How is the Canada Revenue Agency accountable for your privacy?
As a Canadian taxpayer, you entrust the Canada Revenue Agency (“CRA”) with your personal information and you rely on us to keep it secure. As stated in the Taxpayer Bill of Rights, you have the right to privacy and confidentiality. We protect your information under the Privacy Act and other acts that have confidentiality provisions, such as the Income Tax Act and the Excise Tax Act. We are committed to protecting your privacy by making sure that the personal information we have is appropriately managed and protected, and that your right to access your information is respected.
We are guided by the following principles:
- We value and respect the personal information that we have, and we enable you to clearly understand how it is being used and for what purpose
- We make sure that all CRA employees understand their responsibilities in handling personal information, as well as in responding to requests in a timely and helpful manner
- We put you at the heart of all changes and improvements to service delivery, by embedding Privacy by Design into all that we do
- We join together effective and secure information management principles across the CRA
- We make decisions about how your personal information is handled based on ethical standards, and in alignment with legislative and policy obligations and leading privacy practices
For more information on our commitment to privacy, please read our Privacy Management Framework.
What is the role of our Chief Privacy Officer?
Our Chief Privacy Officer (CPO) has a broad mandate for privacy oversight at the CRA and is responsible for:
- overseeing decisions related to privacy, including assessing the privacy impacts of our programs
- championing personal privacy rights according to legislation and policy, including managing privacy breaches
- reporting to our senior management on the state of privacy management at the CRA, at least twice a year
The CPO oversees the access to information and privacy functions within the CRA. We created this position to reinforce our commitment to excellence in privacy. The fulfillment of the CPO mandate highlights our dedication to maintaining privacy and the trust that Canadians place in us.
The CPO’s role is to strengthen our management of the personal information we have. This involves:
- aligning our privacy program with leading privacy practices
- collecting your personal information only when lawful to do so
- using your personal information only as allowed or required by law
- establishing clear roles and responsibilities, which cover all aspects of our privacy mandate to provide effective oversight, reporting, and decision making
- making sure you receive a privacy notice when we collect your personal information from you
- cultivating a culture of privacy, through regular training of all CRA employees
- identifying and mitigating new or changed risks to personal information and monitoring the effectiveness of our privacy controls
Our responsibility for sound privacy management goes beyond appointing a CPO and is a responsibility that all CRA employees share.
What is personal information?
As defined under the Privacy Act, personal information is information about an identifiable individual that is recorded in any form.
Under this definition, personal information can include, but is not limited to:
- information about the race, national or ethnic origin, colour, religion, age, or marital status of the individual
- information about the education or the medical, criminal, or employment history of the individual or information about financial transactions in which the individual was involved
- any identifying number, symbol, or other particular assigned to the individual
- the address, fingerprints, and blood type of the individual
- the personal opinions or views of the individual, except in cases where they are about another individual or about a proposal for a grant, award, or prize to be made to another individual by a government institution or a part of a government institution
- correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence
- the views or opinions of another individual about the individual
- the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution, but not including the name of that other individual where it appears with the views or opinions of that individual
- the name of the individual where it appears with other personal information relating to the individual or where the name reveals information about the individual
What kind of personal information do we collect?
We have the authority to collect personal information related to our mandate and the legal authority given to us by our enabling legislation, such as the Income Tax Act, the Excise Tax Act, and the Canada Revenue Agency Act. We also administer a number of social benefit and tax credit programs for the federal government, as well as provincial, territorial, and First Nations governments. We collect personal information such as financial information, social insurance number, and contact information, as well as human resource information about CRA employees. For a full description of the types of personal information we collect, please see our personal information banks.
Why do we collect your personal information, and how do we use it?
We collect personal information where it is lawful and directly related to fulfilling our mandate: to administer tax, benefits, and related programs; and to ensure compliance for governments across Canada. Our work helps protect Canada's tax base and supports the delivery of a number of important government programs that are essential to the economic and social well-being of Canadians. For a full description of our function, programs, and activities, see Info Source.
How do we collect your personal information?
We collect your personal information directly from you or indirectly through other means as permitted by law, such as from:
- other governments in information-sharing agreements
- your authorized representative
- your employer
- a financial institution
- open sources
When we collect your personal information from you, we inform you at the point of collection as to why we are collecting it, our legal authority to do so, and how your information will be used. We will ask for your consent when required, including for additional uses or disclosures of your information. Note that, contrary to the private sector, consent is (more often than not) in fact not required for the bulk of the personal information collected at the CRA.
How do we manage and protect your personal information?
We manage and protect your personal information by having all parts of the CRA work together and by adopting the Privacy by Design principles, as outlined in our Privacy Management Framework. We focus on measures that provide a set of mechanisms to protect your personal information.
We take the security of all taxpayer information very seriously. We keep a close watch to prevent unlawful attempts to get your tax information and to make sure that your privacy rights are protected. Personal information is kept physically and digitally secure, and all of our forms and documents containing taxpayer information are marked “Protected.” This helps us to make sure that sensitive information is handled securely. More information on protection of personal information is at Integrity and security at the CRA: Keeping taxpayer information safe and in our Privacy Commitment, which is part of our Privacy Management Framework.
We keep your personal information for as long as necessary to fulfill the purposes for which we collected it. When we no longer need your information, we dispose of it according to Library and Archives Canada disposition authorities. Information is securely deleted or shredded or, if deemed of archival value, sent to Library and Archives Canada. For more details on program-specific retention and disposal standards, please see our related personal information banks.
To reduce risks to privacy, we do privacy impact assessments to determine how our programs and services using personal information could affect the privacy of an individual and propose measures to reduce these risks.
Do we share your personal information?
We share your personal information with you; with your authorized representative; as necessary, within our program areas if they have a need to know; and with other parties as legally necessary and duly documented. We may also disclose your personal information if it is authorized by law, for example, with other governments (federal, provincial, territorial), authorized third-party service providers, and / or law enforcement agencies.
When we share information, we abide by robust privacy protective measures and safeguards, such as:
- stringent privacy and security clauses in our contracts with third-parties and with partners in information-sharing agreements (that is, with domestic or foreign governments)
- where applicable, removing identification details in personal information before sharing it for instance, in aggregate statistical information, and employing stringent controls to prevent re-identification
- ongoing monitoring of our information-sharing agreements and contracts
All authorized sharing is outlined in the “Consistent Uses” section of our personal information banks.
We share personal information with other parties, if that disclosure is authorized by law. For example, we share with:
- federal, provincial, territorial, and Indigenous government institutions
- international jurisdictions: we may be required to share personal information with international jurisdictions with whom we have intergovernmental agreements for situations involving international tax laws and tax avoidance
- authorized third-party service providers and partners: to fulfill our tax mandate, we may share information with our authorized third-party service providers and partners
- law enforcement agencies: as required by law, and to aid in ongoing investigations and public safety, we may share personal information with these agencies
What happens if there is a privacy breach?
Our employees have to report any detected or suspected unauthorized access or disclosure of information, misconduct, or fraud, and any processes that appear to be vulnerable to fraud. We take seriously, and thoroughly investigate all allegations or suspicions of:
- improper or unauthorized handling and/or exposure of personal information under our control: by any of our employees, or by a third-party including external threat actors
- external incidents that indirectly affect taxpayer personal information or taxpayer interactions with us
If we confirm a privacy breach, we act quickly to deal with the incident. If a breach is deemed “material” we inform any affected individuals and the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat. We are committed to reducing all risks in order to prevent breaches from occurring. If criminal activity is suspected, we co-operate fully with law enforcement authorities.
To report a suspected privacy breach, please contact us immediately at 1-800-959-8281.
A breach of personal information could include incidents such as theft, or loss of data storage equipment, as well as improper or unauthorized collection, use, disclosure, access, retention, or disposal of information. A breach could be the result of error or malicious action by one of our employees, a third party, a partner in an information-sharing agreement, or an intruder.
We have developed privacy breach procedures that outline the steps our employees must take if there is a suspected or confirmed privacy breach. Our procedures follow the Treasury Board of Canada Secretariat’s Directive on Privacy Practices and Guidelines for Privacy Breaches.
What are your rights under the Access to Information Act, the Privacy Act and the Taxpayer Bill of Rights?
You have the right to ask for a copy of the personal information we have about you. For information on sending a request, please visit Access to information and privacy at the Canada Revenue Agency.
The Privacy Act came into force on July 1, 1983. The act protects the privacy of individuals by stating the requirements for collecting, keeping, using, disclosing, and disposing of personal information held by government institutions. The act also gives individuals (and their authorized representatives) the right of access to their personal information, with limited and specific exceptions, and with certain rights to correct or annotate it.
Requests under the Privacy Act are made by individuals who are looking for their personal information. However, there are limited and specific exceptions when others can request your personal information, such as:
- when the individual making the request has the written consent of the individual that the information is about
- when the requester is a legal representative for an estate
- when the request involves a compelling public interest
The Access to Information Act came into force on July 1, 1983. It gives Canadian citizens, along with persons and corporations in Canada, the right to ask for access to federal government records. The act is based on three main principles:
- government information should be available to the public
- exceptions to the right of access should be limited and specific
- decisions about disclosures should be reviewable independently of government
The Taxpayer Bill of Rights states that you have the right to complete, accurate, clear, and timely information.
What happens when you interact with us online?
When you visit the web pages of any Government of Canada organization, most web servers automatically collect information about that visit. We safeguard the privacy of users of our web pages, in accordance with the Standard on Privacy and Web Analytics.
Web servers may automatically collect information about a visit to a website, including the visitor's Internet Protocol (IP) address. The IP address is collected to identify unauthorized attempts to upload information, change information, or otherwise cause damage.
Digital markers (including cookies)
We may use sessional and persistent digital markers on some web pages to better understand your preferences and provide you with the best possible web experience. A digital marker is a resource created by your browser to reference certain pieces of information during the same or a later visit to a web page. During your online session with the CRA, your browser exchanges data with our web server.
You can adjust your browser settings to reject digital markers, including cookies. However, doing so may affect your ability to interact with our web pages. For example, if you are accessing any secure services that require a username and password and if you disable any cookies, you may need to re-insert your username and password at every visit to a website.
Examples of digital markers are cookies and HTML5 web storage. Among other functions, digital markers:
- let a website recognize a previous visit each time a visitor accesses a site.
- track the information viewed on a site, to help website administrators make sure visitors find what they are looking for. For example, the number of mouse clicks made by an individual can indicate whether or not content was easy to find.
Web analytics is the collection, analysis, measurement, and reporting of data about web visits to understand web usage and to maintain and improve web service. When your computer asks for a CRA web page, we collect information under the authority of section 5 of the Canada Revenue Agency Act, for analytics purposes, which may be used for IT related audits, evaluations, research, planning, and reporting, as well as communications and information technology statistics. The following types of information will be collected during a visit to our web pages:
- part of the originating IP address
- the date and time of a request
- the type of browser used
- the page(s) visited
We do web analysis with services from third-party service providers.
Information used for the purpose of web analytics is collected following the Treasury Board of Canada Secretariat’s Standard on Privacy and Web Analytics.
Our use of social media is an extension of our presence on the web. Our social media account is not hosted on Government of Canada servers. If you choose to interact with us through social media, you should consult the terms of service and privacy policies of the third-party service provider and those of any applications you use, so that you understand how personal information is used. We use the social media platforms Twitter, YouTube, LinkedIn, and Facebook.
An Internet Protocol (IP) address is a unique number assigned by an Internet service provider to any device used to access the Internet. A web server automatically logs the IP address of a visitor to its site. An IP address, on its own, does not identify an individual. However, in certain circumstances, such as with the co-operation of an Internet service provider, an IP address could be used to identify an individual using a site. For this reason, the Government of Canada considers an IP address to be personal information.
As part of web analytics, information in digital markers may be used to remember your online interactions with our web pages. We use Webtrends, and we keep information for web analytics for a maximum period of 18 months. After that period, the information is disposed of according to the Treasury Board of Canada Secretariat’s Standard on Privacy and Web Analytics and the provisions of the Library and Archives of Canada Act.
We use Adobe Analytics (Adobe Systems Inc.), which is based in the United States of America. This means that the information collected (that is, truncated IP addresses, date and time of a request, type of browser used, and pages visited) is sent outside of Canada and may be subject to American law, including the Patriot Act. To strengthen privacy, the truncated IP addresses are converted into non-recognizable strings at the Canada.ca server-level prior to being submitted to Adobe Analytics.
Adobe Systems Inc. operates servers in other countries, which may be used to process web analytics data. So that data may be subject to the governing legislation of the country where it is processed. The Government of Canada has advised Adobe Analytics that it may store personal information only on servers located in Canada, the United States of America, the European Union, Australia, Israel, New Zealand, Norway, and Switzerland.
Personal information that you provide to us through a social media account is collected under the authority of section 5 of the Canada Revenue Agency Act. This information is collected to capture conversations (for example, questions and answers, comments, likes/favourites, retweets/shares) between you and us, in order to respond to enquiries, or for statistical, evaluation, and reporting purposes. Comments posted that violate Canadian law will be moderated or hidden and disclosed to law enforcement authorities. Comments that violate our rules of engagement will also be moderated or hidden. The use of personal information in the context of social media is described in Personal Information Bank, CRA PSU 938, Outreach Activities.
For more details on our social media presence, please visit: Interacting with us on social media.
Protecting the security of our web pages
We use software programs to monitor network traffic in order to identify cyber threats, unauthorized attempts to upload information, change information, or otherwise cause damage. This software receives and records the IP address of the computer that has contacted our web pages, the date and time of the visit and the pages visited. We make no attempt to link these addresses with the identity of individuals visiting our pages, unless an attempt to undertake inappropriate activity as described above has been detected.
We collect the network traffic information under section 161 of the Financial Administration Act. The information may be shared with appropriate law enforcement authorities if suspected criminal activities are detected. Such information may be used for network security statistics, as well as for IT related audits, evaluations, research, planning, and reporting. Our network traffic information is in Standard Personal Information Bank CRA PSU 939, Security Incidents and Privacy Breaches.
Communicating with us
If you send us an email or complete a feedback form online, we use your personal information to respond to your enquiry. We collect personal information from email and feedback forms under section 5 of the Canada Revenue Agency Act. That information may be used for statistics, evaluations, and reporting. For the information we have of this type, see Standard Personal Information Bank CRA PSU 914, Public Communications.
For questions, comments, concerns or complaints about our privacy practices, please contact us:
Access to Information and Privacy Directorate
Canada Revenue Agency
5th floor, 555 Mackenzie Avenue
Ottawa ON K1A 0L5
Phone: 613-960-5393 (Ottawa area) or 1-866-333-5402 (toll-free)
If you are not satisfied with our response to your privacy concern, you may contact the Office of the Privacy Commissioner.
- Date modified: