Authentication and Credential Management V3.0

Digital Services Directorate
Assessment, Benefit, & Service Branch

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment Initiation (PIA)

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment and Benefit Services Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Information Technology

Standard or institution specific class of record:

Information Technology
Class of Record Number: PRN 932 

Standard or institution specific personal information bank:

Authentication and Credential Management Service
Bank Number: CRA PPU 607

Legal authority for program or activity

The Canada Revenue Agency (CRA) is designated as a separate Agency under Schedule II of the Financial Administration Act and as such has overall responsibility over its administration, contracts and human resources management. 

Personal information is collected in order to allow access to online systems for the purposes of administering program legislation as per the Income Tax Act and the Excise Tax Act. Personal information is also collected as required under the Policy on Government Security as it relates to the Directive on Identity Management as per agreement with the President of the Treasury Board.

The legal authority for entering the MOUs for the Portageur, also known as Identity Exchange Facility, and the Linked eAccounts services is under section 61 of the Canada Revenue Agency Act, which states that the CRA is responsible for implementing agreements or arrangements between the CRA and departments or agencies of the Government of Canada to administer a program or carry out an activity. The authority for disclosing information to Veterans Affairs Canada for Portageur or Employment and Social Development Canada for Linked eAccounts is under section 241(5) (consent) of the Income Tax Act. The authority to collect personal information in order to know whose information to disclose under section 241 is section 220 of the Income Tax Act.

Subsection 241(5) of the Income Tax Act, subsection 295(6) of the Excise Tax Act, subsection 211(8) of the Excise Act, 2001, and subsection 8(1) of the Privacy Act, authorize the CRA to provide confidential or personal taxpayer information relating to an individual, to any other person with the consent of the individual.

For the Non-Resident Representative Number, personal information is collected under the authority of subsection 220(1) of the Income Tax Act. It will be used by the CRA to process applications for a non-resident representative applying for a non-resident representative number.

The CRA collects the social insurance number under subsection 237(1.1) of the Income Tax Act for income tax purposes and section 220 of the Income Tax Act to identify the individual to allow him/her access to their income tax and benefit information online and to associate the individual’s anonymous credential to them.

For the British Columbia Digital Identity for Federal Services, and for the MyAlberta Digital ID integration CRA-Alberta the personal information is collected under the authority of section 220 of the Income Tax Act, and section 275 of the Excise Tax Act. It will be used by the CRA to allow Canadians who hold a British Columbia Services Card, or respectively MyAlberta Digital ID, immediate digital access to the federal government services and programs offered through the CRA’s My Account.

Summary of the project, initiative or change

Overview of the Program or Activity

The CRA has been a major stakeholder in the Government of Canada Cyber-Authentication Renewal Initiative. The CRA has played an active role and supports arrangements for federated identity. As part of the Cyber-Authentication Renewal Initiative, the CRA also provides its own authentication and credential management service for individuals, business owners and representatives to use when accessing its online services.

The CRA’s Authentication and Credential Management Service relies on its systems to provide identity proofing, identity validation, access control and/or credential management services to the CRA online services.

The systems provide two separate but interrelated functions. The first function is responsible for ensuring that individuals are authenticated prior to associating an individual’s account with an anonymous credential provided by the second function, as well as ensuring that the current status of the individual’s account does not contain any restrictions to access that account. The system is responsible for provisioning and maintaining an anonymous credential that will be associated with an individual’s CRA account.

The following is a list of the CRA online services that use the system of the Authentication and Credential Management Services.

CRA Online Portals

• My Account: Individuals can view their personal income tax and benefit information, and manage their tax affairs online.
• My Business Account: Business owners (including partners, directors, and officers) can access their GST/HST, payroll, corporation income taxes, excise taxes, excise duties and other levies accounts online.
• Represent a Client: Employees and representatives can access an account on behalf of their employer or clients. Prior to the CRA granting a representative access to information and services on behalf of individuals or businesses, a representative must first be authorized by the individual or the business owner.

CRA Mobile Apps

• MyCRA Browser App: MyCRA is a web-based mobile application for individual taxpayers. Individuals can securely access and view key portions of their personal tax information and pay their tax balance owing.
• My Benefits Browser App: MyBenefits CRA is a web-based mobile app that offers individual benefit recipients a quick view of their benefit and credit payment details and eligibility information.
• CRA BizApp: CRA BizApp is a web-based mobile app for small business owners and sole proprietors. The application offers secure access to make payments, view accounting transactions, and more.

The CRA Tax Information Web Services listed below require users to be registered for a CRA login service - My Account for Individuals, My Business Account, or Represent a Client. Once registered, users are able to use the following services within their certified software product.

• Auto-fill my return: Individuals and authorized representatives can automatically fill in parts of a current year income tax and benefit return using various NETFILE/EFILE certified software.
• Express NOA: Express NOA is a secure CRA service that allows individuals and authorized representatives to view the notice of assessment (NOA) in their software, right after the return has been received and processed by the CRA.
• T2 Auto-fill: T2 Auto-fill is a secure service that lets business owners and authorized representatives download information from the CRA to their tax preparation software.
• Address change and Direct Deposit through Netfile: Users of NETFILE tax preparation software can change the mailing address or update direct deposit information using a link to CRA's login services.
• Account Information Retrieval Service: The Account Information Retrieval Service is a secure CRA service that allows individuals, businesses and their authorized representatives using CRA certified software to automatically obtain balance owing account information that the CRA has available at the time.

Others CRA Login Services

Business Registration Online: The business registration online service allows individuals to register for a business number, register for six types of program accounts, and link to other online business registries for some provincial programs.

Careers – Candidate Profile: The Candidate Profile service allows individuals to apply for job opportunities with the CRA.

Partnerships

The CRA’s Authentication and Credential Management Service also includes the Portageur service, which leverages the systems. Individuals consent to the electronic transfer of personal identity information to another organization. The other organization can then use this trusted information as a part of its own business process (e.g., identification/authentication process in order to validate and authenticate the identity of the individual for access to their online service). Currently, the systems provide assisted enrolment for users of online programs for Veterans Affairs Canada, and selected Employment and Social Development Canada programs and the Province of Nova Scotia.

What’s New

British Columbia Digital Identity for Federal Services

On February 10, 2020, the CRA collaborated with Employment and Social Development Canada and the province of British Columbia on a project wherein the Federal Government accepted a provincial Trusted Digital Identity to access CRA’s My Account and Employment and Social Development Canada’s My Service Canada Account following an assessment under the Pan Canadian Trust Framework.

This project provides Canadians who hold a British Columbia Services Card possible digital access to the federal government services and programs offered through My Account and My Service Canada Account. Canadians who hold a British Columbia Services Card are required to complete a secondary process that allows them to use their British Columbia Services Card as a credential for the CRA’s My Account service. In essence, it streamlines the My Service Canada Account and the CRA My Account registration process for British Columbia residents by relying on an approved provincial Trusted Digital Identity instead of a federal credential and identity validation process. British Columbia citizens are able to use their British Columbia Services Card to access their My Account and their My Service Canada Account. It removes the need for multiple login options (e.g., user IDs/passwords), as well as for a letter in the mail or an email which provides the security code or access code for online registration.

MyAlberta Digital ID integration CRA-Alberta

On February 7, 2022, the CRA is entered into a collaboration with Service Alberta, the Province of Alberta, and the Employment and Social Development Canada, wherein the Federal Government now accepts MyAlberta Digital ID as a provincial Trusted Digital Identity in order for an individual to access the CRA My Account and, through the linked accounts developed in a previous initiative, to access the Employment and Social Development Canada’s My Service Canada Account. MyAlberta Digital ID was re-assessed in July 2021 by the Treasury Board of Canada as a Trusted Digital Identity in conformance with the Pan Canadian Trust Framework version 1.3.

This collaboration now provides Albertans holding Verified MyAlberta Digital ID immediate access to the federal government services and programs offered through CRA My Account for individuals and My Service Canada Account, provided that no restrictions, inhibits or flags have been placed on file since the previous sign in (e.g., such as IDENT restrictions or access to My Account has been disabled). By relying on the trusted digital identity issued by the province, the streamlined process eliminates the need to receive the security code by mail for the registration to online services and eliminates steps in the sign-in process.

Multi-factor Authentication

Multi-factor authentication is a mandatory enhanced security measure that was implemented throughout our CRA sign-in services. When users enroll they are asked to provide at least one cell or landline phone number. Users will then be sent a one-time passcode that is required to be entered when they sign in to our online services. This code is good for a single sign-in session. A new one-time passcode will be sent via short message service or provided in an automated message to the telephone number selected each time the user signs in to the CRA sign-in services using this option in the future.

CRA has introduced an enhancement to multi-factor authentication which is the Passcode Grid option. A passcode grid is a table made up of numbered rows and lettered columns, similar to a Bingo card. The CRA will ask for combinations (e.g., B,1; A,3) and users will need to match the column and the row to provide the 3 letters that are shown in the square. The CRA will ask for three of these combinations each time a user signs in to the CRA’s sign-in services. The passcode grid is an option upon enrollment and it can also be added later in the Manage my multi-factor authentication settings.

Automation and Fraud Defense

The CRA is now using security solutions on its website to identify any unauthorized attempts to access and use online services. The solutions monitor and analyze web traffic data generated from a user web session to detect automated and malicious activities against CRA websites.

Scope of the Privacy Impact Assessment

This PIA provides information related to the collection and use of personal information required to access the CRA external secure online program services and applications, including services from other government departments that utilize the CRA’s authentication services.

This PIA does not cover information related to the services available within the CRA Online Portals, CRA Mobile Apps, CRA Tax Web Information Services, Business Registration Online, Careers, British Columbia Services Card or MyAlberta Digital ID.

Risk identification and categorization

A) Type of program or activity

Criminal investigation and enforcement / National Security

Level of risk to privacy: 4

Details:

Personal information such as the social insurance number, non-resident representative number, postal/ZIP code, date of birth, last name, province and information from the individual’s income tax and benefit return is used to identify the individual for the purpose of accessing the CRA’s suite of services that use AMS/CMS.

As part of the registration process for services that leverage CMS, an individual must create a credential (CRA user ID and password), or login with their external credential. The individual no longer needs to validate his/her identity in subsequent logins with that same credential. In order to provide additional security and recovery options, the individual will need to provide security questions and answers. These questions and answers do not reference any specific tax related information, social insurance number or specific identifying information.

To assist with a criminal investigation, the Digital Services Directorate in conjunction with the Information Technology Branch will provide the Criminal Investigations Directorate with information concerning a taxpayer’s online activity. Requests may include information related to a taxpayer’s registration or login information, transaction logs as well as IP addresses.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details:

Personal information collected such as the social insurance number, date of birth, and information from the individual’s income tax and benefit return is sensitive information, as is information from an individual’s application for a non-resident representative number. With respect to this identity validation process, only the social insurance number and the non-resident representative number are retained in the CRA’s directory. The individual’s social insurance number or the non-resident representative’s non-resident representative number is associated with his/her anonymous credential.

For the Linked eAccounts initiative, to transfer an individual's identity between portals, the CRA and Employment and Social Development Canada will make use of the authenticated individual's social insurance number, and an identity credential. The identity credential will include the individual's persistent unique identifier and their Treasury Board of Canada Secretariat identity assurance level. The persistent unique identifier is a meaningless but unique number assigned to an individual that does not directly identify them. There will be no transfer or exchange of tax or benefit information between the two organizations.

For the British Columbia Digital Identity for Federal Services, the province of British Columbia provides the individual’s surname, date of birth, province, directed identifier and level of assurance of the British Columbia credential. The directed identifier is a meaningless but unique number assigned to an individual that does not directly identify them. Individuals need to provide consent for the CRA to request their personal information from the province of British Columbia.

For the MyAlberta Digital ID Integration CRA-Alberta, the province of Alberta will provide the individual’s surname, date of birth, province, the unique federal identifier and the identity assurance level and credential assurance level of the Alberta credential. The unique federal identifier is a meaningless but unique number assigned in Alberta’s system to an individual that does not directly identify them. Individuals need to provide their consent for the CRA to request their personal information from the province of Alberta.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

The directory that stores the AMS and CMS data is maintained by Shared Services Canada. The CMS data is anonymous. The CRA also provides assisted enrolment for users of online programs for Veterans Affairs Canada, Employment and Social Development Canada and to the Province of Nova Scotia.

For the Linked eAccounts initiative, the CRA and Employment and Social Development Canada will share an individual's social insurance number and an identity credential (Persistent Unique Identifier and Treasury Board of Canada level of identity assurance) to transfer the individual between the CRA's My Account and Employment and Social Development Canada's My Service Canada Account, to accurately identify the individual, and to display his/her information to him/her. The individual will consent to the transfer and to the sharing of his/her social insurance number.

For the British Columbia Digital Identity for Federal Services, the province of British Columbia provides the individual’s surname, date of birth, province, directed identifier and the level of assurance of the British Columbia credential in order to access CRA’s My Account. The directed identifier is a meaningless but unique number assigned to an individual that does not directly identify them. Individuals need to provide consent for the CRA to request their personal information from the province of British Columbia. When an individual logs in to My Account for the first time with their British Columbia Services Card, the individual will also be required to enter their social insurance number. The CRA uses this data along with the information provided by British Columbia in order to validate the individual’s identity. For subsequent logins, the directed identifier associated to the individual’s social insurance number will be recognized as a returning user. Returning users will not be required to provide their social insurance number to the CRA and will instead be sent directly to My Account.

For the MyAlberta Digital ID Integration CRA-Alberta, the province of Alberta will provide the individual’s surname, the date of birth, the province, the unique federal identifier and the identity assurance level and credential assurance level of the Alberta credential. The unique federal identifier is a meaningless but unique number assigned in Alberta’s systems to an individual that does not directly identify them. Individuals need to provide consent for the CRA to request their personal information from the province of Alberta. When an individual signs in to My Account for the first time using the MyAlberta Digital ID, the individual will also be required to enter their social insurance number. The CRA uses this data along with the information provided by Alberta in order to validate the individual’s identity (for the matching process). For subsequent signing in, the unique federal identifier associated to the individual’s social insurance number will be recognized as a returning user, and the individuals will not be required to provide their social insurance number and, upon successful multi-factor authentication, they are granted immediate direct access to the CRA My Account, provided that no restrictions, inhibits or flags have been placed on file since the previous sign in (e.g. such as IDENT restrictions or access to My Account has been disabled).

For hCaptcha, we use an anti-bot service on our website to monitor network traffic to identify any unauthorized attempts to access our online services. The hCaptcha evaluates information including the IP address, how long the user has been on the website or app, mouse movements made by the user, information from the browser, and the user’s answers to any challenges. This information is shared with the third party responsible for the hCaptcha service.

For Automation and Fraud Defense, we use security solutions on our websites to identify any unauthorized attempts to access and use online services. The solutions monitor and analyze web traffic data generated from a user web session to detect automated and malicious activities against CRA websites.

For multi-factor authentication, we collect the telephone number (landline or cell) for the one-time passcode (telephone call or short message service) and language of choice to receive the one-time passcode that the user provides when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending the code. The code entered is also shared with the third party to ensure it matches before allowing the user access to the login services. For the passcode grid option, the CRA will generate the passcode grid, which is stored on the CRA’s database, but no personal information from the taxpayer is collected or stored.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

There is no “sunset date” for this activity as it is in keeping with the Government On-Line initiative, a key component of the Government of Canada’s service strategy.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The program affects individuals that choose to use the CRA’s suite of services that use Authentication Management Services.  It also affects individuals who choose to use the CRA’s systems as a means of assisted enrolment for Veterans Affairs Canada, Employment and Social Development Canada, and the Government of Nova Scotia. It also affects residents of British Columbia who choose to use their British Columbia Services Card to access the CRA’s My Account and the residents of the province of Alberta who choose to use the MyAlberta Digital ID to access the CRA’s My Account.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
   Risk to privacy: Yes
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
   Risk to privacy: Yes
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?
4. Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
   Risk to privacy: No
5. Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
   Risk to privacy: No
6. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
   Risk to privacy: Yes

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details:

CRA together with Shared Services Canada use a shared Oracle server. Strict filtering of external network connections, application filtering and architecture restrictions prevent external connection to these systems. The CRA will be sharing the social insurance number with Employment and Social Development Canada for My Service Canada Account. The data will be included in a security assertion markup language response which is encrypted and digitally signed specifically for Employment and Social Development Canada. The CRA and Employment and Social Development Canada have exchanged encryption and digital signature keys. The CRA also shares data via the secure systems of partner organizations (Veterans Affairs Canada, Employment and Social Development Canada and the province of Nova Scotia) as part of personal information matching for Portageur purposes.

For the British Columbia Digital Identity for Federal Services, the data will be included in a security assertion markup language response which is encrypted and digitally signed specifically for British Columbia. For the British Columbia Digital Identity for Federal Services, the CRA doesn’t share the social insurance number or any other data with British Columbia. The CRA only obtains the personal information for individuals who hold a British Columbia Services Card: surname, date of birth, province, directed identifier, from British Columbia through security assertion markup language, in order to authenticate the user.

For the MyAlberta Digital ID Integration CRA-Alberta, the data will be included in a security assertion markup language response which is encrypted and digitally signed specifically for the province of Alberta. The CRA doesn’t share the social insurance number or any other data with the province of Alberta. CRA only obtains the personal information for individuals who hold a MyAlberta Digital ID: surname, date of birth, province, the Unique Federal Identifier and their identity assurance level and credential assurance level from Alberta through security assertion markup language transmission technology, in order to authenticate the user.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

A breach of personal information such as the social insurance number and date of birth could have a financial impact on the individual, as it could lead to identify theft.