Section 3 – Introduction to the Canada Revenue Agency

Safeguarding taxpayer information

CRA's obligation

The Canada Revenue Agency (CRA) recognizes that trust is the foundation of Canada's voluntary self-assessment tax system and therefore places the highest priority on protecting the personal information entrusted to it by taxpayers. The CRA has put in place strong internal controls to ensure taxpayer information and privacy are protected.

The CRA has a legal obligation to safeguard the confidentiality and integrity of the information and assets for which it is responsible. The CRA's legislative responsibility to protect taxpayer information is outlined in detail in section 241 of the Income Tax Act, section 295 of the Excise Tax Act, and section 211 of the Excise Act, 2001.

Information classification

In accordance with the Access to Information Act and the Privacy Act, the Government of Canada has grouped its sensitive information and asset holdings into two types: classified information and protected information.

  1. Classified information concerns information related to the national interest, such as the defence and maintenance of social, political and economic stability of Canada, that may qualify for exemption or exclusion under the Access to Information Act or Privacy Act. Classified information is classified into three categories based on the degree of potential injury to the national interest if the information were to be compromised: Top Secret (high); Secret (medium); and Confidential (low).
  2. Protected information concerns information that lies outside the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act. Protected information is classified into three categories based on the degree of potential injury to an individual, an organization, or the CRA if the information were to be compromised: Protected A (low); Protected B (medium); and Protected C (high).

Cabinet documents management

It is essential for the Minister's Office to follow established procedures to safeguard Cabinet documents, which contain classified and/or protected information. The CRA manages Cabinet documents in its custody according to the requirements of the Privy Council Office with regard to the handling, storing, routing, and filing of Secret Agency information and assets. In addition, the CRA stores Cabinet documents in a secure area with controlled access and an alarm system. The employees involved in managing the documents use equipment that has been approved by the Royal Canadian Mounted Police, such as filing cabinets, shredders, briefcases, and fax machines. The employees also work on a separate secret file server.

Privacy breaches

Privacy breaches refer to the improper or unauthorized access or disclosure of personal information as defined in the Privacy Act. Privacy breaches involving taxpayer information generally fall into three broad categories: employee misconduct (e.g. unauthorized access); unintentional breaches (e.g. human error); or information technology vulnerabilities.

A material breach is one that involves sensitive personal information and could reasonably be expected to cause serious injury or harm to the individual, and/or involves a large number of affected individuals. When a privacy breach is discovered, the CRA documents it, assesses its risk, and notifies the individuals involved. This is in accordance with Treasury Board Secretariat guidelines.

In 2014-2015, the CRA reported the following three types of privacy breaches:

Specifically, 37 privacy breach incidents were reported to the Office of the Privacy Commissioner and the Treasury Board Secretariat. These incidents include the following:

In April 2014, there was a breach of CRA's systems as a result of the Heartbleed bug, a software security threat. The CRA quickly closed down its e-services, including My Account and My Business Account, for five days to contain the vulnerability.

In November 2014, in response to an access to information request, the CRA inadvertently released taxpayer information to the Canadian Broadcasting Corporation (CBC). The CRA immediately addressed the incident by conducting an internal investigation, which confirmed the disclosure of information was a result of human error. The CRA also implemented a plan to enhance controls within the Agency's Access to Information and Privacy operations. At the same time, the CRA initiated a third-party independent review of its access to information and privacy management frameworks.

Although the CRA made immediate efforts to retrieve the information, the CBC chose to publish some of the information in an article. Since the incident, the CBC has refused to return the confidential information. In May 2015, the CRA commenced legal proceedings against the CBC to recover this information on the basis that their failure to return the material is a breach of confidence.

CRA's security screening

As part of protecting the confidentiality of taxpayer information, the Agency examines employees' conduct and potential risk for misconduct through its security screening process. The CRA has three levels of security clearance:

CRA's security infrastructure

The CRA has a centralized security and incident management capacity. The Agency ensures that only those who require access as part of their work function have access to CRA's systems and that information is only used for its intended purpose. Additionally, the Agency has post-screening mechanisms in place for reporting suspected fraud or misuse of access to information, including an anonymous tip line. When concerns are raised, the Agency conducts investigations to determine whether allegations of wrongdoing are founded.

The Agency's security infrastructure includes:

The CRA continues to enhance its security infrastructure to ensure the Agency's readiness to respond to the changing threats in its environment. For example, given that cyber security incidents are increasing and becoming more sophisticated, the CRA is strengthening the security of its processes with regard to how sensitive information is stored, accessed, and transmitted over its network. The Agency also continues to improve upon its security protocols and controls to make sure that taxpayer information is safeguarded. 
