2022-2023 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

In keeping with section 72 of the Privacy Act, each year the head of every Government of Canada institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act.

The following report is tabled in Parliament under the direction of the Minister of National Revenue. The report describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2022, and March 31, 2023. The report also discusses emerging trends, program delivery, and areas of focus for the year ahead.

Privacy Act

The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of, and disclose individuals’ personal information. As well, it gives individuals (or their authorized representatives) the right to access (with a few and specific exceptions), correct, and add notes to their information.

Individuals who are not satisfied with the way an institution handles their personal information or their Privacy Act request are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other ways of getting federal government information. The CRA encourages individuals and their representatives to get proactively disclosed taxpayer information through online self-service channels, such as My Account and Represent a Client. The CRA also promotes other informal channels, such as requesting information directly from the CRA through its automated and toll-free phone lines.

About the Canada Revenue Agency

Operational environment

Privacy Management Program

Monitoring compliance

Privacy impact assessments

Interpretation and explanation of Appendix A – Statistical report

Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Conclusion

Appendix A – Statistical report

Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Appendix C – Delegation order

ISSN: 2563-3465

About the Canada Revenue Agency

The Canada Revenue Agency promotes and ensures compliance with Canada’s tax legislation and regulations, and plays an important role in the economic and social well-being of Canadians. The CRA does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to partner with the provinces, territories, and other government bodies to share information, and for a fee, can administer enhanced services at the request of provinces and territories.

The minister of national revenue is accountable to Parliament for all the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Board of Management, which was established by the Canada Revenue Agency Act, is made up of 15 directors appointed by the Governor in Council. Each province nominates one director, and the territories take turns nominating one director. The other four directors include the Chair, the commissioner, and two directors nominated by the Government of Canada. The Board is responsible for overseeing the organization and the administration of the Agency, and the management of its resources, services, property, personnel and contracts. This includes the development of the corporate business plan, as well as the approval of the CRA’s departmental results report and its audited financial statements. In fulfilling this role, the Board brings a forward-looking, strategic perspective to the CRA’s administration, fosters sound management practices, and commits to delivering efficient and effective services.

As the CRA’s chief executive officer, the commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the minister of national revenue’s delegated authority. The commissioner is supported by the deputy commissioner, and together they make sure that operations are guided by the CRA’s vision to be a world-class tax and benefit administration that is trusted, fair, and helpful by putting people first. The commissioner is accountable to the minister and must assist and advise that individual with respect to legislated authorities, duties, functions, and Cabinet responsibilities. The commissioner is also an ex-officio member of the Board and is accountable to it for the daily administration of the Agency, the supervision of its employees, and the implementation of management policies.

The CRA is made up of 14 functional branches and 4 regional offices across the country:

Branches

Appeals
Assessment, Benefit, and Service
Audit, Evaluation, and Risk
Collections and Verification
Compliance Programs
Digital Transformation Program
Finance and Administration
Human Resources
Information Technology
Legal Services
Legislative Policy and Regulatory Affairs
Public Affairs
Security
Service, Innovation, and Integration

Regions

Atlantic
Ontario
Quebec
Western

Chief Privacy Officer

The assistant commissioner of the Public Affairs Branch is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the officer:

oversees decisions related to privacy, including privacy assessments
champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
reports to the CRA’s senior management quarterly on the state of privacy management at the CRA

Agency Security and Privacy Executive Council

The agency Security and Privacy Executive Council includes 14 key senior officers. The chief privacy officer and the Agency security officer are joint chairs.

The mandate of the Council is to:

facilitate a horizontal approach to oversee governance, management, and risk mitigation activities relating to security and privacy at the CRA
act as a steering committee to set the direction on privacy and security matters
recommend courses of action to the respective senior management committees

During the reporting period, the Council met three times. Some of the privacy issues it considered related to:

approaches to major privacy breaches and updates to procedures
renewal of privacy management tracking across the Agency
approval of the Privacy and Access to Information Training and Awareness Strategy
privacy risk assessment requirements and the use of privacy gating mechanisms
regulatory changes and Agency impacts

Director General Security and Privacy Committee

The Director General Security and Privacy Committee combines the governance and oversight of privacy and security matters. The Committee was formed in June 2022 and meets monthly.

The mandate of the Committee is to:

support the Agency Security and Privacy Executive Council
provide oversight and guidance on security and privacy risks and issues

During the fiscal year, nine meetings were held. Some of the privacy issues the Committee considered related to:

approaches to major privacy breaches and an update to procedures
renewal of privacy management tracking across the Agency
approval of the Privacy and Access to Information Training and Awareness Strategy
privacy risk assessment requirements and the use of privacy gating mechanisms
regulatory changes and Agency impacts

Access to Information and Privacy Directorate

The Access to Information and Privacy (ATIP) Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the ATIP Directorate:

responds to requests and questions under the Access to Information Act and the Privacy Act
responds to consultations, complaints, and informal disclosure requests
offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
reviews and, if applicable, publishes information to be proactively disclosed, including briefing note titles and committee material
gives ATIP training and awareness sessions
coordinates the privacy assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid and reduce risks
responds to and manages privacy breaches, enquiries, and complaints
communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints, and investigations
fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on administering the Access to Information Act and the Privacy Act

The director general of the ATIP Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. As well, the director general:

manages and coordinates the ATIP program
leads strategic planning and development initiatives
supports the assistant commissioner of the Public Affairs Branch and chief privacy officer of the CRA in the role of ATIP governance

The ATIP Directorate supports three main functions: processing, privacy management and the overall improvement of the directorate. Directorate employees are located in Ottawa, Montréal, and Vancouver. In the 2022–2023 fiscal year, an equivalent of 196 full-time employees and 18 consultants administered the Access to Information Act and the Privacy Act.

The following chart shows the structure of the ATIP Directorate.

Image description

First row Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer

Second row Director General of the Access to Information and Privacy Directorate

The three areas of responsibility of the Director General of the Access to Information and Privacy Directorate are listed in the three circles below. They are:

First the Privacy and Access Policy Division, Second the Access, Operations, and Analysis Division, and third, the Access to Information and Privacy Way Forward Initiative

The four areas of responsibility of the Director of the Privacy and Access Policy Division are listed in the four boxes to the right. They are: the Access to Information Policy and Governance Section, the Privacy Risk and Incident Management Section, the Program Support Section and the Privacy Policy and Governance Section.

The six areas of responsibility of the Director of the Access, Operations, and Analysis Division are listed in the six boxes at the bottom. They are: the Corporate and Complex Case Section, the Vancouver Regional Operations Section, the Montréal Regional Operations Section, the Complaints and Intake Section, the Strategic Compliance Section, and the Legislative & Headquarters Operations Case Section.

The two areas of responsibility of the Director, ATIP Way Forward Modernization Initiative are listed in the two boxes to the far right column. They are: the Business Transformation and Analytics Section, and the Innovation and System Support Section

Delegating responsibilities under the Privacy Act

As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations, and related Treasury Board of Canada Secretariat policies. Subsection 73(1) of the Privacy Act gives the minister the authority to designate one or more CRA officials to perform all or part of the minister’s powers, duties, and functions under the Act.

The Honourable Diane Lebouthillier, Minister of National Revenue, signed the CRA’s current delegation order for the Privacy Act on May 15, 2020. The order identifies specific provisions of the Privacy Act and its regulations that the Minister delegated to various positions within the CRA.

The ATIP Directorate’s director general, directors, assistant directors, managers, and reviewers approve responses to requests under the Privacy Act. Delegations are also extended to the commissioner, the deputy commissioner and the assistant commissioner of the Public Affairs Branch and chief privacy officer.

For the delegation order and schedule, see Appendix C – Delegation order.

Operational environment

As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Public Service of Canada. In addition, the CRA collects and manages the personal information of its workforce of over 52,000 individuals. Canadians trust the CRA with their personal information, and the CRA takes the protection of that information very seriously. In support of this, during the fiscal year the CRA enhanced its Identity Verification and Authorization Procedures and implemented its Privacy and Access to Information Training and Awareness Strategy.

The ATIP Directorate processes one of the largest volumes of requests and pages of any federal institution. According to the latest statistics from the Treasury Board of Canada Secretariat, in 2021–2022 the CRA processed the fourth largest volume of pages of any federal institution to respond to Privacy Act requests and closed the fourth largest number of requests.

Request volumes are at an all-time high, adding pressure on staff to increase production, reduce backlog, and improve compliance.

The number of requests the CRA received under the Privacy Act in 2022–2023 (11,572) was 32% higher than in 2021–2022 (8,763). The number of requests completed (10,960) was 28% higher than in 2021–2022 (8,558). A large proportion of requests seek personal tax information that is accessible through existing CRA self-service channels. The volume of these types of requests has grown by 174% since fiscal year 2018–2019. During the reporting period, these requests represented 78% of all requests received.

Beyond large page and request volumes, the CRA continues to respond to very complex requests. Complaints and consultations also represent a significant workload for the ATIP Directorate.

To address the large volume of requests, during the fiscal year the CRA continued to implement many Lean initiatives to modernize processes and technology with an aim to improve productivity and efficiency in the ATIP program. For more information, see the Continuous improvement initiatives section.

During this reporting period, the CRA’s operations were not affected by the COVID-19 pandemic. However, the Treasury Board of Canada Secretariat requires institutions to provide specific statistics related to any impact of COVID-19 on operations, see the Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act.

The following chart shows the trend of requests received under the Privacy Act over the past five years.

Privacy Act request trends

Image description

Privacy Act requests trend

In 2018–2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed

In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed

In 2020–2021, 4,120 requests were received, 4,023 were completed, 653,853 pages were processed

In 2021–2022, 8,763 requests were received, 8,558 were completed, 951,414 pages were processed

In 2022–2023, 11,572 requests were received, 10,960 were completed, 888,080 pages were processed

Continuous improvement initiatives

In 2022–2023, key changes made to enhance productivity and efficiency in the ATIP Directorate included implementing the following initiatives.

Level 1 request initiative

The ATIP Directorate routinely receives requests for tax information that do not require redactions (Level 1 requests) and are available through other channels. Although these requests are not complex, they represent a significant volume of labour for the ATIP Directorate. Throughout the fiscal year, the ATIP Directorate worked on a plan to redirect these requests to more efficient channels such as My Account and Represent a Client. The plan will be implemented in 2023–2024. By redirecting these types of requests to existing service channels outside of the ATIP program, the CRA will be able to focus on providing more timely responses to ATIP requests for information not readily available through other channels.

Backlog elimination plan

The ATIP Directorate has been working diligently to eliminate its backlog inventory while balancing the requirement to respond on time to a steadily increasing workload of requests received under the Access to Information Act and the Privacy Act, as well as other related inventory such as consultation files and complaints. In the fall of 2021, the ATIP Directorate put a backlog elimination plan in place to address the backlog.

Key accomplishments

The first phase involved closing all late requests that the CRA received before March 31, 2019 (186 requests). This phase was completed on September 30, 2022.
Phase 2 focused on closing the 108 late requests received between April 2019 and March 2020. This phase was completed on March 31, 2023.

Phase 3 is in progress and focuses on closing the 189 late requests received between April 1, 2020, and March 31, 2021. The CRA aims to complete this phase by December 31, 2023. Responding to requesters in a timely manner and eliminating the backlog remains an ongoing focus.

Secure drop zone

The ATIP Directorate collaborated with the Information Technology Branch on the pilot project for the secure drop zone. The secure drop zone provides a secure, standardized, single-point of delivery for the ad-hoc transmission of documents. This project aligned with the Government of Canada’s priorities of increasing digital options for external clients and supporting their digital needs.

ATIP Case Management Modernization project

During the reporting period, the ATIP Directorate worked on the implementation of the ATIP Case Management system that will be launched in 2024–2025. The solution will maintain the CRA’s ability to process ATIP requests past the life of its current aging system, while also reducing processing time and administrative work.

ATIP Online Request System

The ATIP Directorate prepared for the early 2023–2024 onboarding to the ATIP Online Request System, which is built by the Treasury Board of Canada Secretariat. The system provides ATIP requesters with a portal to submit their requests, track request progress, and receive responses. This solution improves two-way communication with requesters, reducing request holds, and turn-around times in receiving and sending ATIP request information.

E-fax migration project

The e-fax migration project delivered a new solution to enable the ATIP Directorate to convert incoming faxes into digital PDF documents. This Lean solution facilitates remote processing of correspondence.

ATIP quality assurance dashboard

The ATIP quality assurance dashboard was developed to identify trends in file processing and fix gaps in business processes. It also helps to determine training requirements.

Lean Centre of Expertise

The ATIP Directorate implemented the Lean Centre of Expertise that teaches and promotes Lean principles within the ATIP Directorate. Lean workshops were conducted with multiple teams to analyze existing business processes and identify areas of improvement. As a result of these workshops, process improvements were made that contributed to:

increased manager capacity
improved file quality through the addition of quality check points
identifying employee training and learning needs
improved monitoring and reporting

These efforts, along with ongoing leadership coaching, have been crucial to building a culture of continuous improvement.

Human resources

In 2022–2023, the ATIP Directorate launched six selection processes ranging from SP-06^{Footnote 1} to MG-06^{Footnote 2} levels, resulting in pools of qualified candidates. The CRA also participated and recruited in the multilevel ATIP Community Development Office selection process launched by the Treasury Board of Canada Secretariat.

The ATIP Directorate is committed to promoting the one-office model by recruiting the best qualified people regardless of where they are physically located in Canada. It also fully supports creating a respectful, inclusive, and diverse workplace.

Footnote 1

The abbreviation SP indicates the Services and Programs occupational group within the CRA. This group comprises positions that are mainly involved in planning, developing, assisting with, or delivering CRA policies, programs, or services, or involved in other activities directed to the public or to internal clients.

Return to footnote1 referrer

Footnote 2

The abbreviation MG indicates the Management/Gestion occupational group within the CRA. This group comprises positions that are considered a part of the organization's management team and, as such, are accountable for exercising managerial authority to accomplish the objectives of the organization, responsible for managing human resources, communicating, and promoting the corporate values and culture of the CRA, and for leading and managing change within the organization.

Return to footnote2 referrer

Protection of Personal Information Vulnerability Review

At the beginning of fiscal year 2022–2023, there were two recommendations remaining to be completed as part of the Protection of Personal Information Vulnerability Review, which was finalized in March 2021. The objectives of the review were to identify key risks relating to the protection of personal information, assess those risks, identify mitigating controls and activities, test select controls in place, and issue recommendations to strengthen control gaps.

The following recommendations were completed during the fiscal year:

Recommendation 4: The Public Affairs Branch should establish a formal quality assurance process on ATIP files to ensure quality and consistency of the application of procedures.

Status: In June 2022, the ATIP Directorate implemented the ATIP Quality Assurance Program. The quarterly reviews monitor and report on whether:

client and personal information were safeguarded at all times
all responsive records were received
ATIP requests were completed within legislative time frames
exemptions and exclusions were applied appropriately
severance was considered
consultations were conducted in a timely manner
the principles of Duty to Assist were followed

The quarterly findings, including best practices and opportunities for improvements, were documented and communicated to the directorate.

Recommendation 14: The Public Affairs Branch should update procedures to verify delivery information before mailing ATIP responses and regularly communicate these updates to employees.

Status: In August 2022, the ATIP Directorate revised the procedures manual to include the updated confirmation of address procedure and communicated the change to the processing teams.

Training

The ATIP Directorate is committed to promoting and providing ATIP training to CRA employees. This training varies depending on the needs of the employees. For instance, employees who have little or no knowledge of the subject are encouraged to take the Canada School of Public Service course called “Fundamentals of Access to Information and Privacy.” Subject matter experts are advised to take more specific training, for example, on how to provide complete recommendations in response to requests. Privacy management training is also delivered throughout the year.

The CRA’s Legal Services Branch also provides training related to the Access to Information Act and the Privacy Act.

In 2022–2023, the CRA continued to offer its suite of 10 web-based modules, which consist of specialized technical training, to ATIP Directorate employees.

During the reporting period, directorate employees participated in privacy training offered by the International Association of Privacy Professionals. Several directorate employees took part in the Association’s training to maintain their certification with the Association as information privacy professionals and as privacy managers.

The ATIP Directorate also holds regular technical review meetings. These meetings enable communication and consultation between the operations, policy, and business support teams within the directorate. The purpose of the meetings is to maintain a forum for sharing policy and process changes, Lean initiatives, and improvements to the ATIP case management system, and to provide supplementary tools.

During the reporting period, the ATIP Directorate delivered the following technical training and information sessions:

customized privacy training to over 800 Human Resource Branch employees
30 privacy awareness products on InfoZone
16 ATIP information sessions to 3,750 participants
4 teleconferences to 650 participants

As part of the CRA-wide privacy and access to information training and awareness strategy, mandatory ATIP training is being implemented for all CRA employees during the 2023–2024 fiscal year. This supports the new Treasury Board of Canada Secretariat’s policy requirements outlining that all federal government employees must receive training on their obligations related to the Access to Information Act and the Privacy Act. As required, this training will be supported by information sessions for all CRA employees.

Raising awareness

Every year, the CRA celebrates Data Privacy Week, an international initiative, which promotes awareness of the effects of technology on privacy rights and the importance of valuing and protecting personal information.

In January 2023, the CRA celebrated Data Privacy Week by hosting a CRA-wide virtual event with guest speaker Elizabeth Denham, former United Kingdom Information Commissioner and former Information and Privacy Commissioner of British Columbia. The presentation focused on technology regulation trends and how innovation can be promoted while protecting privacy.

During the reporting period, the ATIP Directorate also created and published a fact sheet on Privacy by Design. The Privacy by Design concept is a cornerstone of the CRA’s Privacy Management Framework.

The directorate also collaborated on many internal communications to further awareness, including the use of leveraging privacy cartoons published on the website of the Office of the Privacy Commissioner of Canada. Additionally, two career showcases were published on the CRA’s intranet. The showcases detail the career paths of two ATIP Directorate employees who are passionate about privacy and make it a cornerstone of their day-to-day work. A privacy pop-quiz was also published on the CRA intranet.

Throughout the year, the ATIP Directorate continued to promote awareness of the role that privacy plays in supporting sound privacy management, by participating in committees and working groups, providing advice, and regularly communicating with employees in the offices of primary interest across the CRA.

Collaborating with oversight bodies and other organizations

The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat, and other organizations to strengthen privacy at the CRA.

Beyond many collaborations referenced earlier in this report, in 2022–2023, the CRA:

communicated frequently with the Office of the Privacy Commissioner of Canada on various subjects, including privacy breaches, privacy investigations, and new or amended initiatives that involve the use of personal information
worked closely with the Treasury Board of Canada Secretariat on various items, including privacy breaches, privacy assessments, corporate policy instruments, processing software solutions for ATIP requests, Treasury Board of Canada Secretariat policy suite updates, privacy implementation notices and implementations of requirements
actively participated in initiatives launched by the ATIP Communities Development Office, including training and selection processes
collaborated with the ATIP community by sharing best practices on the subjects of security, ID validation, and authentication of ATIP requesters seeking client-specific information
co-chaired the ATIP Interdepartmental Modernization Committee. This committee identifies and pilots modernization initiatives that impact the entire ATIP community and that other agencies and departments can use to improve their processes and modernization solutions
continued to work with federal departments on an ad hoc basis to share strategies and solutions with the aim of maximizing each department’s ability to process ATIP requests and promote privacy and transparency
collaborated with other institutions including the Canada Border Services Agency and the Canada School of Public Service for the corporate mandatory ATIP training approval process
collaborated with Correctional Service of Canada to share the CRA’s internal ATIP self-paced training material
participated in the Department of Justice of Canada’s Privacy Act review inter-departmental working group

Privacy Management Program

Enhancing the privacy management program, including policies, guidelines and procedures

The privacy landscape continues to evolve significantly with ever-expanding digital technologies and automated decision-making.

In 2022–2023, in consultation with the Agency Security and Privacy Executive Council, the Director General Security and Privacy Committee, and other Agency officials, the CRA continued to enhance its privacy management framework by:

implementing an Agency-wide privacy training and awareness strategy
updating the CRA Procedures for Privacy Breaches
furthering the implementation of privacy gating mechanisms throughout the Agency

The CRA Privacy Management Framework, published in 2019–2020, is available at canada.ca/en/revenue-agency/corporate/security/privacy-management-framework.

Managing privacy breaches

One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the integrity and protection of taxpayers’ information very seriously and has strong controls in place to prevent privacy breaches. Despite the effectiveness of those controls, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.

The CRA investigates all internal and external incidents involving potentially compromised information. When a privacy breach occurs, the ATIP Directorate works closely with stakeholders to contain and manage the breach, assess the impacts to affected individuals, and identify and apply corrective measures to prevent reoccurrence.

When warranted, the CRA notifies and offers credit protection services to help individuals affected by a privacy breach.

Unauthorized access or disclosure by CRA employees

This year, the CRA’s Internal Affairs Directorate informed the ATIP Directorate of 98 incidents of improper access or disclosure of personal information by CRA employees.

Founded employee misconduct is dealt with promptly and appropriately, and any incident involving suspected criminal activity is referred to the proper authorities. All CRA employees receive mandatory and ongoing security training that highlights the importance of protecting taxpayer information. Furthermore, CRA employees are subject to its strict Code of Integrity and Professional Conduct. Employees who breach the Code can face disciplinary measures up to and including termination of employment, and a review of their security clearance.

Misdirected mail and security incidents

In 2022–2023, the CRA recorded 904 privacy breaches as a result of misdirected mail, that is, mail that was incorrectly addressed or sent to the wrong person in error.

Misdirected mail incidents occur for only 0.003% of the 110 million pieces of mail the CRA handles each year.

In addition, 223 CRA privacy breaches resulted from security incidents including, loss, theft, or improper disclosure of personal information.

Compromised credentials

Over the past few years, the CRA has noted a significant increase in the unauthorized use of taxpayer information and attempts to gain unauthorized access. This increase can likely be attributed to the CRA’s delivery of COVID-19 benefits, combined with a noticeable increase in external data breaches and cyber threats, as external bad actors tried to capitalize on a unique and lucrative set of circumstances.

The vast majority of these incidents are a result of bad actors using previously obtained personal information to indirectly alter individuals’ personal information (unauthorized creation of personal information) without directly accessing CRA accounts, for example, using CRA paper returns or CRA enquiries phone lines, or through trusted partners such as financial institutions. In these cases, no personal information has been accessed via CRA systems.

Privacy breach mitigation measures

The CRA continually strives to monitor and improve its internal processes and systems to further protect taxpayer information. This includes ongoing monitoring of employee access to taxpayer information, limiting employees’ access permissions to only the information they need to do their job, and regularly reviewing employee access to CRA systems.

In addition, the CRA has implemented additional security measures to protect the personal information of Canadians and to ensure that they can use the CRA’s online services with confidence and safety. These measures include the use of multifactor authentication for CRA login services, and proactively revoking credentials (user IDs and passwords) that may have been obtained by unauthorized third parties through a variety of external sources.

Canadians’ vigilance in protecting account information is also an essential layer of security. The CRA reminds all Canadians to change their passwords regularly and to monitor their online accounts for any signs of suspicious activity, such as: unsolicited changes to contact and banking information, changes of representatives or directors, or tax return filings resulting in refunds made on their behalf.

For more information, see Part 11 – Privacy breaches.

Updating Information about Programs and Information Holdings

Information about Programs and Information Holdings provides information about the functions, programs, activities, and related information holdings of federal government institutions subject to the Access to Information Act and the Privacy Act. This resource also offers guidance to individuals on how they can access the information that government institutions hold so they can exercise their rights under these acts.

Each institution subject to the Access to Information Act and the Privacy Act must update its chapter annually by the due date set by the Treasury Board of Canada Secretariat. In accordance with this requirement, in June 2022, the CRA published the update of its personal information bank and class of records information. The list of reading room manuals was also reviewed and updated.

The CRA's Information about Programs and Information Holdings chapter can be found at canada.ca/en/revenue-agency/corporate/about-canada-revenue-agency-cra/access-information-privacy-canada-revenue-agency/info-source-sources-federal-government-employee-information.

Key issues and actions taken on complaints

The CRA regularly communicates with the offices of the information and privacy commissioners of Canada to simplify processes and apply continuous improvement Lean methods to close complaint files as soon as possible.

During the reporting period, the CRA worked with those offices to simplify the complaint resolution process by focusing on resolving complaints at the early resolution stage. To this end, the CRA centralized the complaint resolution process. When the CRA is required to justify its rationale for the protection of specific information, it works closely with the respective offices to specify time frames.

Monitoring compliance

The ATIP Directorate produces multiple reports that capture key statistics about the CRA’s inventory of ATIP requests. The reports show active and closed requests, the status of requests by branch and region, the carry-forward inventory, complaints, and deemed refusal volumes.

Management regularly uses the reports to ensure timely processing of ATIP requests, monitor trends of frequently requested types of information, measure the directorate’s performance, and identify any process changes needed to improve performance and opportunities to make information available by other means. Management presents the reports monthly to senior management at the commissioner-chaired Corporate Management Committee.

During the reporting period, the ATIP Directorate:

improved its ability to query the ATIP database by using Power Business Intelligence software, which enabled more efficient and effective retrieval of information
developed automated reports directly linked to source data, which significantly reduced manual intervention and potential errors, and resulted in more reliable and timely reports
created new dynamic and interactive dashboards to provide stakeholders with direct and real-time access to data and statistics

These improvements aimed to enhance the efficiency, accuracy, and accessibility of information within the Agency. By using advanced technology, automating processes and providing user-friendly tools, the Agency ensured that management had access to vital data and statistics in a more timely and reliable manner.

Privacy impact assessments

In compliance with the Directive on Privacy Impact Assessment, the CRA conducts privacy impact assessments when new programs or services raise privacy issues. It also does this when changes to programs or services affect the way it collects, uses, or discloses personal information.

Summaries of completed privacy assessments

The CRA completed seven privacy impact assessments during the 2022–2023 reporting period.

As well, the CRA reviewed a significant number of initiatives to assess potential privacy impacts. This review looked at documents such as privacy assessment determination questionnaires, Treasury Board of Canada Secretariat submissions, threat-and-risk assessments, local application solutions, and written collaborative arrangements.

The CRA publishes summaries of completed privacy impact assessments at canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.

The following is an overview of the privacy assessments the CRA completed in 2022–2023.

Authentication and Credential Management V3

This privacy impact assessment provides information related to the collection and use of personal information required to access CRA external secure online program services and applications, including services from government departments that use the CRA’s authentication services.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy /privacy-impact-assessment/authentication-credential-management.

Canada Dental Benefit

This privacy impact assessment covers the administration of the Canada dental benefit. On behalf of Health Canada, the CRA is responsible for administering the Canada dental benefit until a long-term solution is in place. The Canada dental benefit is an application-based upfront payment to eligible Canadians with an adjusted family net income of less than $90,000.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue -agency/services/about-canada-revenue-agency-cra/protecting-your-privacy /privacy-impact-assessment/canada-dental-benefit.

Canada Dental Benefit V2

This privacy impact assessment has been updated to reflect program changes in how the CRA is authorized to administer the services and activities required to issue Canada dental benefit payments.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/canada-dental-benefit-v2.

Insider Risk Management (Guardian) Program – Phase 1

This privacy impact assessment focuses on the implementation of Phase I of the Guardian Program, which includes the description and analysis of the collection, use, disclosure, and retention of personal information. The Guardian Program aims to create a holistic and comprehensive continuous assurance approach to mitigating insider risks.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/insider-risk-management-guardian-program-phase1.

One-Time Top-Up to the Canada Housing Benefit

This privacy impact assessment covers the administration of the one-time top-up to the Canada housing benefit. The one-time top-up is a tax-free payment of $500 to directly support low-income renters who are experiencing housing affordability challenges.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/one-time-top-up-canada-housing-benefit.

Recovery Benefits V2.0

This privacy impact assessment has been updated to include the Canada workers lockdown benefit and reflect extended qualifying periods and enhanced validation on the application for the Canada recovery benefit, the Canada recovery caregiving benefit, and the Canada recovery sickness benefit.

Vaccination Policy for the Canada Revenue Agency

This privacy impact assessment assessed privacy risks associated with the operationalism of the Policy on COVID-19 Vaccination, describes and analyzes how an employee submits an accommodation request via Employee Self-Service, how a manager records a decision in the application, and who has access to the portal entry through direct access or a report.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/vaccination-policy-canada-revenue-agency.

Public interest disclosure

In 2022–2023, the CRA made no disclosures under section 8(2)(m) of the Privacy Act and no section 8(5) written notifications were made to the Office of the Privacy Commissioner.

Interpretation and explanation of Appendix A – Statistical report

Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2022, to March 31, 2023. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.

Notes

Some totals may be more than 100% due to rounding.

Part 1 – Requests under the Privacy Act

During the reporting period, the CRA received 11,572 new requests under the Privacy Act. This is an increase of 2,809 requests (32%) from last year’s total of 8,763 requests. Including the 1,170 requests carried forward from the 2021–2022 reporting period, the CRA had 12,742 active requests in its inventory.

The following table shows the number of requests the CRA received and closed under the Privacy Act, as well as the number of pages it processed over the past five fiscal years.

The following table shows the number of requests the CRA received and closed under the Privacy Act, as well as the number of pages it processed over the past five fiscal years
Fiscal year	Requests received	Requests closed	Pages processed
2018–2019	4,789	4,599	896,837
2019–2020	4,895	4,728	1,115,075
2020–2021	4,120	4,023	653,853
2021–2022	8,763	8,558	951,414
2022–2023	11,572	10,960	888,080

The following table shows the channels of the 11,572 requests received during the 2022–2023 reporting period.

The following table shows the channels of the 11,572requests received during the 2022–2023 reporting period.
Channel	Number of requests	Percentage
Online	9,013	77.9%
E-mail	437	3.8%
Mail	925	8.0%
In person	0	0%
Phone	7	0.01%
Fax	1,190	10.3%

Other requests and workload

Beyond the 11,572 requests received under the Privacy Act, the CRA processed a high volume of other requests. The additional volume significantly affected operations, since resources had to be diverted to manage the workload. The additional requests included external and internal consultations, general enquiries and complaints. During the fiscal year, the ATIP directorate responded to 2,630 emails, and 1,740 phone enquiries were received through the general enquiries mailbox and toll-free phone line.

Part 2 – Informal requests

The CRA did not receive or close any informal requests under the Privacy Act in 2022–2023.

Part 3 – Requests closed during the reporting period

Disposition and completion time

The CRA continues to complete a large number of requests received under the Privacy Act. The disposition of the 10,960 requests closed during the fiscal year is as follows:

5,975 were fully disclosed (54.5%)
872 were disclosed in part (8%)
1 was exempted in its entirety (0.01%)
534 resulted in no existing records (4.9%)
3,576 were abandoned by requesters (32.6%)
2 were neither confirmed nor denied (0.02%)

In 2022–2023, there were 2,402 (28%) more requests closed than in
2021–2022.

The following chart shows the completion times for the 10,960 requests closed in 2022–2023.

Completion time

Image description

Completion time

9,406 (86%) in 30 days or under

828 (8%) from 31 to 60 days

453 (4%) from 61 to 120 days

273 (2%) in 121 days or more

For more details, see Table 3.1 of Appendix A.

Exemptions

As set out in section 18 of the Privacy Act, an institution can refuse access to specific information when necessary. For example, the CRA can refuse to give a requester information about another individual if that individual has not given consent. For detailed information on each of the exemptions that may be applied, see section 18 of the Privacy Act.

In 2022–2023, the CRA applied the following exemptions, in full or in part, to the 10,960 requests closed during the reporting period:

section 19 – Personal information obtained in confidence (21 times)
section 22 – Law enforcement and investigation (259 times)
section 25 – Safety of individuals (9 times)
section 26 – Information about another individual (622 times)
section 27 – Solicitor client privilege (64 times)

Exclusions

The Privacy Act does not apply to information that is publicly available, such as information in government publications, libraries, and museums. Also, the Act does not apply to Cabinet confidences. In 2022–2023, the CRA did not apply any exclusions for information that was publicly available or a Cabinet confidence.

Format of information released

Requesters can choose to receive their response package on paper or electronically. Persons with disabilities may ask for information in alternative formats, such as braille, although the CRA did not receive any such requests this fiscal year.

Providing documents electronically is more efficient because it significantly reduces manual processes, and it is environmentally friendly and secure. There was a 3% decrease in the volume of requests sent electronically in 2022–2023 compared to 2021–2022.

In 2022–2023, of the 6,847 requests for which information was disclosed, 6,217 requests (91%) were released in electronic format.

Complexity

The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests. For example, to respond to the 10,423 requests it closed during the fiscal year (excluding requests where no records exist), the CRA processed 888,080 pages. Of these requests:

9,624 involved processing less than 100 pages
559 involved processing between 100 and 500 pages
98 involved processing between 501 and 1,000 pages
122 involved processing between 1,001 and 5,000 pages
20 involved processing more than 5,000 pages

In 2022–2023, the ATIP Directorate processed an average of 85 pages per request.

Of note, four requests involved processing more than 10,000 pages, of which one involved processing more than 45,000 pages.

In addition to paper records, the CRA also processes requests for audio and video records. In 2022–2023 there were seven requests for audio records, four of which involved processing less than 60 minutes and three involved processing over 120 minutes. Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see tables 3.5.1 to 3.5.7 of Appendix A.

Closed requests

The ATIP Directorate closed 10,271 (94%) requests within the timelines required by law. This means that it provided responses within 30 calendar days or within an extended deadline. This compliance rate accounts for a 1% increase compared to 2021–2022 and is the highest for the CRA since 2013–2014.

Deemed refusals

A deemed refusal is a request closed after the deadline of 30 calendar days, or after the extended deadline if a time extension was taken.

Of the 10,960 requests closed during the reporting period, 689 were closed after the deadline. This resulted in a deemed refusal rate of 6%.

Requests for translation

Records are normally released in their original language. However, an institution may translate records to an official language if requested, or if the institution considers a translation to be necessary so the individual can understand the information.

The CRA received and fulfilled one request for translation in 2022–2023.

Part 4 – Disclosures under subsections 8(2) and 8(5)

Subsection 8(2) of the Privacy Act states that subject to confidentiality provisions in other acts of Parliament, an institution may disclose personal information without consent for limited and specific circumstances. This is the case, for example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under subsection 8(2), the institution must notify the Privacy Commissioner of Canada.

During the reporting period, there were no disclosures of personal information under paragraph 8(2)(e) and (m) or subsection 8(5) of the Privacy Act.

Part 5 – Requests for correction of personal information and notations

Under the Privacy Act, an individual who believes their personal information contains an error or omission can ask for it to be corrected. When a request for correction has been refused, a notation must be attached to the information reflecting that a correction was requested and refused.

During the 2022–2023 reporting period, the CRA did not receive any requests to correct personal information.

Part 6 – Extensions

The Privacy Act sets the required timelines for responding to requests for personal information. The Act allows time extensions under the following circumstances:

meeting the original time limit would unreasonably interfere with operations
there is a need to consult (for example, with a government institution or another third party)
there is a need to translate or convert records into another format

Of the 10,960 requests closed in 2022–2023, the CRA applied extensions to 732 (7%) of them. It applied those extensions 96% of the time because of the workload, and because meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The CRA applied the remaining extensions because of the need for internal and external consultations, translation, and converting records into other formats.

Of the 732 extensions, 5 were for 1 to 15 days in length, and 727 were for 16 to 30 days in length.

Part 7 – Consultations received from other institutions and organizations

In 2022–2023, the ATIP Directorate received and closed one external consultation request from another Government of Canada organization. To respond to this request, the directorate reviewed two pages.

Internal consultations

In 2022–2023, 252 internal privacy consultation requests were completed, a 40% increase from the previous reporting period. To respond to these requests, the directorate reviewed a total of 4,564 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.

The following chart shows the trends for internal privacy consultation requests received over the past five years.

Internal privacy consultation trends

Image description

Internal privacy consultation trends

In 2018–2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.

In 2019–2020, 288 internal privacy consultation requests were received,10,318 pages were processed.

In 2020–2021, 105 internal privacy consultation requests were received, 5,824 pages were processed.

In 2021–2022, 180 internal privacy consultation requests were received, 2,288 pages were processed.

In 2022–2023, 252 internal privacy consultation requests were received, 4,564 pages were processed.

Part 8 – Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), Treasury Board of Canada Secretariat policies require agencies and departments to consult with their legal services office to determine if they should exclude requested information. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

In 2022–2023, the CRA did not have to consult with legal services of the Privy Council Office for Cabinet confidences.

Part 9 – Complaints and investigation notices received

In 2022–2023, the CRA received 23 complaints under the Privacy Act related to privacy requests. The complaints it received related to the following issues:

time delay (13)
non-disclosure (2)
refusal due to exemption (6)
refusal due to general reason (2)

In addition, the CRA received 39 early-resolution complaints:

5 were escalated to a formal complaint
23 were closed because the Office of Privacy Commissioner of Canada determined in the early-resolution process that there was no need to complete a formal investigation
1 was discontinued
12 were carried over to the next fiscal year

During the fiscal year, the CRA closed 26 complaints. This represents an 18% increase in the number of complaints closed compared the previous fiscal year. In addition, the CRA completed 20 early-resolution complaints.

The following chart shows the disposition of the 26 complaints closed during the fiscal year.

Complaint disposition

Image description

The following chart shows the disposition of the 20 complaints closed during the fiscal year.

Complaint dispositions

2 (8%) Not well-founded

9 (34%) Resolved

2 (8%) Discontinued

13 (50%) Well-founded

Additionally, the ATIP Directorate received 10 early-resolution and 7 formal privacy-related complaints from the Office of the Privacy Commissioner of Canada on behalf of individuals. These were not related to Privacy Act requests. The complaints received related to the following issues:

accuracy of personal information (2)
unauthorized collection of personal information (4)
unauthorized use and disclosure (11)

Of these complaints:

5 are in progress
1 was discontinued
2 were not well-founded
9 were resolved

For the definitions of disposition categories from the Office of the Privacy Commissioner of Canada, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf.

In 2022–2023, there were no complaints pursued to the Federal Court.

Part 10 – Privacy impact assessments and personal information banks

During the reporting period, the CRA sent seven privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is described in the Privacy impact assessments section of this report.

For any collection or grouping of personal information under the control of a Government of Canada institution, which has been used, is being used, or is available for use in the program or activity of an institution, a personal information bank must be created in Information about Programs and Information Holdings.

The personal information bank must state how the information is organized and retrieved (for example, by a person’s name, or by an identifying number or symbol). Personal information banks are legislated by section 10 of the Privacy Act. During the fiscal period, there were 98 active personal information banks. In the same period, two were created and two were modified.

Part 11 – Privacy breaches

The CRA follows Treasury Board of Canada Secretariat policy instruments to determine which privacy breaches meet the threshold of a material breach, requiring notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.

In October 2022, the Treasury Board of Canada Secretariat updated its privacy policy instruments, including the definition of a material privacy breach, resulting in an increase in the number of material privacy breaches that the CRA reported to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat.

This year, the CRA reported 58 material privacy breaches^{Footnote 3} to the two foregoing organizations. Of these:

13 involved unauthorized access or disclosure of taxpayer information by CRA employees
3 involved misdirected mail
14 involved security incidents, including loss and the improper disclosure of personal information
28 involved compromised business credentials, resulting in the disclosure of personal information, such as employee information

Part 12 – Resources related to the Privacy Act

Costs

During the 2022–2023 fiscal year, the ATIP Directorate’s cost to administer the Privacy Act was $16,911,722. This included $78,386.95 in credit protection services provided to individuals affected by privacy breaches. However, the cost does not include significant support and resources from CRA branches and regions. For more details, see Table 12.1 of Appendix A.

Human resources

In 2022–2023, the CRA dedicated an equivalent of 171 full-time employees to administering the Privacy Act. In addition to this, there were nine consultants and agency personnel, as well as five students. Many of the employees simultaneously administer the Access to Information Act.

Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

The following is a brief overview of the tables included in Appendix B:

Table 1: The CRA had full capacity to receive access to information and privacy requests during 2022–2023.
Table 2.1 and 2.2: The CRA had full capacity to process unclassified, Protected B, Secret, and Top-Secret paper and electronic records throughout the 2022–2023 reporting period.
Table 3.1: At the end of the fiscal year, the CRA had 1,286 Access to Information Act requests outstanding: 705 of these were within legislated timelines, while 581 were beyond legislated timelines. The CRA received 302 of these requests before 2022–2023, and it will address many of these through its backlog elimination plan.
Table 3.2: At the end of the fiscal year, the CRA had 197 open complaints with the Information Commissioner of Canada.
Table 4.1: At the end of the fiscal year, the CRA had 1,782 Privacy Act requests outstanding: 1,453 of these were within legislated timelines, while 329 were beyond legislated timelines. The CRA received 92 of these requests before 2022–2023, and it will address many of these through its backlog elimination plan.
Table 4.2: At the end of the fiscal year, the CRA had 51 open complaints with the Privacy Commissioner of Canada.
Table 5: The CRA reported that it received authority for a new collection of social insurance numbers in 2022–2023.
Table 6: During the 2022–2023 reporting period, the CRA received 40 requests from confirmed foreign nationals under the Privacy Act.

Conclusion

Despite the growing demands on the ATIP program and the ever-challenging privacy landscape, the CRA continued to make significant progress in addressing the challenges of protecting personal information and of processing Privacy Act requests. The CRA did this by:

processing ATIP requests using Lean methodology
addressing the backlog through the CRA backlog elimination plan
developing the ATIP Quality Assurance Review Plan
promoting Privacy by Design across the CRA
reporting on the state of privacy with new key performance indicators
implementing the Privacy and Access to Information Training and Awareness Strategy

In 2023–2024, the ATIP Directorate will also continue to implement the backlog elimination plan with a focus on completing phase 3, which has a planned completion date of December 31, 2023. In support of this, a key priority during the fiscal year will be to continue to develop and implement innovative solutions to address requests for taxpayer information that can be provided by more efficient channels, such as My Account, My Business Account, and Represent a Client, rather than through the Access to Information Act or the Privacy Act.

Appendix A – Statistical report

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2022 to March 31, 2023

Part 1 – Requests under the Privacy Act

1. 1 Number of formal requests

Part 1 - Requests under the Privacy Act - 1.1 Number of formal requests
		Number of requests
Received during reporting period		11,572
Outstanding from previous reporting periods		1,170
Outstanding from previous reporting period	905
Outstanding from more than one reporting period	265
Total		12,742
Closed during reporting period		10,960
Carried over to next reporting period		1,782
Carried over within legislated timeline	1,453
Carried over beyond legislated timeline	329

1.2 Channels of formal requests

Part 1 – Requests under the Privacy Act, 1.2 Channels of formal requests
Channel	Number of requests
Online	9,013
E-mail	437
Mail	925
In Person	0
Phone	7
Fax	1,190
Total	11,572

Part 2 – Informal requests

2.1 Number of informal requests

Part 2 – Informal requests - 2.1 Number of informal requests
		Number of requests
Received during reporting period		0
Outstanding from previous reporting periods		0
Outstanding from previous reporting period	0
Outstanding from more than one reporting period	0
Total		0
Closed during reporting period		0
Carried over to next reporting period		0

2.2 Channels of requests

Part 2 – Informal requests - 2.1 Number of informal requests
Channel	Number of requests
Online	0
E-mail	0
Mail	0
In Person	0
Phone	0
Fax	0
Total	0

2.3 Completion time of informal requests

Part 2 - Informal requests - 2.3 Completion time of informal requests
Completion Time (Days)
1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
0	0	0	0	0	0	0	0

2.4 Pages released informally

Part 2 - Informal requests - 2.4 ges released informally
Less than 100 pages processed		101 to 500 pages processed		501 to 1000 pages processed		1001 to 5000 pages processed		More than 5000 pages processed
Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed
0	0	0	0	0	0	0	0	0	0

Part 3 ‑ Requests closed during the reporting period

3.1 Disposition and completion time

Part 3 Requests closed during the reporting period - 3.1 Disposition and completion time
Disposition of requests	Completion Time (Days)
Disposition of requests	1 to 15	16 to 30	31 to 60	61 to 120	121 to 180	181 to 365	More than 365	Total
All disclosed	3,531	1,940	396	92	13	3	0	5,975
Disclosed in part	33	216	298	132	48	70	75	872
All exempted	0	0	1	0	0	0	0	1
All excluded	0	0	0	0	0	0	0	0
No records exist	423	65	18	24	3	1	0	534
Request abandoned	3,047	150	114	205	28	11	21	3,576
Neither confirmed nor denied	0	1	1	0	0	0	0	2
Total	7,034	2,372	828	453	92	85	96	10,960

3.2 Exemptions

Part 3 Requests closed during the reporting period - 3.2 Exemptions
Section	Number of requests	Section	Number of requests	Section	Number of requests
18(2)	0	22(1)(a)(i)	0	23(a)	0
19(1)(a)	8	22(1)(a)(ii)	2	23(b)	0
19(1)(b)	0	22(1)(a)(iii)	0	24(a)	0
19(1)(c)	12	22(1)(b)	257	24(b)	0
19(1)(d)	1	22(1)(c)	0	25	0
19(1)(e)	0	22(2)	0	26	622
19(1)(f)	0	22.1	0	27	64
20	0	22.2	0	27.1	0
21	0	22.3	0	28	0
-	-	22.4	0	-	-

3.3 Exclusions

Part 3 Requests closed during the reporting period - 3.2 Exemptions
Section	Number of requests	Section	Section
69(1)(a)	0	70(1)	70(1)(d)
69(1)(b)	0	70(1)(a)	70(1)(e)
69.1	0	70(1)(b)	70(1)(f)
-	-	70(1)(c)	70.1

3.4 Format of information released

Part 3 Requests closed during the reporting period - 3.4 Format of information released
Paper	Electronic				Other
Paper	E-record	Data Set	Video	Audio	Other
634	6,210	0	0	7	0

3.5 Complexity

3.5.1 Relevant pages processed and disclosed for paper and e-record formats

Part 3 Requests closed during the reporting period - 3.5.1 Relevant pages processed and disclosed for paper and e-record formats
Number of pages processed	Number of pages disclosed	Number of requests
888,080	715,280	10,423

3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of requests

Part 3 Requests closed during the reporting period - 3.5.2 Relevant pages processed and disclosed by request disposition for paper and e-record formats by size of requests
Disposition of requests	Less than 100 pages processed		101 to 500 pages processed		501 to 1,000 pages processed		1001 to 5,000 pages processed		More than 5,000 pages processed
Disposition of requests	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed	Number of requests	Number of pages disclosed
All disclosed	5,698	165,617	255	39,200	17	11,812	4	5,844	0	0
Disclosed in part	359	17,868	300	69,451	80	56,708	113	258,457	18	197,025
All exempted	1	8	0	0	0	0	0	0	0	0
All excluded	0	0	0	0	0	0	0	0	0	0
Request abandoned	3,564	235	4	594	1	589	5	10,878	2	53,794
Neither confirmed nor denied	2	0	0	0	0	0	0	0	0	0
Total	9,624	183,728	559	109,245	98	69,109	122	275,179	20	250,819

3.5.3 Relevant minutes processed and disclosed for audio formats

Part 3 Requests closed during the reporting period - 3.5 3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed	Number of minutes disclosed	Number of requests
632	632	7

3.5.4 Relevant minutes processed per request disposition for audio formats by size of request

Part 3 Requests closed during the reporting period - 3.5.4 Relevant minutes processed per request disposition for audio formats by size of request
Disposition of requests	Less than 60 minutes processed		60-120 minutes processed		More than 120 minutes processed
Disposition of requests	Number of requests	Minutes processed	Number of requests	Minutes processed	Number of requests	Minutes processed
All disclosed	1	18	0	0	1	198
Disclosed in part	3	47	0	0	2	369
All exempted	0	0	0	0	0	0
All excluded	0	0	0	0	0	0
Request abandoned	0	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0	0
Total	4	65	0	0	3	567

3.5.5 Relevant minutes processed and disclosed for video formats

Part 3 Requests closed during the reporting period - 3.5 3 Relevant minutes processed and disclosed for audio formats
Number of minutes processed	Number of minutes disclosed	Number of requests
0	0	0

3.5.6 Relevant minutes processed per request disposition for video formats by size of request

Part 3 Requests closed during the reporting period - 3.5.6 Relevant minutes processed per request disposition for video formats by size of request
Disposition of requests	Less than 60 minutes processed		60-120 minutes processed		More than 120 minutes processed
Disposition of requests	Number of requests	Minutes processed	Number of requests	Minutes processed	Number of requests	Minutes processed
All disclosed	0	0	0	0	0	0
Disclosed in part	0	0	0	0	0	0
All exempted	0	0	0	0	0	0
All excluded	0	0	0	0	0	0
Request abandoned	0	0	0	0	0	0
Neither confirmed nor denied	0	0	0	0	0	0
Total	0	0	0	0	0	0

3.5.7 Other complexities

Part 3 Requests closed during the reporting period - 3.5.7 Other complexities
Disposition of requests	Consultation required	Legal advice sought	Interwoven information	Other	Total
All disclosed	10	2	21	5	38
Disclosed in part	3	2	10	5	20
All exempted	0	0	0	0	0
All excluded	0	0	0	0	0
Request abandoned	2	1	5	15	23
Neither confirmed nor denied	0	0	0	0	0
Total	15	5	36	25	81

3.6 Closed requests

3.6.1 Number of requests closed within legislated timelines

Part 3 Requests closed during the reporting period - 3.6.1 Number of requests closed within legislated timelines
	Requests closed within legislated timelines
Number of requests closed within legislated timelines	10,271
Percentage of requests closed within legislated timelines (%)	93.71350365

3.7 Deemed refusals

3.7.1 Reasons for not meeting legislated timelines

Part 3 Requests closed during the reporting period - 3.7.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated timelines	Principal reason
Number of requests closed past the legislated timelines	Interference with operations/workload	External consultation	Internal consultation	Other
689	572	6	17	94

3.7.2 Number of days past legislated timeline (including any extension taken)

Part 3 Requests closed during the reporting period - 3.7.2 Number of days past legislated timeline (including any extension taken)
Number of days past legislated timeline	Number of requests past legislated timeline where no extension was taken	Number of requests past legislated timeline where an extension was taken	Total
1 to 15	152	52	204
16 to 30	72	27	99
31 to 60	69	27	96
61 to 120	72	31	103
121 to 180	17	19	36
181 to 365	38	24	62
More than 365	60	29	89
Total	480	209	689

3.8 Requests for translation

Part 3 Requests closed during the reporting period - 3.8 Requests for translation
Translation requests	Accepted	Total
English to French	1	1
French to English	0	0
Total	1	1

Part 4 ‑ Disclosures under subsections 8(2) and 8(5)

Part 4 - Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e)	Paragraph 8(2)(m)	Subsection 8(5)	Total
0	0	0	0

Part 5 – Requests for correction of personal information and notations

Part 5 – Requests to correct personal information and notations
Disposition for correction requests received	Number
Notations attached	0
Requests for correction accepted	0
Total	0

Part 6 ‑ Extensions

6.1 Reasons for extensions and disposition of requests

Part 6: Extensions 6.1 Reasons for extensions
Number of requests where an extension was taken	15(a)(i) Interference with operations				15a)(ii) Consultation			15(b) Translation purposes or conversion
Number of requests where an extension was taken	Further review required to determine exemptions	Large volume of pages	Large volume of requests	Documents are difficult to obtain	Cabinet Confidences (Section 70)	External	Internal	15(b) Translation purposes or conversion
732	3	39	640	20	0	0	2	28

6.2 Length of extensions

Part 6 Extensions - 6.2 Length of extensions
Length of extension (days)	15(a)(i) Interference with operations				15(a)(ii) Consultation			15(b) Translation purposes or conversion
Length of extension (days)	Further review required to determine exemptions	Large volume of pages	Large volume of requests	Documents are difficult to obtain	Cabinet Confidences (Section 70)	External	Internal	15(b) Translation purposes or conversion
1 à 15	0	0	2	2	0	0	1	0
16 à 30	3	39	638	18	0	0	1	28
31 days or greater	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A
Total	3	39	640	20	0	0	2	28

Part 7 – Consultations received from other institutions and organizations

7.1 Consultations received from other Government of Canada institutions and organizations

Part 7 – Consultations received from other institutions and organizations, 7.1 Consultations received from other Government of Canada institutions and organizations
Consultations	Other Government of Canada institutions	Number of pages to review
Received during reporting period	1	2
Outstanding from the previous reporting period	0	0
Total	1	2
Closed during the reporting period	1	2
Carried over to next reporting period	0	0
Carried over beyond negotiated timelines	0	0

7.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Part 7 - Consultations received from other institutions and organizations - 7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation	Number of days required to complete consultation requests
Recommendation	1 to 15	16 to 30	31 to 60	61 to 120	121 to 180	181 to 365	More than 365	Total
Disclose entirely	1	0	0	0	0	0	0	1
Disclose in part	0	0	0	0	0	0	0	0
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	1	0	0	0	0	0	0	1

7.3 Recommendations and completion time for consultations received from other organizations

Part 7 - Consultations received from other institutions and organizations - 7.3 Recommendations and completion time for consultations received from other organizations
Recommendation	Number of days required to complete consultation requests
Recommendation	1 to 15	16 to 30	31 to 60	61 to 120	121 to 180	181 to 365	More than 365	Total
Disclose entirely	0	0	0	0	0	0	0	0
Disclose in part	0	0	0	0	0	0	0	0
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other institution	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0

Part 8 – Completion time of consultations on Cabinet confidences

8.1 Requests with Legal Services

Part 8 – Completion time of consultations on Cabinet confidences 8.1 Requests with Legal Services
Number of days	Less than 100 pages processed		101 - 500 pages processed		501 - 1000 pages processed		1001 - 5000 pages processed		More than 5000 pages processed
Number of days	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

8.2 Requests with Privy Council Office

Part 8 – Completion time of consultations on Cabinet confidences 8.1 Requests with Legal Services
Number of days	Less than 100 pages processed		101 - 500 pages processed		501 - 1000 pages processed		1001 - 5000 pages processed		More than 5000 pages processed
Number of days	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed	Number of requests	Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

Part 9 ‑ Complaints and investigations notices received

Part 9 - Complaints and investigations notices received
Section 31	Section 33	Section 35	Court action	Total
23	0	26	0	49

Part 10 ‑ Privacy impact assessments and personal information banks

10.1 Privacy impact assessments

Part 10 - Privacy impact assessments and personal information banks - 10.1 Privacy impact assessments
Number of privacy impact assessments completed	4
Number of privacy impact assessments modified	3

10.2 Personal information banks

Part 10 - Privacy impact assessments and personal information banks - 10.2 Personal information banks
Personal Information Banks	Active	Created	Modified
Institution-specific	50	2	2
Central	48	0	0
Total	98	2	2

Part 11 – Privacy breaches

11.1 Material Privacy Breaches reported

Part 11 – Privacy breaches, 11.1 Material Privacy Breaches reported
Material privacy breaches	Amount
Number of material privacy breaches reported to the Treasury Board of Canada Secretariat	58
Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada	58

11.2 Non-Material Privacy Breaches

Part 11 – Privacy breaches, 11.2 Non-Material Privacy Breaches
Non-material privacy breaches	Amount
Number of non-material privacy breaches	1,167

Part 12 – Resources related to the Privacy Act

12.1 Costs

Part 12 - Resources related to the Privacy Act - 12.1 Costs
Expenditures		Amount
Salaries		$14,601,991
Overtime		$401,545
Goods and Services		$1,908,186
Professional services contracts	$952,805
Other	$955,381
Total		$16,911,722

12.2 Human resources

Part 12 - Resources related to the Privacy Act - 12.2 Human Resources
Resources	Person years dedicated to privacy activities
Full-time employees	171
Part-time and casual employees	0
Regional staff	0
Consultants and agency personnel	9
Students	5
Total	185

Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Part 1 : Capacity to receive requests

Table 1 - Capacity to receive requests
-	Number of weeks
Able to receive requests by mail	52
Able to receive requests by email	52
Able to receive requests through the digital request service	52

Part 2 : Capacity to process records under the Access to Information Act and the Privacy Act

Table 2.1 - Capacity to process paper records

Table 2.1 - Capacity to process paper records
-	Full capacity	Total
Unclassified paper records	52	52
Protected B paper records	52	52
Secret and top secret paper records	52	52

Table 2.2 - Capacity to process electronic records

Table 2.2 - Capacity to process electronic records
-	Full capacity	Total
Unclassified paper records	52	52
Protected B paper records	52	52
Secret and top secret paper records	52	52

Part 3 : Open requests and complaints under the Access to Information Act

Table 3.1 - Open requests outstanding from previous reporting periods

Table 3.1 - Open requests outstanding from previous reporting periods
Fiscal year open requests were received	Open requests that are within legislated timelines as of March 31, 2023	Open requests that are beyond legislated timelines as of March 31, 2023	Total
2022–2023	681	303	984
2021–2022	21	209	230
2020–2021	1	69	70
2019–2020	2	0	2
2018–2019 or earlier	0	0	0
Total	705	581	1,286

Table 3.2 - Open complaints with the Information Commissioner of Canada outstanding from previous reporting periods

Table 3.2 - Open complaints with the Information Commissioner of Canada outstanding from previous reporting periods
Fiscal year open requests were received	Number of open complaints
2022–2023	115
2021–2022	36
2020–2021	14
2019–2020	7
2018–2019	15
2017–2018	6
2016–2017	0
2015–2016	1
2014–2015	2
2013–2014 or earlier	1
Total	197

Part 4 : Open requests and complaints under the Privacy Act

Table 4.1 - Open requests outstanding from previous reporting periods

Table 4.1 - Open requests outstanding from previous reporting periods
Fiscal year open requests were received	Open requests that are within legislated timelines as of March 31, 2023	Open requests that are beyond legislated timelines as of March 31, 2023	Total
2022–2023	1,449	241	1,690
2021–2022	4	69	73
2020–2021	0	18	18
2019–2020	0	1	1
2018–2019 or earlier	0	0	0
Total	1,453	329	1,782

Table 4.2 - Open complaints with the Privacy Commissioner of Canada outstanding from previous reporting periods

Table 4.2 - Open complaints with the Privacy Commissioner of Canada outstanding from previous reporting periods
Fiscal year open requests were received	Number of open complaints
2022–2023	25
2021–2022	10
2020–2021	2
2019–2020	4
2018–2019	5
2017–2018	1
2016–2017	0
2015–2016	0
2014–2015	3
2013–2014 or earlier	1
Total	51

Part 5 : Authority received for a new collection of the social insurance number (SIN)

Table 5 - Authority received for a new collection of the social insurance number (SIN)
Did your institution receive authority for a new collection or new consistent use of the SIN in 2022–2023?	Yes

Part 6 : Universal Access under the Privacy Act

Table 6 - Universal access under the Privacy Act
How many requests were received from confirmed foreign nationals outside of Canada in 2022–2023?	40

Appendix C – Delegation order

Image description

Privacy Act

Delegation Order

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to subsection 73(1) of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties, or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders.

Diane Lebouthillier
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 15th day of May, 2020

The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue under the provisions of the Privacy Act and its Regulations are:

Commissioner

Full authority

Deputy Commissioner

Full authority

Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer

Full authority

Director General of the Access to Information and Privacy Directorate in the Public Affairs Branch

Full authority

Directors in the Access to Information and Privacy Directorate of the Public Affairs Branch

Full authority

Assistant directors, managers, technical reviewers/advisors in the Access to Information and Privacy Directorate of the Public Affairs Branch

Full authority except for paragraphs 8(2)(j) and (m) and subsection 8(5)

Page details

Date modified:: 2023-10-10

2022-2023 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

Privacy Act

Table of contents

About the Canada Revenue Agency

Branches

Regions

Chief Privacy Officer

Agency Security and Privacy Executive Council

Director General Security and Privacy Committee

Access to Information and Privacy Directorate

Delegating responsibilities under the Privacy Act

Operational environment

Continuous improvement initiatives

Level 1 request initiative

Backlog elimination plan

Key accomplishments

Secure drop zone

ATIP Case Management Modernization project

ATIP Online Request System

E-fax migration project

ATIP quality assurance dashboard

Lean Centre of Expertise

Human resources

Protection of Personal Information Vulnerability Review

Training

Raising awareness

Collaborating with oversight bodies and other organizations

Privacy Management Program

Enhancing the privacy management program, including policies, guidelines and procedures

Managing privacy breaches

Unauthorized access or disclosure by CRA employees

Misdirected mail and security incidents

Compromised credentials

Privacy breach mitigation measures

Updating Information about Programs and Information Holdings

Key issues and actions taken on complaints

Monitoring compliance

Privacy impact assessments

Summaries of completed privacy assessments

Authentication and Credential Management V3

Canada Dental Benefit

Canada Dental Benefit V2

Insider Risk Management (Guardian) Program – Phase 1

One-Time Top-Up to the Canada Housing Benefit

Recovery Benefits V2.0

Vaccination Policy for the Canada Revenue Agency

Public interest disclosure

Interpretation and explanation of Appendix A – Statistical report

Part 1 – Requests under the Privacy Act

Other requests and workload

Part 2 – Informal requests

Part 3 – Requests closed during the reporting period

Exemptions

Exclusions

Format of information released

Complexity

Closed requests

Deemed refusals

Requests for translation

Part 4 – Disclosures under subsections 8(2) and 8(5)

Part 5 – Requests for correction of personal information and notations

Part 6 – Extensions

Part 7 – Consultations received from other institutions and organizations

Internal consultations

Part 8 – Completion time of consultations on Cabinet confidences

Part 9 – Complaints and investigation notices received

Part 10 – Privacy impact assessments and personal information banks

Part 11 – Privacy breaches

Part 12 – Resources related to the Privacy Act

Costs

Human resources

Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act

Conclusion

Appendix A – Statistical report

Statistical report on the Privacy Act

Part 1 – Requests under the Privacy Act

1. 1 Number of formal requests

1.2 Channels of formal requests

Part 2 – Informal requests