Anonymous internal fraud and misuse reporting line v 2.0 - Privacy impact assessment summary

Security and Internal Affairs Directorate, Finance and Administration Branch

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Kami Ramcharan
Chief Financial Officer and Assistant Commissioner
Finance and Administration Branch 

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Travel and Other Administrative Services

Description of the class of record and personal information bank

Standard or institution specific class of record:
Security
PRN 931 

Standard or institution specific personal information bank:
Security Incidents and Privacy Breaches
PSU 939

Legal authority for program or activity

Paragraph 30 (1)(a) of the Canada Revenue Agency Act

Paragraph 30 (1)(d) of the Canada Revenue Agency Act

Section 51 of the Canada Revenue Agency Act

Section 241 of the Income Tax Act

Section 295 of the Excise Tax Act

Subsection 38 (2), section 78, paragraphs 80 (1) (b), (c), (d) and (e), subsection 80 (2) and section 81 of the Financial Administration Act

Paragraph 16.4 (1) (b) of the Federal Accountability Act

Section 122 of the Criminal Code

Summary of the project / initiative / change

Overview of the program or activity

The Anonymous Internal Fraud and Misuse Reporting line is intended to provide individuals with an anonymous, confidential, and secure means to report suspicions of fraudulent activity engaged in by employees and/or management. This communication channel is administered by an independent third party contractor.

By making the reporting line available to individuals, the CRA is ensuring that individuals are able to speak up with confidence. The external service provider is completely independent from the CRA, and the reporting line system, ClearView Connects™, resides on their own secure servers.

An individual may use either the web-based system or the telephone line system to report allegations of internal fraud and misuse. Individuals will be able to write text in freestyle form in the web application and choose the category the allegation relates to. Individuals that are reporting will be reminded not to provide any of their own personal information or any information that would identify them. The reporting line system assigns them a secure login ID and password for the report that they submitted. They can log into the system or call the line and use their login ID and password to check the status of their report. Since the login ID and password are system-generated, their anonymity is maintained.

This method of reporting internal fraud or misuse is completely anonymous: the information individuals report will not be audio recorded or traced. If individuals are using the online system, the session is encrypted and the IP address is not identified with the report. If individuals are calling the telephone line and speaking to a live operator, the call is not recorded, nor is caller ID used. The report is transcribed by a trained operator into the reporting line system verbatim (in the exact words, word for word).

The external service provider system collects the information and submits it to designated employees of the Internal Affairs and Fraud Control Division (IAFCD), which are automatically notified (via email) by the system when a report has been submitted. They can log in to view the report and may ask follow-up questions and inform the reporter about how the report is being addressed. The external service provider does not review reports submitted into the system - this is the responsibility of authorized individuals in the IAFCD, Security and Internal Affairs Directorate (SIAD), who ensure that reports are reviewed and investigated as appropriate, in a fair and timely manner - as they would do for any reports received through other channels.

The IAFCD reviews all allegations received through the anonymous reporting line to determine if it is about a current CRA employee, and if it relates to internal fraud or misuse. If so, the matter will be investigated. If not, the matter will be closed. While individuals will be encouraged to only use the reporting line for what it is meant, a “no wrong door” approach will be applied. If individuals report something that is not considered internal fraud or misuse, the situation will be handed to the proper avenue, and is out of scope for this PIA. In addition, the interactive feature of the tool will be used to inform employees of the appropriate channel for the matter individuals reported.

All personal information collected and held by the external service provider will be the property of the CRA. As such it will be subject to the Access to Information Act and the Privacy Act in the same manner as any information held by the IAFCD. They will deliver to the CRA all personal information in whatever form and documentation which have been made or obtained in relation to the contract, upon the completion or termination of the contract, or at such earlier time as CRA may request. Upon delivery of the personal information to the CRA, they will have no right to retain that information in any form and must ensure that no record of the personal information remains in their possession.

What’s new

The CRA has extended its contract with ClearView Strategic Partners Inc. until March 31, 2019.

A Statement of Sensitivity and Threat and Risk Assessment were completed for the ClearView Connects™ system in August of 2016.

All CRA Records Disposition Authorities (RDA) were replaced with the new RDA 2017/012. However, the retention schedule for all Anonymous Internal Fraud and Misuse Reporting line records remains the same. If there are any changes following migration of all retention rules to the new RDA, this PIA and PIB will be updated accordingly. 

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Anonymous Internal Fraud and Misuse Reporting line activities. Reports which have been transferred to other areas because they are not deemed to be internal fraud or misuse, are out of scope of this PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: The reporting line is available to individuals to report allegations of internal fraud and misuse of employees of the Agency. If it is determined that the allegation is about a current CRA employee, and if it relates to internal fraud or misuse the matter will be investigated.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details: The information expected to be received through the reporting line includes allegations or suspicions of employee misconduct related to internal fraud or misuse and is not different than the information already received through other channels and reported to the Internal Investigations Section. The information may include personal information of employees and occasionally it might include taxpayer information such as name, contact information, financial information, marital status, etc. Individuals that are reporting will be able to write text in freestyle form in the web application and choose the category the allegation relates to (for example; financial management and fraud; abuse of authority; breach of trust). Individuals that are reporting will be reminded not to provide any of their own personal information or any information that would identify them. 

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details: The information or allegation received through the reporting line may be shared within the CRA. The reporting line is being hosted by a privately owned Canadian corporation through an online (web) system and telephone line system; however, no information pertaining to the allegations received (for example the total number of cases investigated or investigation results) will be shared with the third party.

D) Duration of the program or activity: Long-term program

Short term program

Level of risk to privacy: 2

Details: The reporting line is currently a short term initiative. A two-year contract was initially awarded (with an additional optional three-year contract) for the reporting line, and an extension was awarded until March 2019. 

E) Program population

The program affects certain individuals for internal administrative purposes. 

Level of risk to privacy: 1

Details: The initiative will only impact certain CRA employees based on allegations of misconduct received through the CRA anonymous internal fraud and misuse reporting line. 

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services? 

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies: 

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

Details: N/A

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: When a report is received by the external service provider system, automatic notifications are sent through email immediately to the CRA’s authorized reviewers in the Internal Affairs and Fraud Control Division (IAFCD). Authorized reviewers are also automatically notified whenever an individual provides additional information, either through a comment, or by uploading documentation or further information. The CRA authorized reviewers, will access the allegation through ClearView Connects provided by the external service provider.

The reporters will receive a login ID and password when submitting a report so that they can login again at a later date to check the status of their report.

All allegations received through the reporting line will be copied and pasted in the IAFCD case management system and a tracking sheet used for statistical purposes that contains the IAFCD internally assigned case number, the Branch or Region, the category of allegation, where it was referred if it did not meet the IAFCD mandate and the result of the preliminary analysis. The information is stored on a server and in a shared network drive only accessible by authorized employees of the IAFCD, for internal use (referral to other areas, closed cases or cases requiring investigation services). There is no direct link/connection with the external service provider system and CRA systems. 

H) Risk impact to the individual or employee

Details: There is a risk that the individual may suffer embarrassment that could have a negative effect on an individual’s career and/or reputation if the report is disclosed without his/her knowledge or consent. There is also a risk that such a privacy breach could influence his or her career in terms of how his or her performance is assessed.

Page details

Date modified: