Collections – Government Programs

Privacy Impact Assessment (PIA) summary - Collections Directorate, Collections and Verification Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Collections

Description of the class of record and personal information bank

Standard or institution specific class of record:
Collection Actions (CRA CVB 190)

Standard or institution specific personal information bank:
Collection Action (CRA PPU 050)

Legal authority for program or activity

Legal authorities for the Government Programs (GP) collections activities come from one or more of the following:

• Canada Revenue Agency Act
  Section 61 authorizes the Canada Revenue Agency (CRA) to enter into contracts, agreements or other arrangements with governments, public or private organizations and agencies or any person in the name of Her　Majesty in right of Canada or in its own name. Note: This gives the Minister of CRA authority to enter into agreements to administer programs on behalf of other government or private sector organizations.
   
• On August 1, 2005, Order in Council SI/2005-73 (OIC) transferred from the Department of Human Resources and Skills Development Canada (now Employment and Social Development Canada (ESDC) to the CRA the responsibility of the collection of certain ESDC debts.

Delegations of Authorities

Canada Disability Savings Act

• Subsection 12(2) of the Canada Disability Savings Act empowers the Minister of National Revenue with the authority to recover debts due under that Act.

Canada Education Savings Act

• Powers, duties and functions relating to the collection of debts under the Canada Education Savings Act were transferred to the Minister of National Revenue under the OIC. As a result of the OIC, section 10 of the Canada Education Savings Act empowers the Minister of National Revenue with the authority to recover debts due under that Act.

Canada Labour Code

• ESDC authorizes the CRA to collect debts arising out of paragraph 251.12(4)(c) of the Canada Labour Code (collection of costs payable pursuant to Referee’s decision). (MOU).

Canada Pension Plan

• Powers, duties and functions relating to the collection of debts under the Canada Pension Plan (CPP) (other than subsections 66(2.1) and (3) and section 107) were transferred to the Minister of National Revenue in accordance with the OIC.
• For greater certainty, the OIC also transferred the authority to collect the administrative penalties imposed under section 90.1 of the CPP. Section 90.1 was added by S.C. 1997, c. 40 and came in force on April 1, 2010, by P.C. 2010-216.
• As a result of the OIC, subsection 66(2) of the CPP empowers the Minister of National Revenue with the authority to recover debts due under that Act, with provisions under delegation instrument, including:
  • Subsection 66(2.2): certification of debt.
  • Subsection 66(2.7): garnishment.
  • Subsection 90.2(6): requirement to provide documents or information.
  • Subsection 90.2(8): requirement to provide documents or information with judicial authorization (unnamed persons).

Canada Student Loans Act and Canada Student Financial Assistance Act

• Powers, duties and functions relating to the collection of debts under the Canada Student Financial Assistance Act (CSFAA) and the Canada Student Loans Act (CSLA) were transferred to the Minister of National Revenue under the OIC.
• As a result of the OIC, section 19 of the CSLA, and section 16.01 of the CSFAA empowers the Minister of National Revenue with the authority to recover debts due under these Acts.
• Additionally, the Minister of ESDC authorizes the CRA under delegation instrument for the following provisions which are not specific to collections:
  • Canada Student Financial Assistance Act:
    • Subsection 16.3(1): requirement to provide documents or information by debtor.
    • Subsection 16.3(2): make certified copies of documents or information.
  • Canada Student Loans Act:
    • Subsection 19.3(1): requirement to provide documents or information by debtor.
    • Subsection 19.3(2): make certified copies of documents or information.

Employment Insurance Act and Unemployment Insurance Act (MOU and Delegation Instrument (DI)).

• The Commission authorizes the CRA to collect debts established under the following provisions:
  • Employment Insurance Act:
    • Subsection 47(1): amounts payable under section 38, 39, 43, 45, 46 or 46.1 and overpayment established under Part VII.1 – benefits for self-employed persons. (MOU)
    • Subsection 65.2(1): penalties. (MOU)
    • Subsection 80.1(2): interest. (MOU)
    • Subsection 126(1): certification of debt. (DI)
    • Subsection 126(3): reasonable costs for the registration of the Federal Court Certificate. (MOU)
    • Subsections 126(4) and (5): garnishments. (DI)
    • Subsection 126(7): failure to comply with garnishments. (MOU)
    • Subsections 126(11) and (12): search warrant for dwelling - house. (DI)
    • Subsection 126(14): requirement to provide documents or information. (DI)
    • Subsection 126(16) requirement to provide documents or information with judicial authorization. (DI)
    • Subsection 126(22): designation of "authorized person". (DI)
  • Unemployment Insurance Act
    • Subsection 35(2): Crown debt - right to recover. (MOU)
    • Subsection 94(3): costs related to Federal Court Certificate. (MOU)

Grants and Contributions (G&C) - ESDC and Labour

• G&C debts arise from:
  • The Employment Insurance Fund under Part II of the Employment Insurance Act (EIA)
  • The Consolidated Revenue Fund (CRF), under the Financial Administration Act (FAA)
• Collection activities are based on the funding source. G&C debts established under the EIA may be collected in the same way as any other debt under the EIA described above.
• G&C debts funded by the CRF can be collected under a garnishment order, after we obtain a judgment in a provincial court. The judgment also allows registration of a lien on the debtor’s property or to take other legal actions.

Government Employees Compensation Act

• ESDC authorizes the CRA to collect debts arising out of the Government Employees Compensation Act. (MOU).

Merchant Seamen Compensation Act

• ESDC authorizes the CRA to collect debts arising out of section 51 of the Merchant Seamen Compensation Act (costs incurred relative to the administration of the Act, including salaries, expenses, fees and commissions, are chargeable against the various employers, apportioned on a basis to be determined by the Minister). (MOU).

Old Age Security Act

• Powers, duties and functions relating to the collection of debts under the Old Age Security Act (other than subsections 37(2.1) and (4) and section 40)) were transferred to the Minister of National Revenue in accordance with the OIC.
• For greater certainty, the OIC also transferred the authority to collect the administrative penalties imposed under section 44.1 of the Old Age Security Act. Section 44.1 was added by S.C. 1997, c. 40 and came in force on April 1, 2010, pursuant to P.C. 2010-216.
• As a result of the OIC, subsection 37(2) of the Old Age Security Act empowers the Minister of National Revenue with the authority to recover debts due under that Act, with provisions under delegation instrument, including:
  • Subsection 37(2.2): certification of debt.
  • Subsection 37(2.7): garnishment.
  • Subsection 44.2(6): requirement to provide documents or information.
  • Subsection 44.2(8): requirement to provide documents or information with judicial authorization (unnamed persons).

Operation and Maintenance Debts

• ESDC authorizes the CRA to collect debts arising out of operation and maintenance debts (e.g., court costs, legal costs). (MOU)

Postal Services Continuation Act, 1997

• ESDC authorizes the CRA to collect debts arising out of section 15 of the Postal Services Continuation Act, 1997 (costs incurred by Her Majesty relating to the appointment of the mediator-arbitrator and the exercise of the mediator-arbitrator’s duties). (MOU).

National Training Act, S.C.1982 (as continued under Part IX of the Employment Insurance Act)

• ESDC authorizes the CRA to collect debts arising out of the Training Allowances Payment System. (MOU).

Wage Earner Protection Program Act

• Subsection 32(2) of the Wage Earner Protection Program Act empowers the Minister of National Revenue with the authority to recover overpayments established under that Act.

Apprentice Loans Act

• ESDC authorizes the CRA to collect debts arising out of Canada Apprentice Loan debts (MOU)

Immigration and Refugee Protection Act

• ESDC authorizes the CRA to administer payment agreements and collection activities pertaining to administrative monetary penalties arising out of the Temporary Foreign Worker Program

The following represent authorities for the Employment and Social Development Canada (ESDC)

Department of Employment and Social Development Act (DESDA)

• Section 10
  For the purpose of facilitating the formulation, coordination and implementation of any program or policy relating to the powers, duties and functions conferred by this Act, the Minister may enter into agreements with a province or a provincial public body, financial institutions and other persons or bodies that the Minister considers appropriate. Note: This gives the Minister of ESDC authority to enter into agreements with any government or private sector organizations making them responsible to administer all, or any part, of a particular GP. This provision was not enacted at the time the responsibility for collecting GP debts were initially transferred to the CRA.
• Section 11
  The Minister may authorize the Minister of Labour, the Commission or any other person or body, or member of a class of persons or bodies, to exercise any power or perform any duty or function of the Minister. Note: This gives the Minister of ESDC authority to delegate persons or organizations to exercise Ministerial authorities and to make decisions that would otherwise be conferred to only the Minister.

Summary of the project / initiative / change

The Canada Revenue Agency (CRA) is responsible for the collection of outstanding taxes, levies and duties, as well as for the collection of Government Program (GP) debts on behalf of Employment and Social Development Canada (ESDC). Canada has one of the best rates of taxpayer compliance in the world, and the monies recovered through CRA’s collections activities help fund public goods and services to support Canadians.

ESDC is responsible for providing the information related to debts/debtors, accounting information, and any updates, such as address changes during the life cycle of debts. The CRA is responsible for recording information that is obtained in the course of collection activities into the Departmental Accounts Receivable System (DARS). It is important to note that ESDC is the owner of all of GP debts and establishes the amount of the debts and authorizes the writing off of the debts.

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to CRA’s collection activities for GP debts. Specifically, the PIA considers CRA’s collections activities, processes, recommendations, and decisions regarding collection actions taken in relation to ESDC program debts, including the recent changes below. Not included in this assessment is determining qualification for benefits or grants and contributions, auditing and verification processes, maintaining systems, the establishment of the debt, the dispute process, the accounting functions, and approving and deleting debts due to being uncollectible, as these are under the responsibility of ESDC.

Recent Changes to the Government Program Collections

Amendment to Income Tax Act

Previously, the information which could be shared for certain GP debts between the tax collections program and the GP was limited to debtors’ last known addresses, employment information, and whether or not amounts are available for set-off. The authority to share this information was provided by subsection 9(3) of the Financial Administration Act (FAA). However, section 241 of the Income Tax Act (ITA) was amended in 2016 to allow for any and all taxpayer information to be shared with the GP collections program. This new legislative change requires that the information communicated must be limited to transmissions for the purpose of assisting with the collection of GP debts. Policies, procedures and systems tools are being developed to ensure that the information, when provided, is only accessed and used for the intended purpose: the collection of debts. In the meantime, status quo will remain in that only limited information will be shared until such time as the policies and procedures are developed and implemented.

New program debts to be collected

A letter of concurrence was signed in February 2017, in order to update the existing umbrella MOU between the CRA, ESDC and the Commission, to reflect two additional ESDC program debts that the CRA will commence collecting: The Canada Apprentice Loan program debts (Apprentice Loans Act, Canada Student Financial Assistance Act), and Temporary Foreign Worker Program’s new Administrative Monetary Penalties.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: The personal information collected is used for the administration of the collection of Government Programs (GP) debts, such as tracing and locating debtors, determining ability to pay and making decisions pertaining to the collection of the debt. Legal actions, such as garnishment or federal court action, are taken when necessary to resolve the account. GP collections does not pursue compliance/regulatory investigation or law enforcement, surveillance or intelligence gathering that targets specific individuals because penalties, criminal charges or sanctions are applied by ESDC. The GP collections program undertakes the recovery activities to collect the unpaid debts.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information includes name, date of birth, contact information and financial information. To determine debtors’ ability to pay and to resolve accounts, collection officers request that debtors provide information concerning their current and past employment, as well as income, expenses, asset and liability information, and other information that may be pertinent. Medical information is collected and used for hardship determinations.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: GP collections employees access information from other CRA programs and other federal, provincial, municipal, or private sector organizations. In some cases, an external third party service may be used to help locate debtors and identify incomes sources. All information that is obtained is stored in DARS.

The federal, provincial, municipal, or private sector organizations sources are the following:

Federal institutions:

• ESDC
• Canada Revenue Agency
• Public Works and Government Services Canada (PWGSC)
• Department of Justice (DoJ)
• Federal Court of Canada
• Industry Canada

Provincial partners:

• Provincial Ministries of Transportation
• Provincial Land Titles Offices
• Provincial Personal Property Registry Offices

Municipal partners:

• Municipalities

Private Sector:

• Canadian Financial institutions
• Equifax
• Iron Mountain: used by the CRA to destroy documents that have personal information on them and is not a source of information for the CRA.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: This is a long term program.

E) Program population

The program affects certain individuals for external administrative purposes

Level of risk to privacy: 3

Details: GP collections affects individuals with debts arising from ESDC programs.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance of individual debtors who are the subject of collection action.

However, as part of the CRA security program, CRA employees who have access to DARS are logged and monitored through the use of audit trails, in order to verify that only authorized employees access personal information and to ensure that the accesses can be linked to specific individuals, to support the investigation of suspected or alleged misuse. This activity is described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Tracing Macro (Local Application Repository - LAR ID: 829 version 11) is the only automated tool used for matching or extracting personal information elements. The Tracing Macro is a technology-based information retrieval process tool. It retrieves personal data (limited to debtors’ names, addresses, and employment histories) from the following CRA mainframe applications:

• ACSES, and
• RAPID:
  • RAPI/DD - INFODEC DISPLAY MENU
  • RAPI/E - INDIVIDUAL IDENT

The Tracing Macro only extracts information; it does not formulate, guide or determine what administrative actions are to be taken.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: N/A

Information obtained using the Tracing Macro:

GP collections uses all of the above elements. The collection, use, and circulation of hardcopy documents having personal information obtained via the Tracing Macro search, are distributed on a secure basis to employees that need the information to perform their duties.

The Tracing Macro is a technology-based information retrieval process and it retrieves personal data from CRA mainframe applications.

Transmission of personal information not obtained via Macro:

In some cases personal information not obtained by use of Tracing Macro is transmitted electronically via secure remote access. Examples include GP collection officers who may have a telework arrangement, as well as managers who use Blackberry devices. The security measures described in CRA’s Standards for the Transmittal and Transport of Protected and Classified Information and Assets are followed.

Access to DARS is based on the AppGate and Citrix application. AppGate login requires the use of authentication tokens or grids instead of Public Key Infrastructure (PKI) certificates, along with ESDC Active Directory user identification (ID) for authorized CRA employees assigned to collection activities on behalf of ESDC. PKI certificates are used to send email via encryption between the CRA and ESDC that contain "Protected B" level information.

DARS connects to a series of ESDC mainframe systems relating to specific programs, including the On Line Insurance System (OLIS) for EI, the Information Technology Renewal Delivery System for CPP, the Canada Student Loans System, and the Enterprise Resource Planning Software. DARS is fed information from these other systems, to establish debts or update addresses. Additionally, when agreed deductions from EI benefits are entered in DARS, this updates OLIS.

Regarding level 4, the use of wireless technology is increasing as well as the need for greater accessibility to the CRA environment from anywhere. The Secure Remote Access (SRA) for laptops and the Blackberry platforms are the Information Technology Branch’s (ITB) answers for accessing the CRA environment while away from the office. Sending Protected A and B information using wireless technology has low risk. Protected C or Classified information must not be discussed, stored, or processed on a BlackBerry device.

H) Risk impact to the individual or employee

Details: In the event of a privacy breach such as, inadvertently disclosing personal information to an unauthorized person or loss of someone’s personal information, the impact on the individual debtor could be significant. If a person’s personal information becomes compromised, the initial concern is misuse of personal information which could potentially lead to the individual becoming a victim of identity theft. His/her information may be used without his/her knowledge or consent in ways that could result in damage to reputation and/or financial loss to that individual (e.g. misuse of the individual’s credit card information, or debts being incurred on their behalf, etc.).

I) Risk impact to the institution

Details: Protecting privacy and confidentiality are paramount to CRA’s administration of GP collections. The biggest risk of privacy breach is the public’s loss of trust in the CRA which could influence compliance behaviour. The negative media attention and potential damage to reputation that would be caused due to a breach would be very challenging to repair. This could even open the CRA to potential lawsuits. The public places a lot of confidence in the CRA and believes that the CRA is vigilant in protecting taxpayers’ personal information. If this information is accidentally or deliberately disclosed, or compromised, it could cause the CRA embarrassment, as well as the loss of credibility and public trust.