Privacy Management Framework

Table of contents


Your privacy is our priority

The Canada Revenue Agency (CRA) is one of the largest holders of personal information in the Government of Canada. Making sure this personal information is properly managed and protected is one of our top priorities.

We are committed to upholding the trust that Canadians place in our organization. To meet their expectations, we take the necessary measures to protect personal information, enable the appropriate management of data and drive employee responsibility for privacy.Footnote 1 Privacy refers to the effective protection and management of personal information. We do this by identifying, assessing, monitoring, and mitigating privacy risks in programs and activities that involve collecting, retaining, using, disclosing, and disposing of personal information.

The CRA has the authority to obtain information from taxpayers to administer and enforce its program legislation, the Income Tax Act and Excise Tax Act. At the CRA, the appropriate management and protection of Canadians’ information is governed through legislation and policies, such as the Privacy Act and associated Treasury Board of Canada Secretariat policies and directives, as well as corporate policies like the CRA Privacy Policy. We collect, use and disclose personal information according to these laws and regulations.

Although the overall accountability for our privacy program rests with the CRA’s Chief Privacy Officer (CPO), several senior management officials are responsible for the various mechanisms that support privacy.Footnote 2 These mechanisms are listed in the “Our privacy commitment” section of this document.

This Privacy Management Framework articulates our vision, our objective and our commitment to privacy, including how we handle and protect personal information to make sure we respect our clients’ privacy. The Framework is meant to be a reference document for taxpayers and CRA employees.

We define these key terms as follows:

Privacy management

The combined activities of an organization to:

Personal information

Personal information is information about an identifiable individual that is recorded in any form.Footnote 3

Driving factors for our approach to privacy

The privacy landscape is rapidly evolving; the public increasingly expects their personal information to be properly managed and protected.Footnote 4

Although this expectation is driving forward stronger privacy legislation (for example, the European Union’s General Data Protection Regulation and the Department of Justice Canada’s review of the Privacy Act),Footnote 5  it is also highlighting the need for strong accountability for privacy and for the handling and protection of personal information. To maintain the trust of individuals, organizations must have sufficient and appropriate practices in place to handle personal information.

We have adopted an accountability framework consisting of various technical and organizational mechanisms to appropriately handle and safeguard personal information. These mechanisms include:

Privacy breaches are on the rise and are top of mind for all organizations.

We recognize that to prevent privacy breaches, privacy must be woven into all organizational activities. To make this possible, all branches and regions must be involved since they share the responsibility to appropriately handle the personal information they collect, retain, use, disclose, and dispose of.
Therefore, we embed Privacy by Design principles into the development and operation of IT systems, networked infrastructure, and business practices so we can mitigate risks, find solutions early on, and support operational excellence.

The CRA is also introducing new privacy professionals and experts to its workforce — who understand how to get value from an ever-increasing quantity of data while maintaining privacy.
Privacy is no longer viewed as a roadblock to innovation and service, but rather as a strategic enabler that drives service delivery by prioritizing the protection of personal information.

We have established a comprehensive and effective privacy governance structure to help foster privacy. This structure has measurable outcomes to show that respecting privacy is a top priority. Privacy permeates our business discussions and decisions because we view it as a proactive measure that creates value in our organization by driving innovation and creative solutions.

Our privacy program has evolved to become a strategic capability rather than solely operational because of the increased demand for privacy advisory support and expertise from the public and across the CRA. 

Privacy guiding principles

To foster client trust and confidence in the CRA, we believe in establishing a language about privacy that will make sure we are working toward the same goals.

The following are our privacy guiding principles:

  1. We value and respect the client data in our possession and help our clients clearly understand how and why we are using it.
  2. We support our employees in understanding their data handling responsibilities, and we respond to our clients’ requests promptly and helpfully to drive a seamless and efficient experience.
  3. We put our clients at the heart of all changes and improvements to our service delivery by adopting innovative practices and including Privacy by Design principles into all that we do.
  4. We collaborate with our employees and integrate effective and secure client data management across the CRA to foster a holistic approach to building and maintaining client trust.
  5. We decide how we handle client data in line with legislative obligations and leading privacy practices and based on ethical standards.

Our privacy commitment

Our privacy commitment to you is to appropriately manage and proactively protect your personal information by collaborating across the CRA and adopting the Privacy by Design principles.Footnote 6 We believe that privacy management is a responsibility that everyone at the CRA shares. This means our privacy commitment spans all agency branches and regions and is upheld by each of our 46,000+ employees.

To meet our commitment to privacy, we focus on the following measures. Together, these measures provide a set of mechanisms to protect your personal information. Various CRA leaders are responsible for these mechanisms, with the Chief Privacy Officer (CPO) having a line of sight into each capability to execute the CPO’s mandate and support the CRA in meeting its privacy commitment.Footnote 7

1. Program design and delivery

We embed our privacy guiding principles and the Privacy by Design principlesFootnote 8 into the development, operation, and management of all programs, processes, solutions, and technologies involving personal information. Taking into account the need for effective and timely service delivery and privacy considerations to enable the protection of our most sensitive assets.

Key related privacy capabilities include:

2. Information sharing

If the CRA may have to share information (for example, with taxpayers, employees, or other third parties), we include privacy protective measures into those relationships. This facilitates the appropriate handling and protection of personal information.

Key related privacy capabilities include:

3. Internal and external controls

The CRA takes the necessary precautions and steps to protect personal information from external and insider threats.

Key related privacy capabilities include:

4. Employee outreach

We support our employees in their understanding of privacy responsibilities and compliance obligations to enhance privacy at the CRA.

Key related privacy capabilities include:

5. Privacy risk management and compliance

We are committed to managing existing and emerging data risks and to monitoring and responding to privacy compliance issues.

Key related privacy capabilities include:

6. Management of privacy breaches

We assess privacy breaches in keeping with TBS policies and procedures to document and evaluate potential risks to the affected individual and mitigate risks.

Key related privacy capabilities include:


At the CRA, we believe that privacy cannot be viewed in isolation. Rather, privacy is a topic that intersects activities across all of our branches and within all regions. A strong privacy governance structure fosters cross-branch collaboration and employee awareness for their privacy obligations.

We developed a privacy governance structure that includes:

This structure lets us include privacy in all our initiatives and services. As well, it opens dialogue amongst all branches and regions, and strengthens oversight on the privacy of all our programs.

We enforce and measure this governance structure through forums, and metrics to report and govern cross-branch engagement, and accountability for privacy.


The CRA is committed to protecting the personal information entrusted to us by Canadians and employees. We do this using a thorough approach of privacy management that is based on collaboration and the principles of Privacy by Design.


CRA's Annual Reports to Parliament on the Administration of the Access to Information Act and the Privacy Act

Personal information banks

Privacy impact assessment summaries

Privacy notice for Government of Canada websites

Employee Code of Integrity and Professional Conduct

Request information from the Canada Revenue Agency

Contact the Access to Information and Privacy Directorate

Follow us:

Annex A: Privacy by Design principles

1.  Be proactive, not reactive

Anticipate, identify, and prevent invasive events before they happen. This means taking action before the fact, not after.

2.  Lead with privacy as the default setting

Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual.

3.  Embed privacy into design

Privacy measures should not be add-ons but fully integrated components of the system.

4.  Retain full functionality (positive-sum, not zero-sum)

Privacy by Design employs a “win-win” approach to all legitimate system design goals, which means that both privacy and security are important and no unnecessary trade-offs need to be made to achieve both.

5.  End-to-end security – full lifecycle protection

Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed.

6.  Maintain visibility and transparency – keep it open

Assure stakeholders that business practices and technologies are operating according to objectives and are independently verified.

7.  Respect user privacy – keep it user-centric

Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost. They can do this by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.

Annex B: Chief Privacy Officer's mandate

The Chief Privacy Officer (CPO) operates as the privacy champion at the CRA. The CPO is appointed by the Commissioner and is responsible for defining, executing on and maintaining the Privacy Commitment of the CRA. The role of the CPO is to ensure that the CRA’s respect for privacy is reinforced and strengthened.

The CPO has a broad mandate for privacy oversight at the CRA. The creation of this position reinforces the CRA’s commitment to integrity and excellence. 

The CPO is responsible for:

The CPO oversees the privacy program within the Public Affairs Branch, which serves as the strategic advisor to enable the branches and regions to meet their objectives while maintaining privacy and drives forward the privacy mandate.

The privacy program is responsible for:

Annex C: Agency Chiefs' and Senior Management's privacy-related accountabilities

Chief Information Officer

The Chief Information Officer (CIO) oversees IT infrastructure, networks and applications for the CRA’s tax systems. In relation to privacy, the CIO ensures personal information is protected by securing the CRA’s systems and through sound threat management.

Chief Data Officer

The Chief Data Officer (CDO) maximizes the CRA’s ability to use data for the benefit of Canadians as well as the CRA. This includes ensuring personal information is appropriately managed in all datasets. The CDO ensures the sound handling of data that could identify an individual, and ensures the Agency Data Strategy lines up with our agency’s privacy principles and policies.

Chief Service Officer

The Chief Service Officer (CSO) enables service excellence at the CRA. The CSO embeds privacy into the design of all the CRA’s services to ensure the client is at the heart of the solution. This includes the appropriate protection of client personal information.

Agency Security Officer

The Agency Security Officer (ASO) provides department-wide strategic leadership, coordination, and oversight for all security management activities and security controls, including those related to the protection of information. As part of these responsibilities, the ASO oversees establishing department-wide policies, processes, and practices to ensure an integrated approach to security management in collaboration with partners and other stakeholders.

Chief Financial Officer

The Chief Financial Officer oversees the financial management and financial administration for the CRA, including funds to support the privacy function.

Information Management Senior Officer

The Information Management Senior Officer coordinates and implements information management policy, sound record management and external information-sharing arrangements involving personal information.

Legal counsel

Legal counsel offers legal advice on interpreting and applying legislation and supporting requirements the Agency must follow. They also give advice on developing privacy policy and appropriately interpreting privacy legislative requirements. 

Chief Human Resources Officer

The Chief Human Resources Officer oversees all of the CRA’s human resources needs. This includes ensuring the proper controls for protecting employee personal information are in place as well as maintaining records of employee privacy training.

Chief Audit Executive

The Chief Audit Executive performs audits to assess the effectiveness and efficiency of policies, practices and controls, in order to advise the branches, Commissioner and Chief Executive Officer and Board. This includes the auditing of privacy related activities to strengthen controls and the protection of personal information.

Assistant Commissioner of the Public Affairs Branch

The Assistant Commissioner of the Public Affairs Branch develops, maintains and publishes privacy communications and awareness materials for the CRA and the Public, in order to ensure we clearly communicate our privacy practices and to increase transparency in how we handle personal information.

Assistant Commissioner of the Assessment, Benefit, and Service Branch

The Assistant Commissioner of the Assessment, Benefit and Service Branch administers key services for the CRA to ensure interfaces and applications allow clients to access their data.

All program areas and regional assistant commissioners

Assistant commissioners from all program areas and regions are accountable for managing personal information within their branch and region and for ensuring they apply appropriate privacy safeguards. This includes the secure and appropriate sharing of personal information internally throughout the CRA and externally with authorized third parties.

Annex D: CRA employees' privacy-related accountabilities

All employees within the branches and regions

Employees from all branches and regions play a vital role in helping the CRA meet its commitment to safeguarding our clients’ personal information. Employees must understand their obligations to properly handle and safeguard personal information. Employees are responsible for ensuring they handle, manage, and protect the personal information they collect, use, or disclose while doing their duties in accordance with the CRA's privacy policies, procedures, processes, and protocols.

Page details

Date modified: