) Translation purposes or conversion |
---|---|---|---|---|
1 to 15 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 1 | 2 | 2 |
31 days or greater | N/A | N/A | N/A | 0 |
Total | 0 | 1 | 2 | 2 |
Part 7 – Consultations received from other institutions and organizations
7.1 Consultations received from other Government of Canada institutions and organizations
Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
---|---|---|---|---|
Received during reporting period | 5 | 836 | 0 | 0 |
Outstanding from the previous reporting period | 0 | 0 | 0 | 0 |
Total | 5 | 836 | 0 | 0 |
Closed during the reporting period | 5 | 836 | 0 | 0 |
Carried over to next reporting period | 0 | 0 | 0 | 0 |
Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
---|---|---|---|---|---|---|---|---|
Disclose entirely | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 3 |
Disclose in part | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
Total | 2 | 3 | 0 | 0 | 0 | 0 | 0 | 5 |
7.3 Recommendations and completion time for consultations received from other organizations
Recommendation | 1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
---|---|---|---|---|---|---|---|---|
Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8 – Completion time of consultations on Cabinet confidences
8.1 Requests with Legal Services
Number of days | Less than 100 pages processed: Number of requests | Less than 100 pages processed: Pages disclosed | 101 - 500 pages processed: Number of requests | 101 - 500 pages processed: Pages disclosed | 501 - 1000 pages processed: Number of requests | 501 - 1000 pages processed: Pages disclosed | 1001 - 5000 pages processed: Number of requests | 1001 - 5000 pages processed: Pages disclosed | More than 5000 pages processed: Number of requests | More than 5000 pages processed: Pages disclosed |
---|---|---|---|---|---|---|---|---|---|---|
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
8.2 Requests with Privy Council Office
Number of days | Less than 100 pages processed: Number of requests | Less than 100 pages processed: Pages disclosed | 101 - 500 pages processed: Number of requests | 101 - 500 pages processed: Pages disclosed | 501 - 1000 pages processed: Number of requests | 501 - 1000 pages processed: Pages disclosed | 1001 - 5000 pages processed: Number of requests | 1001 - 5000 pages processed: Pages disclosed | More than 5000 pages processed: Number of requests | More than 5000 pages processed: Pages disclosed |
---|---|---|---|---|---|---|---|---|---|---|
1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 9 ‑ Complaints and investigations notices received
Section 31 | Section 33 | Section 35 | Court action | Total |
---|---|---|---|---|
13 | 0 | 22 | 0 | 35 |
Part 10 ‑ Privacy impact assessments and personal information banks
10.1 Privacy impact assessments
Number of privacy impact assessments completed | 12 |
Number of privacy impact assessments modified | 8 |
10.2 Personal information banks
Personal Information Banks | Active | Created | Terminated | Modified |
---|---|---|---|---|
Institution-specific | 45 | 3 | 0 | 9 |
Central | 51 | 0 | 0 | 0 |
Total | 96 | 3 | 0 | 9 |
Part 11 – Privacy breaches
11.1 Material Privacy Breaches reported
Material privacy breaches | Amount |
---|---|
Number of material privacy breaches reported to the Treasury Board of Canada Secretariat | 7 |
Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada | 7 |
11.2 Non-Material Privacy Breaches
Non-material privacy breaches | Amount |
---|---|
Number of non-material privacy breaches | 1,215 |
Expenditures | Amount | |
---|---|---|
Salaries | $13,601,272 | |
Overtime | $555,022 | |
Goods and Services | $1,155,096 | |
|
$458,068 | |
|
$697,028 | |
Total | $15,311,390 |
12.2 Human resources
Resources | Person years dedicated to privacy activities |
---|---|
Full-time employees | 158 |
Part-time and casual employees | 0 |
Regional staff | 0 |
Consultants and agency personnel | 2 |
Students | 6 |
Total | 166 |
Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act
Table 1 – Capacity to receive requests
The following table reports the total number of weeks the CRA was able to receive ATIP requests through different channels.
- | Number of weeks |
---|---|
Able to receive requests by mail | 47 |
Able to receive requests by email | 52 |
Able to receive requests through the digital request service | 52 |
Table 2.1
The following table reports the total number of weeks the CRA was able to process paper records in different classification levels.
- | No capacity | Partial capacity | Full capacity | Total |
---|---|---|---|---|
Unclassified paper records | 5 | 0 | 47 | 52 |
Protected B paper records | 5 | 0 | 47 | 52 |
Secret and top secret paper records | 5 | 0 | 47 | 52 |
Table 2.2
The following table reports the total number of weeks the CRA was able to process electronic records in different classification levels.
- | No capacity | Partial capacity | Full capacity | Total |
---|---|---|---|---|
Unclassified paper records | 0 | 0 | 52 | 52 |
Protected B paper records | 0 | 0 | 52 | 52 |
Secret and top secret paper records | 0 | 0 | 52 | 52 |
Table 3.1
The following table reports the total number of open Access to Information Act requests that are outstanding from previous reporting periods.
Fiscal year open requests were received | Open requests that are within legislated timelines as of March 31, 2022 | Open requests that are beyond legislated timelines as of March 31, 2022 | Total |
---|---|---|---|
2021–2022 | 594 | 209 | 803 |
2020–2021 | 13 | 141 | 154 |
2019–2020 | 3 | 70 | 73 |
2018–2019 | 0 | 22 | 22 |
2017–2018 | 0 | 13 | 13 |
2016–2017 | 0 | 7 | 7 |
2015–2016 or earlier | 0 | 0 | 0 |
Total | 610 | 462 | 1,072 |
Table 3.2
The following table reports the total number of open complaints with the Information Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open requests were received | Number of open complaints |
---|---|
2021–2022 | 100 |
2020–2021 | 30 |
2019–2020 | 26 |
2018–2019 | 40 |
2017–2018 | 12 |
2016–2017 | 2 |
2015–2016 or earlier | 12 |
Total | 222 |
Table 4.1
The following table reports the total number of open Privacy Act requests that are outstanding from previous reporting periods.
Fiscal year open requests were received | Open requests that are within legislated timelines as of March 31, 2022 | Open requests that are beyond legislated timelines as of March 31, 2022 | Total |
---|---|---|---|
2021–2022 | 904 | 180 | 1,084 |
2020–2021 | 0 | 46 | 46 |
2019–2020 | 0 | 38 | 38 |
2018–2019 | 0 | 1 | 1 |
2017–2018 | 0 | 0 | 0 |
2016–2017 | 0 | 0 | 0 |
2015–2016 or earlier | 0 | 0 | 0 |
Total | 904 | 265 | 1,169 |
Table 4.2
The following table reports the total number of open complaints with the Privacy Commissioner of Canada that are outstanding from previous reporting periods.
Fiscal year open requests were received | Number of open complaints |
---|---|
2021–2022 | 17 |
2020–2021 | 4 |
2019–2020 | 4 |
2018–2019 | 5 |
2017–2018 | 1 |
2016–2017 | 0 |
2015–2016 or earlier | 4 |
Total | 35 |
Table 5
The following table reports if there was authority received for a new collection of the social insurance number (SIN).
Authority received for a new collection of the social insurance number (SIN) | |
---|---|
Did your institution receive authority for a new collection or new consistent use of the SIN in 2021–2022? | Yes |
Privacy Act
Delegation Order
I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to subsection 73(1) of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties, or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.
This designation replaces all previous delegation orders.
Diane Lebouthillier
Minister of National Revenue
Signed in Ottawa, Ontario, Canada this 15th day of May, 2020
The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue under the provisions of the Privacy Act and its Regulations are:
Commissioner
- Full authority
Deputy Commissioner
- Full authority
Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer
- Full authority
Director General of the Access to Information and Privacy Directorate in the Public Affairs Branch
- Full authority
Directors in the Access to Information and Privacy Directorate of the Public Affairs Branch
- Full authority
Assistant directors, managers, technical reviewers/advisors in the Access to Information and Privacy Directorate of the Public Affairs Branch
- Full authority except for paragraphs 8(2)(j) and (m) and subsection 8(5)