Technology and Security Committee charter
1. Mandate
1.1 The Technology and Security Committee (Committee) of the Board of Management (Board) of the Canada Revenue Agency (Agency) assists the Board in fulfilling its oversight responsibilities pertaining to technology and security functions, in such areas as:
- information technology, emerging and disruptive technology, including artificial intelligence (AI);
- physical and cyber security;
- suspicious activities, potential internal and external fraud threats;
- information management and data protection;
- digital transformation;
- major project investment and delivery; and
- internal controls; and risks associated with the above.
2. Composition
2.1 The Committee will be comprised of a minimum of three directors of the Board, including a Chair and Vice-Chair.
2.2 Based upon changes in Board membership and/or on an annual basis, the Chair of the Board, in consultation with the Chair and Vice-Chair of the Committee, will review the composition of the Committee and recommend to the Board any changes in Committee membership, if required. All changes in Committee membership will be approved by resolution of the Board at the earliest opportunity.
2.3 The CRA’s Commissioner is a member of the Committee.
2.4 The Chair of the Technology and Security Committee is to be a member of the Audit, Finance and Risk Committee.
2.5 The Chair of the Audit, Finance and Risk Committee is to be a member of the Technology and Security Committee.
2.6 The Chief Information Officer (CIO) and Assistant Commissioner of the Information Technology Branch, Agency Security Officer (ASO) and Assistant Commissioner of the Security Branch, and Digital Transformation Officer (DTO) and Assistant Commissioner of the Digital Transformation Program Branch may attend as observers in regular closed sessions of the Committee meetings. Board directors who are not members of the Committee may attend the regular closed session and/or in-camera sessions as observers, by request or by invitation of the Committee Chair. Requests to observe should be submitted to the Board Secretariat at least two business days in advance of the meeting. Any other person not having business before the Committee may attend the regular closed session with approval from the Committee Chair.
3. Responsibilities and duties
3.1 In discharging their duties under this mandate, each member of the Committee is obliged to exercise the care, diligence and skill a reasonable person would exercise in comparable circumstances.
3.2 In discharging the duties under this mandate, the Committee may seek and rely in good faith upon any report of a lawyer, accountant, an officer of the Agency or any other person whose profession provides credibility to the statement made by such person.
To fulfill its mandate, the Committee will:
3.3 Technology
- Engage with the Agency on major strategic plans and initiatives at an early stage of development to ensure the effective use of technology and information across the organisation;
- Receive quarterly updates from the CIO with respect to functional support for implementation of significant technology projects and initiatives, including, but not limited to, emerging or disruptive technology, AI, procurement and management of critical and new technology systems, status of technical debt, and an update on evolution of the call center technology;
- Receive semi-annual updates from the DTO related to advancement of the enterprise-wide digital transformation agenda, including, but not limited to, digital transformation progress, strategic planning, and internal and external collaboration and partnerships;
- Review plans and policies related to data governance and data management;
- Review the Strategic Investment Plan (for major project investments); and
- Approve and continually review, through regular progress updates, all Agency major project plans whose lifecycle development costs are anticipated to exceed $40 million and/or 50 points on the risk and complexity scale as outlined in the Project and Programme Management Policy, and monitor risk related to these projects.
3.4 Security
- Receive quarterly updates from the ASO on the Agency’s physical and cyber security posture, fraudulent activities, and any emerging risks, trends and related policies, including, but not limited to:
  - cybersecurity;
  - data protection;
  - information security; and
  - prevention and deterrence of suspicious activities, potential internal and external fraud.
- Review, provide guidance on, and, when appropriate, recommend to the Board approval of the Agency’s strategies, plans and policies as they relate to the Agency’s major incident or emerging crisis management; and
- Receive and review internal and external audit reports on topics related to the Committee’s mandate, as well as regular updates on the progress of the action plans and risk mitigation strategies resulting from these reports.
3.5 Accountability
- Develop a Technology and Security Committee work plan on an annual basis, identifying priorities and objectives;
- Review the charter annually and make a recommendation to the Governance and Service Committee for Board approval; and
- Undertake any other duties the Board may delegate to the Committee.
4. Operating procedures
4.1 Meetings
- Meetings of the Committee will take place in accordance with the procedures set out in sections 9, 17, and 18 of Board of Management By-Law # 1. All meetings of the Committee are closed meetings. At the start and at the end of each meeting of the Committee, there may be an in-camera session for independent Board members scheduled on the agenda. There may also be an in-camera session with the Commissioner scheduled on the agenda, at the beginning and/or the end of each meeting of the Committee;
- The Chair of the Committee may adopt any combination of in-camera sessions as they may deem appropriate; and
- Section 7.1 of the Manual – Meeting Modalities defines and describes the procedures for closed and in-camera meetings/sessions.
4.2 Absence of Committee Chair
- In the absence of the Committee Chair, the Committee Vice-Chair will act as Chair.
4.3 Secretary
- Unless the Committee specifies otherwise, the Corporate Secretary will act as Secretary for all meetings of the Committee.
4.4 Reporting to the Board
- The Committee, through its Chair, will report to the Board, in an abridged manner, at the next regular Board meeting while ensuring the following elements are included in the report:
  - an overview of items discussed;
  - an opportunity to receive comments or questions from other Board members; and
  - any recommendations and/or decisions for the Board.
4.5 Minutes
- Minutes of each meeting of the Committee will be prepared by the Board Secretariat, and provided to members for review and approval at the next meeting of the Committee. The Chair will, as required, brief the Corporate Secretary and the Commissioner following in-camera sessions.
4.6 Reading material
- Reading material for each Committee meeting will be available in both official languages and provided to Committee members by the Board Secretariat. Every effort is to be made to allow Committee members at least two weekends to review the material before the meetings. Committee members will be expected to have read the material prior to the meeting and thus will be expected to participate fully in Committee discussions on the subject matter contained within the reading material.
4.7 Legal advice
- At any time, Committee members may seek legal advice from the legal counsel assigned to the Board of Management by the CRA. All requests for advice will be made in writing to the Agency's legal counsel, with a copy provided to the Corporate Secretary.