Security of Taxpayer Information

Safeguards to protect taxpayer information

The Canada Revenue Agency (CRA) takes the protection, privacy and security of Canadians’ information very seriously. The CRA has a number of internal processes in place to prevent unauthorized access to taxpayers’ personal information and to make sure that taxpayers’ rights are protected.

The CRA’s multi-layered approach to security protects against potential internal and external threats and privacy breaches.

Personnel screening

All prospective CRA employees must obtain the appropriate security status or clearance before employment. When granted a security status or clearance, the employee accepts the responsibility to protect CRA information, assets and facilities, and must maintain a valid security status or clearance throughout their employment.

Employee awareness of their responsibilities

CRA employees are regularly trained on their security obligations, and security awareness information is regularly shared with all employees. Employees are subject to strict standards of conduct, which are outlined in the CRA Code of Integrity and Professional Conduct.

Any employee found to have acted inappropriately is subject to disciplinary action, up to and including the termination of employment. Potential criminal acts are referred to the Royal Canadian Mounted Police (RCMP) for investigation.

Security markings on forms and documents

All CRA forms and documents containing taxpayer information are marked as Protected. These markings help CRA employees make sure sensitive information is handled securely.

Protection of taxpayer information

The CRA enables employees to keep taxpayer information secure by ensuring information is shared only with the taxpayer concerned or with an authorized third party, except where the disclosure is authorized by law. Employees are trained not to leave voice messages containing taxpayer information when contacting the taxpayer or their authorized representative. The CRA ensures emails containing taxpayer information are labelled appropriately and may only be transmitted internally with approved end-to-end encryption. To protect taxpayer information, the CRA does not permit employees to send Protected information to taxpayers via email.

In addition, the appropriate management and protection of Canadians’ information is governed through legislation and policies, such as the Privacy Act and associated Treasury Board of Canada Secretariat policies and directives, as well as corporate policies like the CRA Privacy Policy. The CRA collects, uses and discloses personal information according to these laws and regulations.

To demonstrate our commitment to protecting personal information, the CRA has developed the Privacy Management Framework, which explains how the CRA manages privacy and personal information.

Access to taxpayer information is on a need-to-know basis

CRA employees, such as taxpayer services personnel, auditors, investigators, and those handling income tax files, are responsible for safeguarding Protected information from unauthorized access. Unauthorized access to Protected information occurs when an employee accesses any information that is not part of their officially assigned workload.

The CRA has proactive detection tools in place to verify in real time that employees are accessing only the taxpayer information they need to carry out their assigned workload. Reviews are completed if a manager or a taxpayer has reason to believe that unauthorized access has occurred.

Risk assessments

The CRA performs regular risk assessments and internal audits to ensure its internal processes are secure.

Investigating suspected breaches of taxpayer information

The CRA has dedicated teams to address issues related to unauthorized access and breaches of taxpayer information. CRA officers thoroughly look into any security breach or allegation of unauthorized access or disclosure of taxpayer information. In the case of unauthorized access, impacted taxpayers may be notified of a privacy breach of their information.

If a taxpayer suspects that their personal information has been compromised and believes their tax information may be affected, they should contact the CRA.

Protecting taxpayers’ digital accounts

The CRA continues to invest in security and enhance its technologies, processes and controls. It has also been increasing the number of resources dedicated to combating fraud and the unauthorized use of taxpayer information. As scammers adapt their practices, so does the CRA.

The CRA regularly adjusts and improves its security measures in response to an ever-evolving digital threat environment and continuing intrusion attempts. In addition, the CRA proactively monitors user actions on CRA systems to better detect potentially fraudulent transactions and information misuse.

The CRA has also implemented mandatory multi-factor authentication for CRA sign-in services. This enhanced security measure helps to protect taxpayers’ personal information and to prevent unauthorized access to their accounts.

To help prevent incidents of unauthorized access and safeguard taxpayers’ information, the CRA conducts routine checks and analyses to identify CRA user IDs and passwords that may have been obtained by unauthorized parties that are external to the CRA. As a preventative measure, the CRA revokes the identified CRA user IDs and passwords, and provides affected individuals with the information they need to regain access to their account.

Legislative framework

The CRA’s legal obligation to safeguard the confidentiality and integrity of taxpayer information for which the CRA is responsible is stated in the following legislation:

Under the Income Tax Act, the Excise Tax Act, the Excise Act, 2001, and the Greenhouse Gas Pollution Pricing Act, an employee may disclose taxpayer or confidential information to the person to whom the information relates. However, no employee can give that information to a third party without the written consent of the taxpayer, except where authorized by law to do so. Similarly, both the Privacy Act and the Access to Information Act do not allow the disclosure of personal information, except under circumstances as stated in the legislation.
