Anonymous Internal Fraud and Misuse Reporting Line

Security and Internal Affairs Directorate
Finance and Administration Branch

Overview & Privacy Impact Assessment Initiation (PIA)

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Amanda Nemer
Director General
Finance and Administration Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Travel and Other Administrative Services

Standard or institution specific class of record:

Security
Class of Record Number: PRN 931

Standard or institution specific personal information bank:

Security Incidents and Privacy Breaches
Bank Number: PSU 939

Legal authority for program or activity

Paragraph 30 (1)(a) of the Canada Revenue Agency Act

Paragraph 30 (1)(d) of the Canada Revenue Agency Act

Section 51 of the Canada Revenue Agency Act

Section 241 of the Income Tax Act

Section 295 of the Excise Tax Act

Subsection 38 (2), section 78, paragraphs 80 (1) (b), (c), (d) and (e), subsection 80 (2) and section 81 of the Financial Administration Act

Paragraph 16.4 (1) (b) of the Federal Accountability Act

Section 122 of the Criminal Code

Summary of the project / initiative / change

Overview of the Program or Activity

The Agency relies on an effective and integrated security framework, which assists in preventing, detecting, recovering and responding to events that could compromise the security and safety of the information, employees, and/or assets it holds.

The Internal Investigations Program is responsible for developing corporate policy instruments, initiatives, strategies, and implementation plans for the effective delivery of the Agency's investigations program, and for conducting independent administrative investigations into allegations of employee misconduct, including fraud, misappropriations and violations of the Financial Administration Act, the Income Tax Act, the Excise Tax Act, the Excise Act, the Privacy Act, the Code of integrity and professional conduct, and various Agency policies, guidelines and regulations.

The Internal Fraud Control Program leads the management of the risk of internal fraud in the CRA through prevention, detection and deterrence activities. The program develops effective detection methods and enhances prevention efforts, while fostering a heightened level of awareness of the possibility of internal fraud and the serious consequences of committing internal fraud.

The CRA Anonymous Internal Fraud and Misuse Reporting Line helps support the above Programs. It is intended to provide employees with an anonymous, confidential, and secure means to report suspicions of fraudulent activity engaged in by employees and/or management. This communication channel is administered by an independent third party contractor.

By making the reporting line available to individuals, the CRA is ensuring that they are able to speak up with confidence. The external service provider is completely independent from the CRA, and the reporting line system, ClearView Connects™, resides on their own secure servers.

An individual may use either the web-based system or the telephone line system to report allegations of internal fraud and misuse. Individuals will be able to write text in freestyle form in the web application and choose the category the allegation relates to. Individuals that are reporting will be reminded not to provide any of their own personal information or any information that would identify them. The reporting line system assigns them a secure login ID and password for the report that they submitted. They can log into the system or call the line and use their login ID and password to check the status of their report. Since the login ID and password are system-generated, their anonymity is maintained.

This method of reporting internal fraud or misuse is completely anonymous: the information individuals report will not be audio recorded or traced. If individuals are using the online system, the session is encrypted and the IP address is not identified with the report. If individuals are calling the telephone line and speaking to a live operator, the call is not recorded, nor is caller ID used. The report is transcribed by a trained operator into the reporting line system verbatim (in the exact words, word for word).

The external service provider system collects the information and submits it to designated employees of the Internal Affairs and Fraud Control Division (IAFCD), who are automatically notified (via email) by the system when a report has been submitted. They can log in to view the report and may ask follow-up questions and inform the reporter about how the report is being addressed. The external service provider does not review reports submitted into the system - this is the responsibility of authorized individuals in the IAFCD, Security and Internal Affairs Directorate, who ensure that reports are reviewed and investigated as appropriate, in a fair and timely manner - as they would do for any reports received through other channels.

The IAFCD reviews all allegations received through the anonymous reporting line to determine if it is about a current CRA employee, and if it relates to internal fraud or misuse. If so, the matter will be investigated. If not, the matter will be closed. While individuals will be encouraged to only use the reporting line for what it is meant, a “no wrong door” approach will be applied. If individuals report something that is not considered internal fraud or misuse, the situation will be handed to the proper avenue, and is out of scope for this PIA. In addition, the interactive feature of the tool will be used to inform employees of the appropriate channel for the matter individuals reported.

All personal information collected and held by the external service provider will be the property of the CRA. As such, it will be subject to the Access to Information Act and the Privacy Act in the same manner as any information held by the IAFCD. The external service provider will deliver to the CRA all personal information, in whatever form, and documentation that has been made or obtained in relation to the contract, upon the completion or termination of the contract, or at such earlier time as the CRA may request. Upon delivery of the personal information to the CRA, the external service provider will have no right to retain that information in any form and must ensure that no record of the personal information remains in its possession.

What’s New

The CRA has awarded a new contract to ClearView Strategic Partners Inc. effective April 1, 2020 until March 31, 2022, with the irrevocable option to extend the term of the contract by up to three additional one-year periods under the same conditions, up to March 2025.

Scope of the Privacy Impact Assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Anonymous Internal Fraud and Misuse Reporting line activities. The investigation activities stemming from allegations obtained through the reporting line, and reports which have been transferred to other areas because they are not deemed to be internal fraud or misuse, are out of scope of this PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement  

Level of risk to privacy: 3

Details:

The reporting line is available to individuals to report allegations of internal fraud and misuse of employees of the Agency. If it is determined that the allegation is about a current CRA employee, and if it relates to internal fraud or misuse, the matter will be investigated.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details:

The information expected to be received through the reporting line includes allegations or suspicions of employee misconduct related to internal fraud or misuse and is no different from the information already received through other channels and reported to the Internal Investigations Section. The information may include personal information of employees and occasionally it might include taxpayer information such as name, contact information, financial information, marital status, etc. Individuals that are reporting will be able to write text in freestyle form in the web application and choose the category the allegation relates to (for example: financial management and fraud; abuse of authority; breach of trust). Individuals that are reporting will be reminded not to provide any of their own personal information or any information that would identify them.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

The information or allegation received through the reporting line may be shared within the CRA.

The reporting line is being hosted by a privately owned Canadian corporation through an online (web) system and telephone line system; however, no information pertaining to the allegations received (for example the total number of cases investigated or investigation results) will be shared with the third party.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

The reporting line is an ongoing Agency activity with no expected sunset date.

E) Program population

The program affects certain employees for internal administrative purposes.

Level of risk to privacy: 1

Details:

The initiative will only impact certain CRA employees based on allegations of misconduct received through the CRA anonymous internal fraud and misuse reporting line.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

    Risk to privacy: No

  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

    Risk to privacy: No

  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

G) Personal information transmission

The personal information is transferred to a portable device or is printed.  

Level of risk to privacy: 3

Details:

When a report is received by the external service provider system, automatic notifications are sent through email immediately to the CRA’s authorized reviewers in the IAFCD. Authorized reviewers are also automatically notified whenever an individual provides additional information, either through a comment, or by uploading documentation or further information. The CRA authorized reviewers will access the allegation through ClearView Connects provided by the external service provider.

The reporters will receive a login ID and password when submitting a report so that they can log in again at a later date to check the status of their report.

They can also provide an email address (which will remain anonymous) in order to receive email notifications whenever their report has been updated by a CRA reviewer. Reporters’ email addresses, provided to the contractor using the Reporter Notification feature, will not be accessible by CRA’s authorized reviewers. In order to maintain anonymity, ClearView provides a unique identifier for each allegation. In addition, ClearView will:

The reporter can turn off the email notifications at any time by logging into clearviewconnects.com and changing the email notification settings. The reporter will be notified when ClearView deletes their email address. Email notifications will only remind the reporter to log into clearviewconnects.com and will not contain any report information.

All allegations received through the reporting line will be copied and pasted in the IAFCD case management system. The system tracks the Branch or Region, the category of allegation, where it was referred (if it did not meet the IAFCD mandate) and the result of the preliminary analysis. The information is stored on a server and in a shared network drive only accessible by authorized employees of the IAFCD, for internal use (referral to other areas, closed cases or cases requiring investigation services). There is no direct link/connection between the external service provider system and CRA systems.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

There is a risk that the individual may suffer embarrassment that could have a negative effect on an individual’s career and/or reputation if the report is disclosed without his/her knowledge or consent. There is also a risk that such a privacy breach could influence his or her career in terms of how his or her performance is assessed.
