Authentication and Credential Management Services V2

Privacy Impact Assessment (PIA) summary - Digital Services Directorate, Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten,
Assistant Commissioner, Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Information Technology

Information Technology Services involve activities undertaken to achieve efficient and effective use of information technology to support government priorities and program delivery, to increase productivity, and to enhance services to the public.

Description of the class of record and personal information bank

Standard or institution specific class of record:
Information Technology (PRN 932)

Standard or institution specific personal information bank:
Authentication and Credential Management Service (CRA PPU 607)

Legal authority for program or activity

The Canada Revenue Agency (CRA) is designated as a separate Agency under Schedule II of the Financial Administration Act and as such has overall responsibility over its administration, contracts and human resources management.

Personal information is collected pursuant to paragraph 31(1)(a) of the Canada Revenue Agency Act which grants the CRA responsibility for general administrative policy in the Agency. Personal information is also collected as required under the Policy on Government Security as per agreement with the President of the Treasury Board.

The legal authority for the Portageur and the Linked eAccounts services is under paragraph 5(1)(c) of the Canada Revenue Agency Act, which states that the CRA is responsible for implementing agreements or arrangements between the CRA and departments or agencies of the Government of Canada to administer a program or carry out an activity.

Subsection 241(5) of the Income Tax Act, section 295 of the Excise Tax Act, section 211 of the Excise Act, 2001, and section 8 of the Privacy Act, authorize the CRA to provide taxpayer information relating to a taxpayer with the consent of the taxpayer, to any other person.

For the Non-Resident Representative Number (NRRN), personal information is collected under the authority of subsection 220(1) of the Income Tax Act. It will be used by the CRA to process applications for a non-resident representative applying for a non-resident representative number.

Summary of the project / initiative / change

The Canada Revenue Agency (CRA) has been a major stakeholder in the Government of Canada (GC) Cyber-Authentication Renewal Initiative. The CRA has played an active role and supports arrangements for federated identity. As part of the Cyber-Authentication Renewal Initiative, the CRA also provides its own authentication and credential management service for individuals, business owners and representatives to use when accessing its online services.

CRA’s Authentication and Credential Management Service relies on the Authentication Management System (AMS) and Credential Management System (CMS) to provide identity proofing, identity validation, access control or credential management services to the CRA online services.

AMS and CMS provide two separate but interrelated functions. The AMS application is responsible for ensuring that individuals are authenticated prior to associating that individual’s account with an anonymous credential provided by CMS, as well as ensuring that the current status of the individual’s account does not contain any restrictions to access that account. The CMS application is responsible for provisioning and maintaining an anonymous credential that will be associated with an individual’s CRA account.

The following is a list of the CRA online services that use AMS and/or CMS:

It should be noted that the Quick Access service was decommissioned in February 2015 and is no longer available.

The CRA’s Authentication and Credential Management Service also includes the Portageur service, which leverages the CRA’s authentication and credential systems. Individuals consent to the electronic transfer of personal identity information to another organization. That other organization can then use this trusted information as a part of its own business process (e.g. identification/authentication process in order to validate and authenticate the identity of the individual for access to their online service). Currently, AMS and CMS provide assisted enrolment for users of online programs for Veterans Affairs Canada (VAC), Employment and Social Development Canada (ESDC) and the Province of Nova Scotia (NS).

The CRA and ESDC are exploring new ways to deliver services collaboratively and to move towards new, more digitally focused business models that are cost-effective, efficient, and provide better value-for-money to Canadians. ESDC and CRA have much in common in their client-service objectives. To meet initiatives aimed at improved digital service, the two departments have identified an opportunity to work jointly in order to increase user uptake through their respective digital channels. By means of a convenient link within secure space, ESDC clients who use My Service Canada Account (MSCA) will also be able to access the CRA My Account for Individuals (and vice-versa) without the need to login or to revalidate identity. This joint initiative is referred to as Linked eAccounts. Each organization's respective account registration and identity validation processes will be maintained; both organizations follow the Treasury Board of Canada Secretariat (TBS) Standard on Identity and Credential Assurance. The Linked eAccounts service is expected to be implemented in October 2016.

In addition to recognizing credentials issued by the CRA CMS, users may also login with an external credential using a GC service known as SecureKey Concierge through a Credential Broker Service. This is a commercial service that enables the GC to offer access to government services using certain financial institution-issued credentials. The participating financial institutions are referred to as “Sign-In Partners.”

A separate privacy impact assessment has been prepared for the Credential Broker Service/SecureKey Concierge by Shared Services Canada. It should be noted that in the case of CMS, SecureKey Concierge and other future credential providers, the individual’s data is not shared with the credential provider; these credential providers are known as anonymous providers. To ensure privacy protection, users of the Credential Broker Service will authenticate through a participating Sign-In Partner, but no personal information will be shared with the GC, including their login information and the identity of their financial institution. Similarly, no information about the government service being accessed by the individual will be shared with the individual’s financial institution.

For more information on the CRA registration and login process please visit:
CRA login services

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: Personal information such as the social insurance number (SIN), non-resident representative number (NRRN), postal/ZIP code, date of birth, last name (for BRO) and information from the individual’s income tax and benefit return is used to identify the individual for the purpose of accessing the CRA’s My Account, My Business Account, Represent a Client, MyCRA app, My Benefits app and BRO.

As part of the registration process for services that leverage CMS, an individual must create a credential (CRA user ID and password), or login with their external credential. The individual no longer needs to validate his/her identity in subsequent logins with that same credential. In order to provide additional security and recovery options, the individual will need to provide security questions and answers. These questions and answers do not reference any specific tax related information, SIN or specific identifying information.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information collected such as the SIN, date of birth, and information from the individual’s income tax and benefit return is sensitive information, as is information from an individual’s application for a non-resident representative number (NRRN). With respect to this identity validation process, only the social insurance number and the NRRN are retained in the CRA’s directory. The individual’s SIN or the non-resident representative’s NRRN is associated with his/her anonymous credential.

For the Linked eAccounts initiative, to transfer an individual's identity between portals, the CRA and ESDC will make use of the authenticated individual's SIN, and an identity credential. The identity credential will include the individual's Persistent Unique Identifier (PUI), and their Treasury Board of Canada Secretariat (TBS) identity assurance level. The PUI is a meaningless but unique number assigned to an individual that does not directly identify them. There will be no transfer or exchange of tax or benefit information between the two organizations.

C) Program or activity partners and private sector involvement

With other or a combination of federal/provincial and/or municipal government(s)

Level of risk to privacy: 3

Details: The directory that stores the AMS and CMS data is maintained by Shared Services Canada (SSC). The CMS data is anonymous. The CRA also provides assisted enrolment for users of online programs for Veterans Affairs Canada (VAC), Employment and Social Development Canada (ESDC) and to the Province of Nova Scotia (NS).

For the Linked eAccounts initiative, the CRA and ESDC will share an individual's SIN and an identity credential (Persistent Unique Identifier and TBS level of identity assurance) to transfer the individual between the CRA's My Account and ESDC's My Service Canada Account, to accurately identify the individual, and to display their information to them. The individual will consent to the transfer and to the sharing of his/her SIN.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: There is no ‘sunset date’ for this activity as it is in keeping with the Government On-Line (GOL) initiative, a key component of the Government of Canada’s service strategy.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The program affects individuals that choose to use the CRA’s online services (My Account, My Business Account, Represent a Client, MyCRA, MyBenefits, Auto-fill my return, Careers and BRO). It also affects individuals who choose to use CRA’s authentication and credential systems as a means of assisted enrolment for VAC, ESDC, and the Government of NS.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: Yes

Details: The CRA uses session and persistent cookies for its login services.

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: Yes

Details: As per the CRA’s Logging and Monitoring of Access to Taxpayer Information Policy, and the CRA’s Monitoring of Employee Electronic Access to Taxpayer Information Directive, all systems with accesses to identifiable taxpayer information (create, view, modify, delete) have an audit trail in place.

The Policy Server generates log files that contain auditing information about the events that occur within the system. These events may have been initiated by the individual, the system, a helpdesk agent, or a headquarters officer. These logs are analyzed by SSC for security alerts and forensics purposes.

Audit trail reports are considered Protected B information as defined by the Identifying Protected and Classified Information and Assets Policy. Consequently, the communication of the request, the audit trail report, and results of its analysis must be restricted to individuals with "a need to know". The information is retained for a period of 7 years + current year (RDA 98 / 001).

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: In order to verify their identities, individuals will be asked to provide certain information from their income tax and benefit return. This information is then matched to what CRA currently has on record. For the Portageur service, information such as the name, contact information, date of birth and gender may be sent to the other organization and compared to information on that other department’s systems for authentication purposes. For the Linked eAccounts initiative, the CRA and ESDC will share an individual's SIN and an identity credential (Personal Unique Identifier and TBS level of identity assurance) to transfer the individual between the CRA's My Account and ESDC's My Service Canada Account, to accurately identify the individual, and to display his/her information to them.

Non-resident representatives from the United States who want to access Represent a Client will be asked to apply for a non-resident representative number (NRRN). Once the CRA verifies the application and the supporting identification documents and issues an NRRN, the non-resident representative is asked to provide their NRRN and ZIP code. This information is then matched to what CRA currently has on record.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details: CRA together with SSC use a shared Oracle server. Strict filtering of external network connections, application filtering and architecture restrictions prevent external connection to these systems. CRA will be sharing the SIN with ESDC for My Service Canada Account. The data will be included in a Security Assertion Markup Language (SAML) response which is encrypted and digitally signed specifically for ESDC. CRA and ESDC have exchanged encryption and digital signature keys. CRA also shares data via the secure systems of partner organizations (VAC, ESDC and NS) as part of personal information matching for Portageur purposes.

H) Risk impact to the individual or employee

Details: A breach of personal information such as the social insurance number and date of birth could have a financial impact on the individual, as it could lead to identity theft.

I) Risk impact to the institution

Details: A privacy breach of any kind, particularly when it involves sensitive personal information such as tax information and the social insurance number, can cause significant harm to CRA’s reputation and may lead to a loss of credibility.
