Data privacy and security
Canadians place their trust in the Canada Revenue Agency (CRA) to protect their information from unauthorized access or disclosure and to ensure that its services are delivered securely and without interruption. That trust is crucial to promoting Canadians' compliance with their tax obligations.

Key facts and figures 2020-2021

  • The CRA is responsible for one of the largest repositories of personal and financial information in the country
  • According to a 2018 third-party (Gartner) assessment, the CRA's security maturity is comparable to industry peers
  • A multi-layered approach to security, including system and business controls, protects against potential internal and external threats and privacy breaches
  • Threats in the external environment are increasing in number and complexity, driving the CRA to increase its measures to analyze, identify and mitigate potential threats


Recent and planned improvements

Protection of personal information vulnerability assessment
The assessment identified potential weaknesses in the processes and procedures for protecting information; its findings frame current and future risk mitigation strategies.
Privacy management framework
This framework was developed to demonstrate commitment to protecting personal information and outlines how the CRA manages privacy.
Privacy by design
This initiative ensures incorporation of privacy into early stages of all programs, processes, and solutions.
Fraud detection
Since spring 2021, models and tools have expanded proactive monitoring of user actions on CRA systems to better detect potentially fraudulent employee transactions and misuse of information.
Data and artificial intelligence (AI) ethics
This pillar of the CRA's AI roadmap focuses on maintaining the trust of Canadians by embedding ethical considerations in every step of the design, deployment, and ongoing auditing of AI and automated decision-making solutions.
Agency Security Officer (ASO)
A position within the CRA that was recently elevated in seniority to further centralize and formalize management of the security program.

COVID-19 impacts

  • The COVID-19 emergency benefit programs, in Canada and elsewhere, became a target for bad actors in part due to their unprecedented reach and materiality.
    • In the summer of 2020, the CRA and the Government of Canada experienced a set of cyber incidents. In those incidents, bad actors used stolen credentials obtained through a variety of means from sources external to the CRA.
    • The CRA rapidly countered these attacks to uphold the integrity and security of taxpayer information and their CRA accounts.
    • The CRA continues to enhance its security measures and communicates with Canadians to validate their credentials and increase awareness.
    • A dedicated cross-Agency team was created to coordinate the holistic, CRA-wide response.
  • A class action lawsuit was filed against the Government of Canada in August 2020 alleging unauthorized disclosure of personal and financial information resulting from the summer 2020 "credential stuffing" cyber attacks. The CRA is the lead client for this litigation.
  • In support of transparency and accountability, the CRA proactively disclosed data on the uptake and demographics of recipients of emergency measures.
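The summer 2020 incidents above are described as "credential stuffing": credentials stolen elsewhere are replayed in bulk against a login service in the hope that users reused them. The following Python is an added illustrative example, not CRA code and not a description of any actual CRA control. It shows the detection heuristic a defender would typically run over authentication logs: group login attempts by source address, slide a time window over them, and flag a source that tries many distinct accounts with a high failure rate; any account that source did log into successfully is then treated as likely compromised and queued for a forced credential reset. The log format, thresholds and sample events are all constructed assumptions.

```python
"""Toy credential-stuffing detector over constructed login events.

Added example; not CRA code. Log format, thresholds and sample data are
assumptions chosen to illustrate the technique.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window per source IP
MIN_ACCOUNTS = 5                # assumed: distinct accounts tried within the window
MIN_FAIL_RATIO = 0.8            # assumed: share of attempts in the window that failed

# Constructed sample log (not real CRA data): "<ISO time> <client ip> <account> <SUCCESS|FAIL>".
# 198.51.100.20 is a legitimate user mistyping a password twice; 203.0.113.7 replays
# a stolen credential list and happens to hit one valid pair (dana).
SAMPLE_LOG = """\
2020-08-01T08:55:10 198.51.100.20 alice FAIL
2020-08-01T08:55:25 198.51.100.20 alice FAIL
2020-08-01T08:55:40 198.51.100.20 alice SUCCESS
2020-08-01T09:00:00 203.0.113.7 bob FAIL
2020-08-01T09:00:02 203.0.113.7 carol FAIL
2020-08-01T09:00:04 203.0.113.7 dana SUCCESS
2020-08-01T09:00:06 203.0.113.7 erin FAIL
2020-08-01T09:00:08 203.0.113.7 frank FAIL
2020-08-01T09:00:10 203.0.113.7 grace FAIL
2020-08-01T09:00:12 203.0.113.7 heidi FAIL
2020-08-01T09:00:14 203.0.113.7 ivan FAIL
2020-08-01T09:10:00 192.0.2.5 judy SUCCESS
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into Attempt records sorted by time."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, account, result == "SUCCESS"))
    return sorted(attempts, key=lambda a: a.ts)


def detect_stuffing(attempts, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: {"accounts_tried", "fail_ratio", "compromised"}} for flagged sources.

    A source is flagged when some window contains >= min_accounts distinct accounts
    and the failure ratio in that window is >= min_fail_ratio. The reported figures
    come from the widest qualifying window; "compromised" lists every account the
    flagged source ever logged into successfully.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)          # attempts are already time-sorted

    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            accounts = {e.account for e in win}
            ratio = sum(not e.ok for e in win) / len(win)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["accounts_tried"]:
                    flagged[ip] = {"accounts_tried": len(accounts), "fail_ratio": ratio}
    for ip, info in flagged.items():
        info["compromised"] = sorted({e.account for e in by_ip[ip] if e.ok})
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {info['accounts_tried']} accounts, "
              f"fail ratio {info['fail_ratio']:.2f}, force reset on {info['compromised']}")
```

The legitimate user who fails twice before succeeding is never flagged, because a single account cannot reach the distinct-account threshold; the attacker is flagged even though one of the replayed pairs worked, which is exactly the case a password-only login cannot distinguish on its own. In production the same signal would be fed by rate limiting, device or geolocation reputation, and a second authentication factor rather than thresholds alone.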

Context

Maintaining public confidence in the integrity of the tax system is of paramount importance to the CRA. The CRA is one of the largest holders of personal and financial information in the Government of Canada, and Canadians place their trust in it to protect their information from unauthorized access or disclosure. That trust is crucial to ensuring compliance with Canada's tax system.

Public concerns with privacy and the protection of information continue to grow, informed by an increasing number of public and private sector privacy breaches. In a digital and connected world, there is a need to remain proactive in addressing increasingly sophisticated cyber threats especially since the CRA and its data holdings are a valuable target for bad actors. Canadians expect that their personal information is safe with us, and the CRA continues to adapt to this changing privacy and security landscape.

The CRA is aware of the necessity to adapt its privacy management program as this landscape evolves. With the launch of the CRA Privacy Management Framework (PMF) in 2020, the CRA has committed to enhancing its privacy practices, based on Privacy by design principles, where privacy is systemically embedded into business practices and systems.

The CRA is committed to protecting personal information from internal and external misuse. Information is protected through rigorous controls guided by legislation, including the Privacy Act and the Income Tax Act. These controls help to prevent, detect, and respond to internal and external threats. The CRA monitors the environment to confirm that existing controls remain effective and that it is positioned to respond to new and emerging threats.

Considerations

For the CRA's tax and benefit administration to be most effective, it is imperative to have good information on which to rely. The CRA's ability to use its information and that of third parties allows for improved service, better-targeted compliance interventions, and the timely and accurate provision of benefits.

Current privacy and security prevention control measures include account identity validations, security screening, internal fraud risk assessments and internal audits. The CRA is actively working with Government of Canada partners to introduce robust identity and access management controls that can be used across government platforms. Detection control measures in place at the CRA include an anonymous tip line and systems that monitor data access. As with any organization, despite the range of the CRA's existing controls, personal information can be inappropriately used or released. For those instances, the CRA has established response and mitigation controls to inform affected individuals and minimize the impact.

The CRA continues to leverage third-party assessments and benchmarking against peer organizations to enhance security. As threat trends change and gaps are identified, the CRA will adapt the program to effectively meet future security challenges.

Environmental factors

In 2020, COVID-19 emergency relief measures increased the CRA's profile as a potential target for cyber attacks and fraud. Cyber attacks occurred on the CRA My Account, My Business Account, and Represent a Client platforms, resulting in CRA online services being temporarily disabled while the CRA worked to neutralize the threats and address vulnerabilities. Impacted Canadians were contacted, and their calls were prioritized in contact centre queues. In addition, a new anti-fraud program was introduced to address concerns related to fraudulent applications and other security pressures that existed with the emergency benefits. The CRA also offered credit protection services to impacted individuals, at no cost to them, to further protect their personal information. Nevertheless, a class action lawsuit has been filed in relation to the online services privacy breach incidents.

Systems

The CRA Cyber Security Strategy is a strategic, risk-based approach for continuously assessing threats and opportunities in a volatile security environment. The relationship between information technology (IT) security and the business is key to ensuring "security by design", meaning that security controls are built in from the start when solutions are developed, rather than added afterward.

A multi-layered approach is used for IT security, with responsibilities for these layers spread across multiple organizations. The CRA also works with other government departments, law enforcement, the Canadian Anti-Fraud Centre and the provinces and territories to protect taxpayer accounts and personal information through collaboration and coordination.

Systems that are built and maintained with a proper security posture provide the basis for trust in the CRA's services. Mitigation measures for security risks to the confidentiality, integrity, and availability of CRA systems are in place. These measures provide assurance that security risks are identified and appropriately managed for all systems used by the CRA.

Data

The CRA recognizes that while data carries tremendous value, it also creates risks related to transparency, accuracy, security, and privacy. This will be a growing issue as the CRA increases data use. The CRA is committed to mitigating data risks and has established a Chief Data Officer function, tasked with ensuring the effective use and management of the CRA's data by establishing data quality measures, validating tax and benefit data for external release, and leading the data stewardship and Open Government initiatives.

The CRA provides data to external partners and stakeholders where required by legislation or where formal data sharing agreements exist. For such external data sharing, controls, checks, and balances are in place to ensure that privacy and security, data quality, and encryption standards are met.

Oversight

Maintaining a mature security posture requires continuous investment as well as ongoing monitoring and enhancement/adjustment of security controls. With the increase in frequency and sophistication of security threats, the CRA elevated the role of agency security officer (ASO) to report directly to the commissioner. The ASO is responsible for providing strategic leadership, coordination and oversight for all CRA security obligations. This improves management of the CRA's security program, enhances collaboration, and formalizes roles and responsibilities to fully integrate security considerations into decision-making across the Agency.

In addition, the CRA has a chief privacy officer (CPO) with a broad mandate of overseeing decisions related to privacy, including privacy assessments, at the CRA. To fulfill this mandate, the CPO champions personal privacy rights, including managing internal privacy breaches, and reports to the CRA's senior management on the state of privacy management within the CRA at least twice a year.

Next steps

The CRA is bolstering its privacy and security posture by leveraging emerging approaches and technologies and making further improvements in data security, risk mitigation, fraud detection, and more. Ongoing assessments of processes and systems, together with monitoring of systems and tools, will help the CRA identify and address emerging issues and trends as they arise. These activities will continue to protect personal information and sustain trust in the tax system.
