2023-2024 Annual Report to Parliament on the Administration of the Privacy Act
Introduction
In keeping with section 72 of the Privacy Act, each year the head of every Government of Canada institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act.
The following report is tabled in Parliament under the direction of the Minister of National Revenue. The report describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2023 and March 31, 2024. The report also discusses emerging trends, program delivery, and areas of focus for the year ahead.
Privacy Act
The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of and disclose individuals’ personal information. As well, it gives individuals or their authorized representatives the right to access (with a few specific exceptions), correct, and add notes to their information.
Individuals who are not satisfied with the way an institution handles their personal information or a Privacy Act request are entitled to complain to the Privacy Commissioner of Canada.
The formal processes in the Privacy Act do not replace other ways of getting federal government information. The CRA encourages individuals and their representatives to get proactively disclosed taxpayer information through online self-services channels, such as My Account and Represent a Client. The CRA also promotes other informal channels, such as requesting information directly from the CRA through its automated and toll-free phone lines.
Table of contents
About the Canada Revenue Agency
Interpretation and explanation of Appendix A – Statistical report
Appendix A – Statistical report
Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act
ISSN: 2563-3465
About the Canada Revenue Agency
The Canada Revenue Agency promotes and ensures compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians. The CRA does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system.
In addition, the CRA has the authority to partner with the provinces, territories, and other government bodies to share information, and for a fee, can administer enhanced services at the request of provinces and territories.
The minister of national revenue is accountable to Parliament for all the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.
The Board of Management, which the Canada Revenue Agency Act established, is made up of 15 directors appointed by the Governor in Council. Each province nominates one director, and the territories take turns nominating one director. The other four directors include:
- the Chair
- the commissioner
- two directors nominated by the Government of Canada
The Board is responsible for overseeing the:
- organization and the administration of the CRA
- management of the CRA’s resources, services, property, personnel andcontracts
This responsibility includes developing the corporate business plan, and approving the CRA’s departmental results report and its audited financial statements.
In fulfilling its role, the Board:
- brings a forward-looking, strategic perspective to the CRA’s administration
- fosters sound management practices
- commits to delivering efficient and effective services
As the CRA’s chief executive officer, the commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the minister of national revenue’s delegated authority. The commissioner is accountable to the minister and must assist and advise them about legislated authorities, duties, functions, and Cabinet responsibilities.
The commissioner is also an ex-officio member of the Board and is accountable to it for the:
- daily administration of the CRA,
- supervision of its employees
- implementation of management policies
The commissioner is supported by the deputy commissioner, and together they make sure that operations are guided by the CRA’s vision to be a world-class tax and benefits administration that is trusted, fair, and helpful by putting people first.
The CRA is made up of 14 functional branches and 4 regional offices across the country:
Branches
- Appeals
- Assessment, Benefit, and Service
- Audit, Evaluation, and Risk
- Collections and Verification
- Compliance Programs
- Digital Transformation Program
- Finance and Administration
- Human Resources
- Information Technology
- Legal Services
- Legislative Policy and Regulatory Affairs
- Public Affairs
- Security
- Service, Innovation, and Integration
Regions
- Atlantic
- Ontario
- Quebec
- Western
Chief Privacy Officer
The assistant commissioner of the Public Affairs Branch is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the chief privacy officer:
- oversees decisions related to privacy, including privacy assessments
- champions personal privacy rights (for example, by managing internal privacybreaches) according to legislation and policy
- reports to the CRA’s senior management quarterly on the state of privacymanagement at the CRA
Agency Security and Privacy Executive Council
The Agency Security and Privacy Executive Council includes 14 key senior executives. The chief privacy officer and the agency security officer are joint chairs.
The mandate of the Council is to:
- facilitate a horizontal approach to oversee governance, management, and risk mitigation activities relating to security and privacy at the CRA
- act as a steering committee to set the direction on privacy and security matters
- recommend courses of action to the respective senior management committees
During the reporting period, the Council met four times. Some of the privacy issues it considered related to:
- key takeaways from the Special Report to Parliament by the Office of the PrivacyCommissioner of Canada on the findings of their investigation into the unauthorized disclosure and modification of personal information held by the CRA and Employment and Social Development Canada resulting from cyber-attacks
- internal consultations and feedback to the Department of Justice on the potentialimpacts of its proposals to modernize the Privacy Act
- issues pertaining to the reporting and handling of major privacy breaches andregulatory investigations
- key Treasury Board of Canada Secretariat updates, including a new privacyimplementation notice on de-identification, a newly published digital privacyplaybook tool, and highlights from a joint Office of the Privacy Commissioner andTreasury Board of Canada Secretariat webinar about privacy considerationswhen collecting publicly available information
Director General Security and Privacy Committee
The Director General Security and Privacy Committee is a director general level committee, co-chaired by the Public Affairs Branch and the Security Branch. The Committee was formed in June 2022 and meets monthly.
The mandate of the Committee is to:
- support the Agency Security and Privacy Executive Council
- provide oversight and guidance on security and privacy risks and issues
During the fiscal year, ten meetings were held. Some of the privacy issues the Committee considered related to:
- making the Canada School of Public Servants ATIP Fundamentals coursemandatory for CRA employees
- the Office of the Privacy Commissioner of Canada’s consultation on a new draft guidance on biometric technologies
- the roles of communication, training, and onboarding products to affirm security and privacy rules and mitigate the risk of privacy incidents
Access to Information and Privacy Directorate
The Access to Information and Privacy (ATIP) Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the ATIP Directorate:
- responds to requests under the Access to Information Act and the Privacy Act
- responds to enquires, consultations, complaints, and informal disclosure requests
- offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
- reviews and, if needed, publishes information to be proactively disclosed,including briefing note titles and committee material
- gives ATIP training awareness sessions
- coordinates the privacy assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid and reduce risks
- responds to and manages privacy breaches, enquiries, and complaints
- develops corporate policy instruments, procedures and practices related to the Access to Information Act and the Privacy Act
- communicates with the Treasury Board of Canada Secretariat and the offices ofthe information and privacy commissioners of Canada about policy and legislative requirements, complaints, and investigations
- fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to parliament on the administration of the Access to Information Act andthe Privacy Act
- produces multiple reports that capture key statistics about the CRA’s inventory ofATIP requests and key privacy performance indicators to assess, monitor and improve upon our access to information and privacy programs
The director general and deputy chief privacy officer of the ATIP Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. As well, they are responsible for:
- managing and coordinating the ATIP program
- leading strategic planning and development initiatives
- supporting the assistant commissioner of the Public Affairs Branch and chief privacy officer of the CRA in the role of ATIP governance
The ATIP Directorate supports three main functions:
- processing,
- privacy management
- the overall improvement of the directorate
Directorate employees are mainly located in Ottawa, Montréal, and Vancouver. In the 2023–2024 fiscal year, an equivalent of 233 full-time employees and 12 consultants administered the Access to Information Act and the Privacy Act at the CRA.
The following chart shows the structure of the ATIP Directorate.
Image description
First row Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer
Second row Director General of the Access to Information and Privacy Directorate
The three areas of responsibility of the Director General of the Access to Information and Privacy Directorate are listed in the three boxes below. They are:
First the Privacy and Access Policy Division, Second the Access, Operations, and Analysis Division, and third, the Business Transformation and Support DivisionThe four areas of responsibility of the Director of the Privacy and Access Policy Division are listed in the four boxes to the right. They are: the Privacy Risk Management Section, the Access to Information Policy and Governance Section, the Privacy Breach Management Section and the Privacy Policy and Governance Section.
The six areas of responsibility of the Director of the Access, Operations, and Analysis Division are listed in the six boxes at the bottom. They are: the Corporate and Complex Case Section, the Vancouver Regional Operations Section, the Strategic Compliance Section, the Montréal Regional Operations Section, the Legislative & Headquarters Operations Case Section and the Complaints and Intake Section.
The three areas of responsibility of the Director, Business Transformation and Support Division are listed in the three boxes to the far right column. They are: the Business Transformation and Analytics Section, the Innovation and system Support Section and the Program Support Section.
Delegating responsibilities under the Privacy Act
As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations, and related Treasury Board of Canada Secretariat policies. Subsection 73(1) of the Privacy Act gives the minister the authority to designate one or more CRA officials to perform all or part of the minister’s powers, duties, and functions under the Act.
The Honourable Marie-Claude Bibeau, Minister of National Revenue, signed the CRA’s current delegation order for the Privacy Act on December 15, 2023. The order identifies specific provisions of the Privacy Act and its regulations that the Minister delegated to various positions within the CRA.
The ATIP Directorate’s director general, directors, assistant directors, managers, analysts and senior analysts have been delegated to exercise certain powers, duties and functions of the minister under the provision of the Act and related regulations set out in the schedule.
For the delegation order and schedule, see Appendix C – Delegation order.
Operational environment
As the chief administrator of federal, provincial, and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Public Service of Canada. In addition, the CRA collects and manages the personal information of its workforce of over 54,000 individuals. Canadians trust the CRA with their personal information, and the CRA takes the protection of that information very seriously.
The ATIP Directorate processes one of the largest volumes of requests and pages of any federal institution. According to the latest statistics from the Treasury Board of Canada Secretariat, in 2022–2023 the CRA:
- processed the fourth largest volume of pages of any federal institution to respondto Privacy Act requests
- closed the fourth largest number of requests
Request volumes are at an all-time high, adding pressure on staff to increase production, reduce backlog, and improve compliance.
The number of requests the CRA received under the Privacy Act in 2023–2024 (12,502) was 8% higher than in 2022–2023 (11,572). The number of requests completed (12,194) was 11% higher than in 2022–2023 (10,960). A large proportion of requests seek personal tax information that is accessible through existing CRA self-service channels. The volume of these types of requests has grown by 211% since fiscal year 2018–2019. During the reporting period, these requests represented 85% of all requests received under the Privacy Act.
Beyond large page and request volumes, the CRA continues to respond to very complex requests. Complaints and consultations also represent a significant workload for the ATIP Directorate.
During the fiscal year, to address the significant workload and the large volume of requests, the CRA continued to implement many Lean managementFootnote 1 initiatives to modernize processes and technology with an aim to improve productivity and efficiency in the ATIP program.
For more information, see the continuous improvement initiatives section.
The following chart shows the trends of requests received under the Privacy Act over the past five years.
Image description
Privacy Act requests trend
In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed
In 2020–2021, 4,120 requests were received, 4,023 were completed, 653,853 pages were processed
In 2021–2022, 8,763 requests were received, 8,558 were completed, 951,414 pages were processed
In 2022–2023, 11,572 requests were received, 10,960 were completed, 888,080 pages were processed
In 2023–2024, 12,502 requests were received, 12,194 were completed, 1,019,583 pages were processed
Continuous improvement initiatives
The ATIP Directorate continued to foster a culture of continuous improvement by promoting Lean mindsets and behaviours, which lead to significant process improvements. These improvements included completing process reviews that standardized the processing of client file and the manner in which regional offices managed their workload. These efforts empowered employees, supported management in leading change, strengthened the monitoring of projects and overall efficiency within the directorate.
In 2023–2024, key changes that enhanced productivity and efficiency in the ATIP Directorate included the following initiatives.
Fast Track Redirect Pilot
The ATIP Directorate developed a plan to initiate the fast track redirect pilot in 2024–2025. This pilot will redirect requests to CRA’s My Account when requesters are seeking the following information:
- proof of income statements from the past three assessed years
- notices of assessment
- benefits information
By doing this, the CRA seeks to improve efficiency and reduce processing times, thereby improving service to requesters.
Backlog elimination plan
Through the CRA’s ATIP backlog elimination plan, the CRA has been working diligently to reduce its ATIP backlog inventory.
Since starting the plan in the 2021–2022 fiscal year, the CRA:
- eliminated 722 aged backlog files
- reduced the average age of late files from 429 days late to 265 days late
While processing this backlog the ATIP Directorate strived to respond on time to a steadily increasing workload of requests and related complaints and consultations.
Secure drop zone
The secure drop zone project provides a secure, standardized, single point of delivery to transmit documents to external requesters, as needed. This project aligns with the Government of Canada’s priorities of increasing digital options for external clients and supporting their digital needs.
The ATIP Directorate collaborated with the Information Technology Branch and the Collections and Verifications Branch on the secure drop zone pilot project.
ATIP case management modernization
During the reporting period, the CRA worked to implement a new ATIP case management system that it will launch in 2024–2025. The new system, ATIPXpress, will:
- maintain the CRA’s ability to process ATIP requests past the life of its currentaging system
- reduce processing times and administrative work using automation features
The CRA developed and executed a robust plan, comprised of communications, training, and change management to support the implementation. The collaborative action of stakeholders across the CRA, such as a change agent network, offices of primary interest, and pilot users, was instrumental throughout this process.
ATIP Online Request System
In March 2023, the ATIP Directorate launched the ATIP Online Request System built by the Treasury Board of Canada Secretariat. The system provides ATIP requesters with a portal to:
- submit their requests
- track the progress of their requests
- receive responses
A comparative analysis of the data collected before and after launch found:
- a decrease in relying on physical formats
- faster processing times
- improved communication with requesters
Adobe Premiere Elements for video processing
In 2023–2024, the ATIP Directorate started using Adobe Premiere Elements, a video editing software, to support the ATIP process. With this software, the directorate can review and process video records.
ATIP digital mail project
The ATIP Digital Mail Project will help digitize the paper mail requests the ATIP Directorate receives. Modernizing practices to manage requests will benefit both the CRA and its clients because it will increase access to information and improve the CRA’s ability to address requests.
During the reporting period, the ATIP Directorate worked closely with Veteran Affairs Canada and with Public Service and Procurement Canada’s Document Imaging Solutions Centre and Pension Centre, on the development of the ATIP Digital Mail Project. The CRA will launch this project in 2024–2025.
Human resources
In 2023–2024, the ATIP Directorate launched two selection processes open to CRA and Government of Canada employees at the SP-08Footnote 2 and SP-09 levels, resulting in pools of qualified candidates.
The CRA also participated in the multilevel ATIP Communities Development Office selection process launched by the Treasury Board of Canada Secretariat. The ATIP Directorate is committed to promoting the one-office model by recruiting the best qualified people regardless of where they are physically located in Canada. It also fully supports creating a respectful, inclusive, and diverse workplace.
Organizational changes
To better address the everchanging privacy landscape and ensure a culture of continuous improvement, the ATIP Directorate has undergone some organizational changes in 2023–2024.
The ATIP Directorate originally formed the ATIP Way Forward Initiative, a temporary project team designated to modernize ATIP processes and technology. Over the past two years, the work of the team has immensely helped the directorate respond to requests with more efficiency. To ensure continuous improvement, it was critical that the work of this team transition from a project-based structure to a permanent one. In support of this, the new Business Transformation and Support Division was created. There are three sections under this division:
- Business Transformation and Analytics Section
- Program Support Section
- Innovation and System Support Section
Additionally, to address the volume of work that has resulted from the ever-changing privacy landscape, a new section was created in the Privacy and Access Policy Division. This section is dedicated to the sound management of privacy breaches within the CRA. This new section is called the Privacy Breach Management Section.
And finally, the Director General’s title was expanded to include the Deputy Chief Privacy Officer function.
Training
The CRA is committed to promoting and providing ATIP training to CRA employees. The following is a summary of training activities the CRA completed in 2023–2024.
Mandatory training
As of September 2023, all CRA employees must complete the Canada School of Public Service course Access to Information and Privacy Fundamentals (COR502). They must retake it every five years so they retain the knowledge. This ensures that all CRA employees have the required knowledge to properly respond to ATIP requests and protect and manage personal information.
This mandatory training supports the Treasury Board of Canada Secretariat’s policy requirements outlining that all federal government employees must receive training on their obligations related to the Access to Information Act and the Privacy Act.
Quarterly information sessions
During the fiscal year, the ATIP Directorate provided eight quarterly information sessions in English and French to a total of 1,975 participants.
Technical review meetings
The ATIP Directorate held monthly technical review meetings to enable communication and consultation between the operations, policy, and business support teams within the directorate. The purpose of the meetings is to maintain a forum for:
- sharing policy and process changes
- sharing lean initiatives
- sharing improvements to the ATIP case management system
- providing supplementary tools
Quarterly teleconferences with the office of primary interest
During the reporting period, 873 CRA employees participated in quarterly teleconferences with the office of primary interest to assist them in their roles as ATIP contacts. This teleconferences ensured continued awareness and consistency in how the CRA applies processes across the organization.
Targeted training
The ATIP Directorate provided targeted access to information training to 158 participants in 5 separate CRA areas. This training varied depending on the needs of the programs and included topics such as how to:
- conduct a reasonable search
- provide complete recommendations in response to requests
The ATIP Directorate also delivered privacy training to over 583 Human Resource Branch employees during one of their HR Connected events. These events are quarterly informal training sessions, organized by and for Human Resources Branch employees, covering a variety of subjects.
Web-based modules
The CRA continued to offer its suite of 10 web-based modules of specialized technical training to ATIP Directorate employees.
ATIP quality assurance program
The ATIP quality assurance program identifies trends in file processing and fixes gaps in business processes. Its findings have helped develop training and awareness material to improve the quality of the service provided.
In 2023–2024, training on the consistent application of procedures, such as conducting a reasonable search, was presented to ATIP Directorate employees and offices of primary interest.
Raising awareness
Every year, the CRA celebrates Data Privacy Week, an international initiative which promotes awareness of the effects of technology on privacy rights and the importance of valuing and protecting personal information. In January 2024, the CRA celebrated Data Privacy Week by hosting a CRA-wide virtual event with guest speaker Ignacio Cofone, associate professor and the Canada Research Chair in Artificial Intelligence Law and Data Governance at McGill University’s faculty of law. The presentation focused on technology regulation trends and how innovation can be promoted while protecting privacy.
Beyond Data Privacy Week events, the directorate also collaborated on many internal communications to increase awareness, including the publication of a personal information infographic and a Privacy by Design quiz. A series of videos about privacy breaches were also released throughout the year.
Additionally, three career showcases were published on the CRA’s intranet. The showcases detail the career path of ATIP Directorate employees who are passionate about privacy and make it a cornerstone of their day-to-day work.
Throughout the year, the ATIP Directorate continued to promote awareness of the role that privacy plays in supporting sound privacy management by participating in committees and working groups, providing advice, and regularly communicating with employees in the offices of primary interest across the CRA.
Collaborating with oversight bodies and other organizations
The CRA continues to share strategies and solutions with other federal departments with the aim of maximizing each department’s ability to process ATIP requests and promote privacy and transparency.
As well, the CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat, and other organizations to strengthen privacy management at the CRA.
In 2023–2024, the CRA:
- communicated frequently with the Office of the Privacy Commissioner of Canadaon various subjects, including privacy breach management, privacy investigations, and new or amended initiatives that involve the use of personal information
- worked closely with the Treasury Board of Canada Secretariat on various items, including privacy breaches, privacy assessments, corporate policy instruments, and processing software solutions for ATIP requests
- actively participated in initiatives launched by the ATIP Community Development Office, including training and recruitment
- collaborated with the ATIP community by sharing best practices on security, ID validation, and authentication of ATIP requesters seeking client-specific information
- co-chaired the ATIP Interdepartmental Modernization Committee, which identifies and pilots modernization initiatives that affect the ATIP community
- participated in an inter-departmental working group for the Department of Justice of Canada’s Privacy Act review
- participated in the ATIPXpress sub working group to make sure the system was ready and lessen any challenges in launch ATIPXpress
- participated with Employment and Social Development Canada in E-Link Risk Workshops meant to identify and explore possible fraud risks, vulnerabilities, and gaps to improve protections
Privacy management
Strengthening the Privacy Management Framework
The privacy landscape continues to evolve significantly with ever-expanding digital technologies and automated decision-making.
In 2023–2024, the CRA continued to improve its privacy management frameworkFootnote 3 by:
- updating a CRA-wide privacy training and awareness strategy which includes mandatory privacy training for all employees
- revising the privacy dashboard and key performance indicators which track andmonitor key privacy metrics
- providing privacy advice and guidance as members of a CRA working group established to develop a strategy for using new and emerging artificialintelligence, such as ChatGPT
Standing Committee on Access to Information, Privacy, and Ethics
The CRA was one of 13 institutions invited to appear before the Standing Committee on Access to Information, Privacy, and Ethics (ETHI) as part of their study titled Federal Governments Use of Technological Tools Capable of Extracting Personal Data from Mobile Devices and Computers. The Director General of the Criminal Investigations Directorate and the Director General of the ATIP Directorate were witnesses on behalf of the CRA and told the committee that the CRA does not use spyware. The CRA uses digital extraction tools in criminal investigations only with proper judicial authorization. Furthermore, the CRA had previously completed a privacy impact assessment in 2016 for the Criminal Investigations Program which was also updated in 2023–2024. For more information, see the “Privacy impact assessment” section.
Office of the Privacy Commissioner of Canada special report to Parliament
On February 15, 2024, the Office of the Privacy Commissioner of Canada released a Special Report to Parliament on the findings of its investigation into the unauthorized disclosure and modification of personal information held by the CRA and Employment and Social Development Canada resulting from cyberattacks.
The report outlines the Office of the Privacy Commissioner of Canada’s findings related to the actions taken by the CRA and other government departments in response to the cyberattacks and provides the Office’s formal recommendations to mitigate the risks of similar incidents occurring in the future.
The CRA has made significant progress in addressing the recommendations of the Office of the Privacy Commissioner of Canada. Immediately following the discovery of the 2020 cyber-attacks, the CRA began reviewing its systems and controls, and it began implementing various system improvements, security measures, processes, governance, and organizational changes.
The CRA continues to work closely with internal and external stakeholders through a variety of internal and interdepartmental working groups to fully address the recommendations within the prescribed timeframes.
The special report to Parliament can be found at priv.gc.ca/en/opc-actions-and-decisions/ar_index/202324/sr_pa_20240215_gckey.
Privacy Breach Management
One of the corner stones of Canada’s tax system is the trust taxpayers place in the CRA to safeguard their personal information. The CRA takes the integrity and protection of taxpayers’ information very seriously and has strong controls in place to prevent privacy breaches. Despite the effectiveness of those controls, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of Canada’s tax system.
The CRA investigates all internal and external incidents involving potentially compromised information. When a privacy breach occurs, the ATIP Directorate works closely with stakeholders to contain and manage the breach, assess the impacts to affected individuals, and identify and apply corrective measures to prevent reoccurrence.
When warranted, the CRA proactively protects taxpayer accounts, notifies individuals affected by a privacy breach, and offers credit protection services to help further protect their personal information.
Unauthorized access or disclosure by CRA employees
This year, the CRA’s Security Branch informed the ATIP Directorate of 84 incidents of improper handling of personal information by CRA employees.
Confirmed employee misconduct is dealt with promptly and appropriately, and any incident involving suspected criminal activity is referred to the proper authorities. All CRA employees receive mandatory and ongoing security training that highlights the importance of protecting taxpayer information. Furthermore, CRA employees are subject to its strict Code of Integrity and Professional Conduct. Employees who breach the Code can face disciplinary measures, such as a review of their security clearance or termination of employment.
Misdirected mail and security incidents
In 2023–2024, the CRA recorded 1,008 privacy breaches as a result of misdirected mail, which is mail that was incorrectly addressed or sent to the wrong person in error.
Misdirected mail incidents occur for only 0.003% of the 95 million pieces of mail the CRA handles each year.
In addition, 309 CRA privacy breaches resulted from security incidents including loss, theft, or improper disclosure of personal information.
Unauthorized use of taxpayer information by a third party
In 2023–2024, the CRA recorded 72 privacy breaches as a result of the unauthorized use of taxpayer information by a third party. These breaches occur when an external threat actor uses elements of personal information, likely obtained from external sources, to attempt to access, alter, or create personal taxpayer information.
The CRA continues to note an increase in these types of incidents. This can likely be attributed to the unique and lucrative set of circumstances caused by the CRA’s distribution of emergency benefits to taxpayers at the beginning of the COVID-19 pandemic. These circumstances have made the CRA an attractive target to external threat actors attempting to continue to take advantage of the benefits and refunds the CRA administers.
In cases where the CRA becomes aware of suspicious account activity, accounts are proactively protected and individuals are informed, as required.
Privacy breach mitigation measures
The CRA continually strives to monitor and improve its internal processes and systems to further protect taxpayer information, limiting employees’ access permissions to only the information they need to do their job and regularly reviewing employee access to CRA systems.
In addition, the CRA has implemented additional security measures, such as multifactor authentication, to protect the personal information of taxpayers and make sure they can use the CRA’s online services with confidence and safety.
Taxpayers’ vigilance in protecting account information is also an essential layer of security. The CRA reminds all taxpayers to change their passwords regularly and to monitor their online accounts for any signs of suspicious activity, such as unsolicited changes to contact and banking information, changes of representative or directors, or tax returns filed on their behalf and resulting in refunds.
For more information on material privacy breaches see Interpretation and explanation of Appendix A – Statistical report.
Updating Info Source
Info Source provides information about the functions, programs, activities, and related information holdings of federal government institutions subject to the Access to Information Act and the Privacy Act. This resource also offers guidance to individuals on how they can access the information that government institutions hold so they can exercise their rights under these acts.
Each institution subject to the Access to Information Act and the Privacy Act must update its chapter annually by the due date set by the Treasury Board of Canada Secretariat. In accordance with this requirement, in June 2023, the CRA published the updates of its personal information banks and classes of records information. It also reviewed and updated the list of reading room manuals.
The CRA’s Info Source chapter can be found at canada.ca/cra-info-source.
Monitoring compliance
The ATIP Directorate produces several reports that capture key statistics about the CRA’s inventory of ATIP requests. The reports show:
- active and closed requests
- the status of requests by branch and region
- the carry-forward inventory
- complaints
- deemed refusal volumes
Management regularly uses the reports to:
- ensure timely processing of ATIP requests
- monitor trends of frequently requested types of information
- measure the directorate’s performance
- identify opportunities to improve performance
- promote the availability of information by other means
Management presents the reports monthly to senior management at the commissioner-chaired Corporate Management Committee.
During the reporting period, the ATIP Directorate:
- implemented the use of a new visual management dashboard for better datadriven decision-making
- shifted the focus from query-driven reporting to trend analysis, enabling thedirectorate to proactively identify areas for improvement and optimize resources
- established a data-quality framework, including data validation, verification andreconciliation process, to ensure data accuracy and consistency
These improvements aimed to enhance forecasting, understand workload and resource management, and quality of information within the directorate.
Key issues and actions taken on complaints
The CRA regularly communicates with the offices of the information and privacy commissioners of Canada to simplify processes and apply continuous improvement Lean methods to close complaint files as soon as possible. During the reporting period, the CRA worked with these offices to simplify the complaint resolution process by focusing on resolving complaints at the early resolution stage. To this end, the CRA centralized the complaint resolution process.
The CRA specifically addressed complaints by:
- sharing a new reasonable commitment date for response with the commissionersin cases where the CRA failed to respond to a request within the prescribed date
- conducting thorough investigations to confirm a reasonable search for recordswas completed. A detailed rationale was provided to the commissioners detailingthe searches and whether they were successful or whether the records did not exist
- reviewing the analysis of the records to determine if it should maintain anexemption or release the information. Following the review, in cases where the CRA determines it improperly applied an exemption, a supplemental disclosure package is provided to the commissioners and the complainant
- reviewing the process of a refused request in order to provide further direction regarding the information or actions required to proceed with the initial request
- providing a new copy of the records in the requested format
For more information on complaints, see Part 9 – Complaints and investigation notices received.
Public interest disclosure
In 2023–2024, the CRA made no disclosures under paragraph 8(2)(m) of the Privacy Act and sent no written notifications to the Office of the Privacy Commissioner under subsection 8(5).
Privacy impact assessments
In compliance with the Directive on Privacy Impact Assessments, the CRA conducts privacy impact assessments when new programs or services raise privacy issues. It also does this when changes to programs or services affect the way it collects, uses, or discloses personal information.
Summaries of completed privacy impact assessments
The CRA completed 17 privacy impact assessments during the 2023–2024 reporting period.
As well, the CRA reviewed a significant number of initiatives to assess potential privacy impacts. These reviews looked at documents such as privacy assessment determination questionnaires, Treasury Board of Canada Secretariat submissions, threat-and-risk assessments, local application solutions, contracts, and written collaborative arrangements.
The CRA published summaries of completed privacy impact assessments at canada.ca/en/revenue-agency/services /about-canada-revenue-agency-cra/protecting-your-privacy /privacy-impact-assessment.
The following is an overview of the privacy assessments the CRA completed in 2023–2024.
Anonymous Internal Fraud and Misuse Reporting Line V4
This privacy assessment covers the initiative that provides individuals with a communication channel to report suspected internal fraud and misuse through the CRA Anonymous Internal Fraud and Misuse Reporting Line, which is administered by an independent third-party contractor. The privacy impact assessment has been updated to include the creation of the Security Branch and the renaming of two internal divisions.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/anonymous-internal-fraud-misuse-reporting-line-v4.
Business Intelligence and Compliance Risk Assessment V2
This privacy impact assessment focuses on the business intelligence and compliance risk assessment systems that support the reporting compliance programs to achieve better compliance outcomes. This privacy impact assessment has been updated to include minor housekeeping changes and system improvements.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/business-intelligence-compliance-risk-assessment-v2.
Common Reporting Standard Income Tax Act Part XIX V2
The Common Reporting Standard is an international standard for the automatic exchange of financial account information between tax administrations to use in fighting tax evasion and to promote voluntary compliance with tax laws. Canada and close to 100 other jurisdictions are committed to its implementation. This privacy impact assessment has been updated to include new program activities, systems used within the program, and users of the personal information.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/common-reporting-standard-income-tax-act-partxix-v2.
COVID-19 Subsidy Initiatives for Business Entities
The privacy impact assessment covers seven subsidies initiatives that have been implemented to assist with the Canadian economy by temporarily supporting wage and rent expenses for certain businesses, charities, and non-profits in Canada between March 15, 2020 and May 7, 2022.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/covid-19-subsidy-initiatives-business-entities.
Criminal Investigations Program V2
This privacy impact assessment identifies and assesses privacy risks to personal information related to the Criminal Investigations Program investigating persons suspected of committing tax evasion and tax fraud and referring appropriate cases to the Public Prosecution Service of Canada. This privacy impact assessment has been updated to include the implementation of a virtual private network.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/criminal-investigations-program-v2.
Excise and Specialty Tax Program
This privacy impact assessment covers how the Excise and Specialty Tax Program collects, uses, transfers, and safeguards personal information relating to the fuel charge, tobacco, vaping, alcohol, and cannabis stamping system, and tobacco, vaping, alcohol, and cannabis licensing and registration.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/excise-and-specialty-tax-program.
Good and Services Tax / Harmonized Sales Tax (GST/HST) Credit and Related Benefits and Credits V2
This privacy impact assessment covers the GST/HST credit, which is a tax-free quarterly payment that helps individuals and families with low or modest incomes offset all or part of the GST/HST they pay. This privacy impact assessment has been updated to include changes to various provincial incentive programs.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/goods-services-tax-harmonized-sales-tax-gst-hst-credit-related-benefits-v2.
Income Verification Services V4
This privacy impact assessment focuses on the automated income verification service provided by the CRA to federal, provincial, territorial, and municipal government entities, allowing the other entity to use the income verification process to administer their income-tested program or service. This privacy impact assessment has been updated to include new income verification partners that have been added to the program at the federal and municipal levels, and some exchanges with provincial partners have sunset.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/income-verification-services-v4.
Individual Returns Assessment Program V3
This privacy impact assessment identifies and assesses the privacy risks to personal information from processing individual taxpayer income tax returns for the federal and for most provinces and territories. This privacy impact assessment has been updated to include the collection of consent for the purpose of sharing an individual’s contact information so that those where it is applicable may receive information regarding their provincial or territorial organ and tissue registry.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-returns-assessment-program-v3.
Leads Program V3
This privacy impact assessment covers the Leads Program which gives the public the opportunity to come forward and anonymously report suspected cases of noncompliance with the tax laws administered by the CRA. This privacy impact assessment has been updated to include five significant program improvements.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/leads-program-v3.
Monitoring of Electronic Access to Taxpayer Information V3
This privacy impact assessment addresses the CRA’s monitoring of internal electronic access to taxpayer information to prevent, monitor, and detect internal fraud or misuse and unauthorized access to electronic taxpayer information.
This privacy impact assessment has been updated to include new sources of personal information, and employees involved in the monitoring were provided access to a product that would help detect risks of collusion and corruption in addition to flagging user actions that appear suspicious.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/monitoring-of-electronic-access-to-taxpayer-information-v3.
One-Time Top-Up to the Canada Housing Benefit V2
This privacy impact assessment covers the administration of the one-time top-up to the Canada housing benefit. This one-time top-up is a tax-free payment of $500 to directly support low-income renters who are experiencing housing affordability challenges. This privacy impact assessment has been updated to reflect the evolution of the program’s implementation and roll-out.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/one-time-top-up-canada-housing-benefit-v2.
Registered Disability Savings Plan V2
This privacy impact assessment focuses on the registered disability savings plan, part of the federal government’s Canada Disability Savings Program and the Canada Disability Savings Grant and Bond Incentives Program, which is to help parent and others save for the long-term financial security of persons with severe and prolonged disabilities. This privacy impact assessment has been updated to include new disclosure of personal information which the CRA has on file, to the financial institutions that administers registered disability savings plans.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/registered-disability-savings-plan-v2.
Scientific Research and Experimental Development V4
This privacy impact assessment covers the Scientific Research and Experimental Development Program, which is a federal tax incentive program designed to encourage Canadian businesses of all sizes and in all sectors to conduct scientific research and experimental development in Canada. This privacy impact assessment has been updated to include new technological tools, web applications, and service to taxpayers.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/scientific-research-experimental-development-v4.
Tax Appeals to the Court Program
This privacy impact assessment addresses the deployment of a portal for the secure (Protected B) sharing of documents with the Department of Justice employees who represent the CRA before the federal courts on appeal matters.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/tax-appeals-court-program.
Voluntary Disclosures Program V2
This privacy impact assessment covers the Voluntary Disclosures Program which encourages taxpayers to voluntarily come forward and correct any previous errors or omissions in their tax affairs and comply with their legal obligations. This privacy impact assessment has been updated to include new systems to record, track, and manage voluntary disclosures and updated processes related to internal mail.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/voluntary-disclosure-program-v2.
Workload Development and Business Intelligence: Business Compliance Programs
This privacy impact assessment outlines the activities of the Workload Development and Business Intelligence Section to gain an understanding of taxpayer behavior. This privacy impact assessment has been updated to include the use of information from the Third-Party Data Repository to analyze risks, identify taxpayer and business information that needs to be reviewed, and extract business intelligence.
For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/workload-development-business-intelligence-business-compliance-programs.
Interpretation and explanation of Appendix A– Statistical report
Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2023 to March 31, 2024. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.
Note: Some totals may add up to more than 100% due to rounding.
Part 1 – Requests under the Privacy Act
During the reporting period, the CRA received 12,502 new requests under the Privacy Act. This is an increase of 930 requests from last year’s total of 11,572 requests. Including the 1,780 requests carried forward from the 2022–2023 reporting period, the CRA had 14,282 active requests in its inventory.
The following table shows the number of requests the CRA received and closed under the Privacy Act, as well as the number of pages it processed over the past five fiscal years.
| Fiscal year | Requests received | Requests closed | Pages processed |
|---|---|---|---|
| 2019–2020 | 4,895 | 4,728 | 1,115,075 |
| 2020–2021 | 4,120 | 4,023 | 653,853 |
| 2021–2022 | 8,763 | 8,558 | 951,414 |
| 2022–2023 | 11,572 | 10,960 | 888,080 |
| 2023–2024 | 12,502 | 12,194 | 1,019,583 |
The following table shows how the CRA received the 12,502 requests during the 2023–2024 reporting period.
| Source | Number of requests | Percentage |
|---|---|---|
| Online | 8,722 | 70% |
| 1,632 | 13% | |
| 951 | 8% | |
| In person | 1 | 0.008% |
| Phone | 3 | 0.02% |
| Fax | 1,193 | 9% |
Other requests and workload
The CRA processed a large amount of requests other than the 12,502 requests it received under the Privacy Act. The additional volume significantly affected operations since the CRA had to divert resources to manage the workload. The additional requests included external and internal consultations, general enquiries, and complaints. During the fiscal year, the ATIP Directorate responded to 5,509 emails (109% more than last year’s 2,630 emails), and 1,623 enquiries through the general enquiries mailbox and toll-free phone line.
Part 2 – Informal requests
The CRA did not receive or close any informal requests under the Privacy Act in 2023–2024.
Part 3 – Requests closed during the reporting period
Disposition and completion time
The CRA continues to complete a large number of requests received under the Privacy Act. Of the 12,194 requests closed during the fiscal year is as follows:
- 7,121 were fully disclosed (58%)
- 1,170 were disclosed in part (10%)
- 2 were exempted in their entirety (0.02%)
- 0 was all excluded (0%)
- 379 resulted in no existing records (3%)
- 3,520 were abandoned by requesters (29%)
- 2 were neither confirmed nor denied (0.02%)
In 2023–2024, the CRA closed 1,234 (11%) more requests closed than in 2022–2023.
The following chart shows the completion times for the 12,194 requests closed in 2023–2024.
Image description
Completion time
10,560 (87%) in 30 days or under
966 (8%) from 31 to 60 days
320 (3%) from 61 to 120 days
348 (3%) in 121 days or more
For more details, see Table 3.1 of Appendix A.
Exemptions
The Privacy Act allows an institution to refuse access to specific information when necessary. For example, the CRA can refuse to give a requester information about another individual if that individual has not given consent. In 2023–2024, the CRA applied the following exemptions, in full or in part, to the 12,194 requests it closed during the reporting period:
- section 19 – Personal information obtained in confidence (13 times)
- section 22 – Law enforcement and investigation (340 times)
- section 26 – Information about another individual (857 times)
- section 27 – Solicitor client privilege (81 times)
Exclusions
The Privacy Act does not apply to information that is publicly available, such as information from government publications, libraries, and museums. The Act also excludes materials such as Cabinet confidences. In 2023–2024, the CRA did not apply any exclusions for information that was publicly available or for a Cabinet confidence.
Format of information released
Requesters can choose to receive their response package on paper or electronically. Persons with disabilities may ask for information in alternative formats, such as braille, although the CRA did not receive any such requests this fiscal year.
Providing documents electronically is more efficient because it significantly reduces manual processes, and it is environmentally friendly and secure. There was a 1% decrease in the volume of requests sent electronically in 2023–2024 compared to 2022–2023.
Of the 8,300 requests for which information was disclosed in 2023–2024, 7,466 requests (90%) were released in electronic format.
Complexity
The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests. For example, to respond to the 11,815 requests it closed during the fiscal year (excluding requests where no records existed), the CRA processed 1,019,583 pages and disclosed 852,270 pages. Of these requests:
- 10,751 involved processing less than 100 pages
- 751 involved processing 100 to 500 pages
- 135 involved processing 501 to 1,000 pages
- 143 involved processing 1,001 to 5,000 pages
- 32 involved processing more than 5,000 pages
Of note, 3 requests involved processing more than 10,000 pages, of which 1 involved processing more than 50,000 pages.
In addition to paper records, the CRA also processes requests for audio and video records. In 2023–2024, there were 9 requests for audio records, 7 of which involved processing less than 60 minutes and 2 of which involved processing more than 120 minutes. Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see tables 3.5.1 to 3.5.7 of Appendix A.
Closed requests
The ATIP Directorate closed 11,251 (92%) requests within the timelines required by law. This means that it provided responses within 30 calendar days or within an extended deadline. This compliance rate accounts for a 1.4% decrease compared to 2022–2023 (94%).
Deemed refusals
A deemed refusal is a request closed after the deadline of 30 calendar days or after an extended deadline.
Of the 12,194 requests closed during the reporting period, 943 were closed after the deadline. This resulted in a deemed refusal rate of 8%.
Requests for translation
Records are normally released in their original language. However, an institution may translate records to an official language if requested or if it is necessary for the individual to understand the information.
The CRA received and fulfilled two requests for translation in 2023–2024.
Part 4 – Disclosures under subsection 8(2) and 8(5)
Subsection 8(2) of the Privacy Act states that, subject to confidentiality provisions in other acts of Parliament, an institution may disclose personal information without consent for limited and specific circumstances. This is the case, for example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under paragraph 8(2)(m), the institution must notify the Privacy Commissioner of Canada.
During the reporting period, there were no disclosures of personal information under paragraph 8(2)(e) and (m) or subsection 8(5) of the Privacy Act.
Part 5 – Requests for correction of personal information and notations
Under the Privacy Act, every individual who is given access to personal information under paragraph 12(1)(a) and who believes their personal information contains an error or omission can ask for it to be corrected. When the CRA refuses a correction request, it must attach a notation to the information to show this.
During the 2023–2024 reporting period, the CRA did not receive any requests to correct personal information.
Part 6 – Extensions
The Privacy Act sets the required timelines for responding to requests for personal information. The Act allows time extensions when:
- meeting the original time limit would unreasonably interfere with operations
- there is a need to consult with a government institution or another third party
- there is a need to translate or convert records into another format
Of the 12,194 requests closed in 2023–2024, the CRA applied extensions to 922 (8%) of them. For 98% of the extensions, it applied them because of the workload and because meeting the original 30-day time limit would have interfered unreasonably interference with CRA operations. The CRA applied the remaining extensions to translate records or convert them into other formats.
Of the 922 extensions, 1 was for 15 days or less, and 921 were for 16 to 30 days.
Part 7 – Consultations received from other institutions and organizations
In 2023–2024, the ATIP Directorate received and closed one external consultation request from another Government of Canada organization. To respond to this request, the directorate reviewed 11 pages. The ATIP Directorate also received and closed two external consultation requests from other organizations outside of the Government of Canada.
Internal consultations
In 2023–2024, the CRA completed 264 internal privacy consultations requests, a 5% increase from the previous reporting period. To respond to these requests, the directorate reviewed 4,331 pages. These requests were informal reviews and did not fall under the Privacy Act.
The following chart shows the trends for internal privacy consultation requests received over the past five years.
Image description
Internal privacy consultation trends
In 2019–2020, 288 internal privacy consultation requests were received,10,318 pages were processed.
In 2020–2021, 105 internal privacy consultation requests were received, 5,824 pages were processed.
In 2021–2022, 180 internal privacy consultation requests were received, 2,288 pages were processed.
In 2022–2023, 252 internal privacy consultation requests were received, 4,564 pages were processed.
In 2023–2024, 264 internal privacy consultation requests were received, 4,331 pages were processed.
Part 8 – Completion time of consultations of Cabinet confidences
Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), Treasury Board of Canada Secretariat policies require agencies and departments to consult with their legal services office to determine if they should exclude requested information. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.
In 2023–2024, the CRA did not have to consult with legal services or the Privy Council Office for Cabinet confidences.
Part 9 – Complaints and investigation notices received
In 2023–2024, the CRA received 122 complaints under the Privacy Act related to privacy requests. The complaints it received were related to:
- time delay (18)
- time extension (1)
- non-disclosure (28)
- refusal due to exemption (12)
- refusal due to a general reason (11)
In addition, the CRA received 84 early resolution complaints:
- 1 was escalated to a formal complaint
- 39 were closed because the Office of the Privacy Commissioner of Canada determined that there was no need to complete a formal investigation
- 1 was discontinued
- 36 were carried over to the next fiscal year
During the fiscal year, the CRA closed 51 complaints. This represents a 96% increase in the number of complaints closed compared to the previous fiscal year. In addition, the CRA completed 49 early-resolution complaints.
The following chart shows the disposition of the 51 complaints closed during the fiscal year.
Image description
The following chart shows the disposition of the 51 complaints closed during the fiscal year.
Complaint dispositions(16%) Not well-founded
(15%) Resolved
(6%) Discontinued
(51%) Well-founded
(12%) Escalated to formal complaint
Additionally, the ATIP Directorate received 11 early resolution and 4 formal privacy-related complaints from the Office of the Privacy Commissioner of Canada on behalf of individuals. These types of complaints are related to privacy management and not Privacy Act requests and concerned the following issues:
- Accuracy of personal information (1)
- Unauthorized collection of personal information (1)
- Unauthorized use and disclosure of personal information (13)
Of these complaints:
- 1 is in progress
- 10 were not well-founded
- 4 were resolved
For the definitions of disposition categories from the Office of the Privacy Commissioner of Canada, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf.
Part 10 – Privacy impact assessments and personal information banks
During the reporting period, the CRA sent 17 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is described in the “Privacy impact assessments” section of this report.
Under section 10 of the Privacy Act, the CRA must create a personal information bank in Info Source for any collection or grouping of personal information under the control of a Government of Canada institution which has been used, is being used, or is available for use in a program or activity of the institution.
The personal information bank must state how the CRA organizes and retrieves the information (for example, by a person’s name or by an identifying number or symbol).
During the reporting period, there were 101 active personal information banks. In the same period, 3 were created and 23 were modified.
Part 11 – Privacy breaches
The CRA follows Treasury Board of Canada Secretariat policy instruments to determine which privacy breaches meet the threshold of a material breach. The CRA must notify the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat of material privacy breaches.
An increase in the number of material privacy breaches the CRA reported to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat in 2023–2024 can be attributed to two factors:
- In October 2022, the Treasury Board of Canada Secretariat updated the definition of a material privacy breach, resulting in more privacy breaches being deemed material
- There has been an increase in the number of reported incidents resulting from the unauthorized use of taxpayer information by a third party.
The number of reported incidents is expected to increase in the coming years as the CRA continues to implement processes and enhance its systems and security measures to detect and report these types of incidents
This year, the CRA reported 141 material privacy breachesFootnote 4 . Of these:
- 57 involved unauthorized access or disclosure of taxpayer information by CRA employees
- 3 involved misdirected mail
- 9 involved security incidents, including loss and the improper disclosure of personal information
- 72 involved the unauthorized use of taxpayer information by a third party
Part 12 – Resources related to the Privacy Act
Costs
In 2023–2024, the ATIP Directorate’s cost to administer the Privacy Act was $18,956,422. This included $34,000 in credit protection services provided to individuals affected by privacy breaches. This cost does not include the significant resources used within CRA branches and regions. For more details, see Table 12.1 of Appendix A.
Human resources
In 2023–2024, the CRA dedicated an equivalent of 183 full-time employees, 11 consultants, and 3 students to administering the Privacy Act. Many of the employees simultaneously administered the Access to Information Act.
Interpretation and explanation of Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act
The following is a brief overview of the tables included in Appendix B:
Section 1 – Open requests and complaints under the Access to Information Act
Table 1.1 – Open requests under the Access to Information Act
At the end of the fiscal year, the CRA had 1,066 Access to Information Act requests outstanding: 539 of these were within legislated timelines, while 527 were beyond legislated timelines. The CRA received 36% of these requests before 2023–2024, many of which will be addressed through its backlog elimination plan.
Table 1.2 – Open complaints with the Information Commissioner of Canada
At the end of the fiscal year, the CRA had 153 open complaints with the Information Commissioner of Canada.
Section 2 – Open requests and complaints under the Privacy Act
Table 2.1 – Open requests under the Privacy Act
At the end of the fiscal year, the CRA had 2,088 Privacy Act requests outstanding: 1,670 of these were within legislated timelines, while 418 were beyond legislated timelines. The CRA received 12% of these requests before 2023–2024. Many of these will be processed as part of its backlog elimination plan.
The following table shows the number of requests carried over to the next reporting period.
| Fiscal year open requests were received |
Open requests that are within legislated timelines as of March 31, 2024 |
Open requests that are beyond legislated timelines as of March 31, 2024 |
|---|---|---|
| 2023–2024 | 1,528 | 309 |
| 2022–2023 | 142 | 98 |
| 2021–2022 | 0 | 11 |
Table 2.2 – Open complaints with the Office of the Privacy Commissioner of Canada
At the end of the fiscal year, the CRA had 105 open complaints with the Privacy Commissioner of Canada.
The following table shows the number of open complaints with the Privacy Commissioner of Canada.
| Fiscal year open requests were received | Number of open complaints |
|---|---|
| 2023-2024 | 78 |
| 2022-2023 | 6 |
| 2021-2022 | 5 |
| 2020-2021 | 2 |
| 2019-2020 | 4 |
| 2018-2019 | 5 |
| 2017-2018 | 1 |
| 2016-2017 | 0 |
| 2015-2016 | 0 |
| 2014-2015 or earlier | 4 |
Section 3 – Social insurance number
The CRA reported a new collection of the social insurance number in 2023–2024. Specifically, the Underused Housing Tax Act resulted in a new collection of the social insurance number to administer the Underused Housing Tax.
Section 4 – Universal access under the Privacy Act
During the 2023–2024 reporting period, the CRA received 18 requests from confirmed foreign nationals under the Privacy Act.
Appendix A – Statistical report
Statistical report on the Privacy Act
Name of institution: Canada Revenue Agency
Reporting period: April 1, 2023 to March 31, 2024
Part 1 – Requests under the Privacy Act
1. 1 Number of formal requests
| Formal requests | Number of outstanding requests | Number of requests |
|---|---|---|
| Received during reporting period | 12,502 | |
| Outstanding from previous reporting periods | 1,780 | |
|
1,432 | |
|
348 | |
| Total | 14,282 | |
| Closed during reporting period | 12,194 | |
| Carried over to next reporting period | 2,088 | |
|
1,670 | |
|
418 |
1.2 Channels of formal request
| Channel | Number of requests |
|---|---|
| Online | 8,722 |
| 1,632 | |
| 951 | |
| In Person | 1 |
| Phone | 3 |
| Fax | 1,193 |
| Total | 12,502 |
Part 2 – Informal requests
2.1 Number of informal requests
| Informal requests | Number of outstanding requests | Number of requests |
|---|---|---|
| Received during reporting period | 0 | |
| Outstanding from previous reporting periods | 0 | |
|
0 | |
|
0 | |
| Total | 0 | |
| Closed during reporting period | 0 | |
| Carried over to next reporting period | 0 |
2.2 Channels of requests
| Channel | Number of requests |
|---|---|
| Online | 0 |
| 0 | |
| 0 | |
| In Person | 0 |
| Phone | 0 |
| Fax | 0 |
| Total | 0 |
2.3 Completion time of informal requests
| Completion Time (Days) | |||||||
|---|---|---|---|---|---|---|---|
| 1 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
2.4 Pages released informally
| Less than 100 | 101 to 500 | 501 to 1000 | 1001 to 5000 | More than 5000 | |||||
|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed | Number of requests | Number of pages disclosed |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 3 ‑ Requests closed during the reporting period
3.1 Disposition and completion time
| Disposition of requests |
Completion Time (Days) | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total | |
| All disclosed | 2,360 | 4,033 | 567 | 141 | 13 | 3 | 4 | 7,121 |
| Disclosed in part | 37 | 359 | 331 | 157 | 71 | 109 | 106 | 1,170 |
| All exempted | 0 | 1 | 0 | 1 | 0 | 0 | 0 | 2 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| No records exist | 277 | 66 | 27 | 8 | 0 | 1 | 0 | 379 |
| Request abandoned | 3,286 | 140 | 40 | 13 | 11 | 7 | 23 | 3,520 |
| Neither confirmed nor denied | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 2 |
| Total | 5,961 | 4,599 | 966 | 320 | 95 | 120 | 133 | 12,194 |
3.2 Exemptions
| Section | Number of requests | Section | Number of requests | Section | Number of requests |
|---|---|---|---|---|---|
| 18(2) | 0 | 22(1)(a)(i) | 1 | 23(a) | 0 |
| 19(1)(a) | 6 | 22(1)(a)(ii) | 3 | 23(b) | 0 |
| 19(1)(b) | 0 | 22(1)(a)(iii) | 0 | 24(a) | 0 |
| 19(1)(c) | 7 | 22(1)(b) | 336 | 24(b) | 0 |
| 19(1)(d) | 0 | 22(1)(c) | 0 | 25 | 0 |
| 19(1)(e) | 0 | 22(2) | 0 | 26 | 857 |
| 19(1)(f) | 0 | 22.1 | 0 | 27 | 81 |
| 20 | 0 | 22.2 | 0 | 27.1 | 0 |
| 21 | 0 | 22.3 | 0 | 28 | 0 |
| - | - | 22.4 | 0 | - | - |
3.3 Exclusions
| Section | Number of requests | Section | Number of requests | Section | Number of requests |
|---|---|---|---|---|---|
| 69(1)(a) | 0 | 70(1) | 0 | 70(1)(d) | 0 |
| 69(1)(b) | 0 | 70(1)(a) | 0 | 70(1)(e) | 0 |
| 69.1 | 0 | 70(1)(b) | 0 | 70(1)(f) | 0 |
| - | - | 70(1)(c) | 0 | 70.1 | 0 |
3.4 Format of information released
| Paper | Electronic | Other | |||
|---|---|---|---|---|---|
| E-record | Data Set | Video | Audio | ||
| 834 | 7,457 | 0 | 0 | 9 | 0 |
3.5 Complexity
3.5.1 Relevant pages processed and disclosed for paper and e-record formats
| Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|
| 1,019,583 | 852,270 | 11,812 |
3.5.2 Relevant pages processed by request disposition for paper and e-record formats by size of request
| Disposition of requests |
Less than 100 pages | 101 to 500 pages | 501 to 1,000 pages | 1001 to 5,000 pages | More than 5,000 pages | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | Number of requests | Pages processed | |
| All disclosed | 6,742 | 210,002 | 359 | 55,203 | 14 | 8,834 | 5 | 7,864 | 0 | 0 |
| Disclosed in part | 489 | 24,616 | 392 | 92,084 | 121 | 86,005 | 134 | 256,175 | 32 | 268,503 |
| All exempted | 2 | 28 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 3,516 | 355 | 0 | 0 | 0 | 0 | 4 | 9,914 | 0 | 0 |
| Neither confirmed nor denied | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 10,751 | 235,001 | 751 | 147,287 | 135 | 94,839 | 143 | 273,953 | 32 | 268,503 |
3.5.3 Relevant minutes processed and disclosed for audio formats
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 478 | 478 | 9 |
3.5.4 Relevant minutes processed per request disposition for audio formats by size of request
| Disposition of requests |
Less than 60 minutes | 60-120 minutes | More than 120 minutes | |||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 3 | 57 | 0 | 0 | 0 | 0 |
| Disclosed in part | 4 | 107 | 0 | 0 | 2 | 314 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 7 | 164 | 0 | 0 | 2 | 314 |
3.5.5 Relevant minutes processed and disclosed for video formats
| Number of minutes processed | Number of minutes disclosed | Number of requests |
|---|---|---|
| 0 | 0 | 0 |
3.5.6 Relevant minutes processed per request disposition for video formats by size of request
| Disposition of requests |
Less than 60 minutes | 60-120 minutes | More than 120 minutes | |||
|---|---|---|---|---|---|---|
| Number of requests | Minutes processed | Number of requests | Minutes processed | Number of requests | Minutes processed | |
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 |
3.5.7 Other complexities
| Disposition of requests | Consultation required |
Legal advice Sought |
Interwoven information |
Other | Total |
|---|---|---|---|---|---|
| All disclosed | 2 | 2 | 32 | 14 | 50 |
| Disclosed in part | 3 | 0 | 70 | 9 | 82 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1 | 2 | 21 | 27 | 51 |
| Neither confirmed nor denied | 0 | 0 | 0 | 1 | 1 |
| Total | 6 | 4 | 123 | 51 | 184 |
3.6 Closed requests
3.6.1 Number of requests closed within legislated timelines
| Number of requests closed within legislated timelines | 11,251 |
|---|---|
| Percentage of requests closed within legislated timelines (%) | 92.26668854 |
3.7 Deemed refusals
3.7.1 Reasons for not meeting legislated timelines
| Number of requests closed Number of requests closed past the legislated timelines |
Principal reason | |||
|---|---|---|---|---|
| Interference with operations/workload |
External consultation | Internal consultation | Other | |
| 943 | 795 | 2 | 1 | 145 |
3.7.2 Requests closed beyond legislated timelines (including any extensions taken)
| Number of days past legislated timeline |
Number of requests past legislated timeline where no extension was taken | Number of requests past legislated timelines where an extension was taken |
Total |
|---|---|---|---|
| 1 to 15 | 234 | 65 | 299 |
| 16 to 30 | 93 | 30 | 123 |
| 31 to 60 | 97 | 40 | 137 |
| 61 to 120 | 65 | 49 | 114 |
| 121 to 180 | 27 | 22 | 49 |
| 181 to 365 | 54 | 57 | 111 |
| More than 365 | 75 | 35 | 110 |
| Total | 645 | 298 | 943 |
3.8 Requests for translation
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 2 | 0 | 2 |
| French to English | 0 | 0 | 0 |
| Total | 2 | 0 | 2 |
Part 4 ‑ Disclosures under subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 0 | 0 | 0 |
Part 5 – Requests for correction of personal information and notations
| Disposition for correction requests received | Number |
|---|---|
| Notations attached | 0 |
| Requests for correction accepted | 0 |
| Total | 0 |
Part 6 ‑ Extensions
6.1 Reasons for extensions
| Number of requests where an extension was taken | 15(a)(i) Interference with operations | 15a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidences | External | Internal | ||
| 922 | 22 | 52 | 817 | 9 | 0 | 0 | 0 | 22 |
6.2 Length of extensions
| Length of extension in days | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation purposes or conversion | |||||
|---|---|---|---|---|---|---|---|---|
| Further review required to determine exemptions | Large volume of pages | Large volume of requests | Documents are difficult to obtain | Cabinet Confidences | External | Internal | ||
| 1 à 15 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
| 16 à 30 | 22 | 52 | 816 | 9 | 0 | 0 | 0 | 22 |
| 31 days or greater | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Total | 22 | 52 | 817 | 9 | 0 | 0 | 0 | 22 |
Part 7 – Consultations received from other institutions and organizations
7.1 Consultations received from other Government of Canada institutions and organizations
| Consultations | Other Government of Canada institutions | Number of pages to review | Other organizations | Number of pages to review |
|---|---|---|---|---|
| Received during the reporting period | 1 | 11 | 2 | 11 |
| Outstanding from the previous period | 0 | 0 | 0 | 0 |
| Total | 1 | 11 | 2 | 11 |
| Closed during the reporting period | 1 | 11 | 2 | 11 |
| Carried over within the negotiated timelines | 0 | 0 | 0 | 0 |
| Carried over beyond negotiated timelines | 0 | 0 | 0 | 0 |
7.2 Recommendations and completion time for consultations received from other Government of Canada institutions
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 1 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total | |
| Disclose entirely | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
7.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Number of days required to complete consultation requests | |||||||
|---|---|---|---|---|---|---|---|---|
| 0 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total | |
| Disclose entirely | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 2 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 2 |
Part 8 – Completion time of consultations on Cabinet confidences
8.1 Requests with Legal Services
| Number of days | Less than 100 pages | 101 - 500 pages | 501 - 1000 pages | 1001 - 5000 pages | More than 5000 pages | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
8.2 Requests with Privy Council Office
| Number of days | Less than 100 | 101 - 500 | 501 - 1000 | 1001 - 5000 | More than 5000 | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | Number of requests | Pages disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 9 ‑ Complaints and investigations notices received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 70 | 1 | 51 | 0 | 122 |
Part 10 ‑ Privacy impact assessments and personal information banks
10.1 Privacy impact assessments
| Category | Number |
|---|---|
| Number of privacy impact assessments completed | 17 |
| Number of privacy impact assessments modified | 12 |
10.2 Personal information banks
| Personal Information Banks | Active | Created | Terminated | Modified |
|---|---|---|---|---|
| Institution-specific | 53 | 3 | 1 | 21 |
| Central | 48 | 0 | 0 | 2 |
| Total | 101 | 3 | 1 | 23 |
Part 11 – Privacy breaches
11.1 Material Privacy Breaches reported
| Category | Number |
|---|---|
| Number of material privacy breaches reported to the Treasury Board of Canada Secretariat | 141 |
| Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada | 141 |
11.2 Non-Material Privacy Breaches
| Category | Number |
|---|---|
| Number of non-material privacy breaches | 1,332 |
Part 12 – Resources related to the Privacy Act
12.1 Costs
| Expenditures | Amount | |
|---|---|---|
| Salaries | $17,113,054 | |
| Overtime | $298,534 | |
| Goods and Services | $1,544,834 | |
|
$769,031 | |
|
$775,803 | |
| Total | $18,956,422 | |
12.2 Human resources
| Resources | Person years dedicated to privacy activities |
|---|---|
| Full-time employees | 183 |
| Part-time and casual employees | 0 |
| Regional staff | 0 |
| Consultants and agency personnel | 11 |
| Students | 3 |
| Total | 197 |
Appendix B – Supplemental statistical report on the Access to Information Act and the Privacy Act
Part 1 : Open requests and complaints under the Access to Information Act
1.1 Open requests outstanding from previous reporting periods
| Fiscal year open requests were received |
Open requests that are within legislated timelines as of March, 31 2024 |
Open requests that are beyond legislated timelines as of March 31, 2024 |
Total |
|---|---|---|---|
| 2023-2024 | 500 | 178 | 678 |
| 2022-2023 | 31 | 282 | 313 |
| 2021-2022 | 6 | 65 | 71 |
| 2020-2021 | 1 | 1 | 2 |
| 2019-2020 | 1 | 1 | 2 |
| 2018-2019 or earlier | 0 | 0 | 0 |
| Total | 539 | 527 | 1,066 |
1.2 Open complaints with the Information Commissioner of Canada outstanding from previous reporting periods
| Fiscal year open requests were received | Number of open complaints |
|---|---|
| 2023-2024 | 80 |
| 2022-2023 | 50 |
| 2021-2022 | 11 |
| 2020-2021 | 2 |
| 2019-2020 | 4 |
| 2018-2019 | 4 |
| 2017-2018 | 0 |
| 2016-2017 | 0 |
| 2015-2016 | 0 |
| 2014-2015 or earlier | 2 |
| Total | 153 |
Part 2 : Open requests and complaints under the Privacy Act
Table 2.1 - Open requests outstanding from previous reporting periods
| Fiscal year open requests were received |
Open requests that are within legislated timelines as of March 31, 2024 |
Open requests that are beyond legislated timelines as of March 31, 2024 |
Total |
|---|---|---|---|
| 2023–2024 | 1,528 | 309 | 1,837 |
| 2022–2023 | 142 | 98 | 240 |
| 2021–2022 | 0 | 11 | 11 |
| 2020–2021 or earlier | 0 | 0 | 0 |
| Total | 1,670 | 418 | 2,088 |
2.2 Open complaints with the Privacy Commissioner of Canada outstanding from previous reporting periods
| Fiscal year open requests were received | Number of open complaints |
|---|---|
| 2023-2024 | 78 |
| 2022-2023 | 6 |
| 2021-2022 | 5 |
| 2020-2021 | 2 |
| 2019-2020 | 4 |
| 2018-2019 | 5 |
| 2017-2018 | 1 |
| 2016-2017 | 0 |
| 2015-2016 | 0 |
| 2014-2015 or earlier | 4 |
| Total | 105 |
Part 3: Authority received for a new collection of the social insurance number (SIN)
| Category | Number |
|---|---|
| Did your institution receive authority for a new collection or new consistent use of the SIN in 2023–2024? | Yes |
Part 4 : Universal Access under the Privacy Act
| Category | Number |
|---|---|
| How many requests were received from confirmed foreign nationals outside of Canada in 2023–2024? | 18 |
Appendix C – Delegation order
Image description
Privacy Act
Delegation Order
I, Marie-Claude Bibeau, Minister of National Revenue, do hereby designate, pursuant to subsection 73(1) of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties, or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.
This designation replaces all previous delegation orders.
Marie-Claude Bibeau
Minister of National Revenue
Signed in Ottawa, Ontario, Canada this 15th day of December, 2023
The positions authorized to perform the powers, duties, and functions given to the Minister of National Revenue as head of the Canada Revenue Agency under the provisions of the Privacy Act and its Regulations.
Commissioner
- Full authority
Deputy Commissioner
- Full authority
Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer
- Full authority
Director General of the Access to Information and Privacy Directorate in the Public Affairs Branch
- Full authority
Directors in the Access to Information and Privacy Directorate of the Public Affairs Branch
- Full authority
Assistant directors in the Access to Information and Privacy Directorate of the Public Affairs Branch
- Full authority except for paragraph 8(2)(j), paragraph 8(2)(m) and subsection 8(5), and subsection 72(1)
Managers, Technical Reviewers / Advisors, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority except for paragraph 8(2)(j), paragraph 8(2)(m), subsection 8(5), subsection 9(1), subsection 9(4), section 10, subsection 33(2), and subsection 72(1)
Analyst, Senior Analyst, Access to Information and Privacy Directorate, Public Affairs Branch
- Authority only under paragraph 14(a), section 15, subsection 16(1), paragraph 17(2)(b), and paragraph 17(3)(b)
Page details
- Date modified: