Charities - Public Safety and Anti-Terrorism

Privacy Impact Assessment (PIA) smmary - Review and Analysis Division

Introduction

This document summarizes the Charities – Public Safety and Anti-Terrorism privacy impact assessment (PIA) prepared by the Review and Analysis Division (RAD) of the Canada Revenue Agency (CRA). RAD is responsible for delivering the Agency's mandate under the Anti-Terrorism Act to prevent the abuse of registered charities for the financing of terrorism. This PIA highlights the key points that demonstrate how privacy considerations have been factored into the development and implementation of RAD. For a detailed description of the personal information relevant to this program please refer to the personal information bank number CRA PPU 200 in Info Source.

Description

To contribute to the fight against terrorism financing, and fulfill its international obligations and commitments, Canada put in place a comprehensive domestic regime in 2001, integrated with its existing anti-money laundering regime, to counter terrorism financing. The regime is specifically designed to detect and deter terrorism funding and is administered and enforced through a horizontal structure that unites nine federal departments and agencies including the Canada Revenue Agency – Charities Directorate in a coordinated effort. These departments and agencies in turn work in close cooperation with other governmental entities and the private sector.

As part of the suite of legislation enacted in 2001 under the rubric of the Anti-terrorism Act, that facilitates the anti-terrorism regime, the Parliament of Canada enacted the Charities Registration (Security Information) Act, An Act respecting the registration of charities having regard to security and criminal intelligence information, (CRSIA). The law deals with the rare situation where classified intelligence information about terrorist activities is needed to exclude an organization from registration as a charity. In most situations, open-source information and normal procedures should be sufficient to establish if an organization does not meet the requirements for registration. The purpose of this legislation is three-fold:

1. to demonstrate Canada's commitment to participating in concerted international efforts to deny support to those who engage in terrorist activities;
2. to protect the integrity of the registration system for charities under the Income Tax Act (ITA), and
3. to maintain the confidence of Canadian taxpayers that the benefits of charitable registration are made available only to organizations that operate exclusively for charitable purposes.

Importantly, the legislation requires the balancing of two important principles, specifically that:

1. maintenance of the confidence of taxpayers may require reliance on information that, if disclosed, would injure national security or endanger the safety of persons; and
2. the process for relying on the information referred to in paragraph (1) in determining eligibility to become or remain a registered charity must be as fair and transparent as possible having regard to national security and the safety of persons.

It is within this framework that the Charities Directorate of the CRA established RAD as a standalone unit with specialized personnel who could work with other intelligence agencies to administer CRSIA and related provisions of the ITA.

The ITA was amended to allow for greater information sharing and use of information by the Canadian Security Intelligence Agency and the Royal Canadian Mounted Police and now also allows for information sharing with Financial Transactions and Reports Analysis Centre of Canada. It is because of this new information-sharing framework which helped operationalize the national security strategy that RAD established new mechanisms to collect, use and protect the personal information collected about directors, foreign agents, non-resident donors, employees of charities and organizations seeking to be registered as charities.

In regards to much of the personal information used by RAD, the Division also relies on the same information gathering tools developed and used by the Charities Directorate. The two main tools are the T2050, Application to Register a Charity under the Income Tax Act and the T3010-1, Registered Charity Information Return.

Furthermore, and consistent with other divisions of the CRA, RAD also relies on its own, specially trained team of auditors to conduct investigations relating to charitable organizations who may be abusing the charitable registration system in Canada. RAD auditors rely on Part XV of the ITA to conduct investigations related to the administration and enforcement of the ITA.

PIA Objective

This PIA demonstrates the parameters of RAD's collection, use, retention, disposal and destruction of personal information rooted within the framework of its administrative responsibilities in the Charities Directorate. The privacy analysis examined its adherence to the following 10 fair information principles:

Principle 1: Accountability for Personal Information

The CRA has designated the Director of RAD as the individual accountable for the personal information related to this PIA. To ensure performance requirements are met, the program has a number of security measures in place; audit trails, security and privacy training, in-house dedicated computer systems, system tracking and an on-site security advisor.

Principle 2: Collection of Personal Information

The purposes for the collection and use of the information is to protect the integrity of the registration system for charities under Canada's ITA by screening applications and monitoring charities for the risk of terrorist involvement. RAD analysts may consult open source and public databases for the enforcement and administration of the ITA and CRSIA.

Principle 3: Consent

A notice is included on both the application and on the annual returns of the organization that describes how the information may be shared with certain government departments and agencies. In addition, statutory authority derived from the ITA and CRSIA allows for the collection, use and disclosure of information as necessary for the Acts' administration and enforcement.

Principle 4: Use of Personal Information

All information collected is used for the administration and enforcement of the ITA and/or the CRSIA.

Principle 5: Disclosure and Disposition

Personal information that is disclosed to the public is related to the Charities Directorate's mandate to provide public information about charities and is authorized by the ITA. The personal information to be disclosed will be limited to what is required by or provided by legislation. Personal information shall be retained only as long as is necessary to fulfill those purposes.

Principle 6: Accuracy of Personal Information

Charitable organizations are required to file annual information returns, as part of the filing requirement; organizations are asked to certify that the information provided is accurate and complete. Where information obtained from a publicly available source demonstrates that the information on file is incorrect, the information will be verified to determine accuracy and corrected on the file. Where the information is found to be incorrect it will be discarded.

Principle 7: Safeguarding Personal Information

Security policies on the collection, transmission, storage and disposal of information are documented in chapters 5, 6, 7, and 8 of the CRA Finance and Administration Manual.  System security was considered satisfactory based on the threat and risk assessment that was previously conducted. Use and access is authorized according to security clearance of user and is strictly on a "need to know" basis.

Principle 8: Openness of Information

The Charities Directorate maintains an accessible and regularly updated website. Embedded in that site are guides, forms and pamphlets that describe the work of the Directorate in great detail. This includes information that describes the various issues addressed by RAD in considering applications for registration by organizations and also when reviewing the information returns of registered charities.

Principle 9: Individual Access to Personal Information

Certain statutorily identified information is available on the CRA Internet in accordance with the ITA. Individuals can also request their personal information either through the Privacy Act or the Access to Information Act.

Principle 10: Challenging Compliance

CRA complies with complaint procedures established under the Privacy Act and Treasury Board Policies.

PIA Findings

The privacy analysis identified that RAD places privacy and security of information as an overarching and fundamental consideration in every aspect of its operations.