Collections – Government Programs

Privacy Impact Assessment (PIA) summary - Collections Directorate, Collections and Verification Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution


Description of the class of record and personal information bank

Standard or institution specific class of record:
Collection Actions (CRA CVB 190)

Standard or institution specific personal information bank:
Collection Action (CRA PPU 050)

Legal authority for program or activity

Legal authorities for the Government Programs (GP) collections activities come from one or more of the following:

Delegations of Authorities

Canada Disability Savings Act

Canada Education Savings Act

Canada Labour Code

Canada Pension Plan

Canada Student Loans Act and Canada Student Financial Assistance Act

Employment Insurance Act and Unemployment Insurance Act (MOU and Delegation Instrument (DI)).

Grants and Contributions (G&C) - ESDC and Labour

Government Employees Compensation Act

Merchant Seamen Compensation Act

Old Age Security Act

Operation and Maintenance Debts

Postal Services Continuation Act, 1997

National Training Act, S.C.1982 (as continued under Part IX of the Employment Insurance Act)

Wage Earner Protection Program Act

Apprentice Loans Act

Immigration and Refugee Protection Act

The following represent authorities for Employment and Social Development Canada (ESDC):

Department of Employment and Social Development Act (DESDA)

Summary of the project / initiative / change

The Canada Revenue Agency (CRA) is responsible for the collection of outstanding taxes, levies and duties, as well as for the collection of Government Program (GP) debts on behalf of Employment and Social Development Canada (ESDC). Canada has one of the best rates of taxpayer compliance in the world, and the monies recovered through CRA’s collections activities help fund public goods and services to support Canadians.

ESDC is responsible for providing the information related to debts/debtors, accounting information, and any updates, such as address changes during the life cycle of debts. The CRA is responsible for recording information that is obtained in the course of collection activities into the Departmental Accounts Receivable System (DARS). It is important to note that ESDC is the owner of all GP debts, establishes the amount of the debts, and authorizes the writing off of the debts.

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to CRA’s collection activities for GP debts. Specifically, the PIA considers CRA’s collections activities, processes, recommendations, and decisions regarding collection actions taken in relation to ESDC program debts, including the recent changes below. Not included in this assessment is determining qualification for benefits or grants and contributions, auditing and verification processes, maintaining systems, the establishment of the debt, the dispute process, the accounting functions, and approving and deleting debts due to being uncollectible, as these are under the responsibility of ESDC.

Recent Changes to the Government Program Collections

Amendment to Income Tax Act

Previously, the information that could be shared for certain GP debts between the tax collections program and the GP was limited to debtors’ last known addresses, employment information, and whether or not amounts are available for set-off. The authority to share this information was provided by subsection 9(3) of the Financial Administration Act (FAA). However, section 241 of the Income Tax Act (ITA) was amended in 2016 to allow for any and all taxpayer information to be shared with the GP collections program. This legislative change requires that the information communicated be limited to transmissions for the purpose of assisting with the collection of GP debts. Policies, procedures and systems tools are being developed to ensure that the information, when provided, is only accessed and used for the intended purpose: the collection of debts. In the meantime, the status quo will remain, in that only limited information will be shared until such time as the policies and procedures are developed and implemented.

New program debts to be collected

A letter of concurrence was signed in February 2017 to update the existing umbrella MOU between the CRA, ESDC and the Commission, to reflect two additional ESDC program debts that the CRA will commence collecting: the Canada Apprentice Loan program debts (Apprentice Loans Act, Canada Student Financial Assistance Act), and the Temporary Foreign Worker Program’s new Administrative Monetary Penalties.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: The personal information collected is used for the administration of the collection of Government Programs (GP) debts, such as tracing and locating debtors, determining ability to pay and making decisions pertaining to the collection of the debt. Legal actions, such as garnishment or federal court action, are taken when necessary to resolve the account. GP collections does not pursue compliance/regulatory investigation or law enforcement, surveillance or intelligence gathering that targets specific individuals because penalties, criminal charges or sanctions are applied by ESDC. The GP collections program undertakes the recovery activities to collect the unpaid debts.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information includes name, date of birth, contact information and financial information. To determine debtors’ ability to pay and to resolve accounts, collection officers request that debtors provide information concerning their current and past employment, as well as income, expenses, asset and liability information, and other information that may be pertinent. Medical information is collected and used for hardship determinations.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: GP collections employees access information from other CRA programs and other federal, provincial, municipal, or private sector organizations. In some cases, an external third party service may be used to help locate debtors and identify income sources. All information that is obtained is stored in DARS.

The federal, provincial, municipal, or private sector organization sources are the following:

Federal institutions:

Provincial partners:

Municipal partners:

Private Sector:

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: This is a long-term program.

E) Program population

The program affects certain individuals for external administrative purposes

Level of risk to privacy: 3

Details: GP collections affects individuals with debts arising from ESDC programs.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance of individual debtors who are the subject of collection action.

However, as part of the CRA security program, CRA employees who have access to DARS are logged and monitored through the use of audit trails, in order to verify that only authorized employees access personal information and to ensure that the accesses can be linked to specific individuals, to support the investigation of suspected or alleged misuse. This activity is described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Tracing Macro (Local Application Repository - LAR ID: 829 version 11) is the only automated tool used for matching or extracting personal information elements. The Tracing Macro is a technology-based information retrieval process tool. It retrieves personal data (limited to debtors’ names, addresses, and employment histories) from the following CRA mainframe applications:

The Tracing Macro only extracts information; it does not formulate, guide or determine what administrative actions are to be taken.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: N/A

Information obtained using the Tracing Macro:

GP collections uses all of the above elements. The collection, use, and circulation of hardcopy documents containing personal information obtained via the Tracing Macro search are handled on a secure basis, with documents distributed to employees who need the information to perform their duties.

The Tracing Macro is a technology-based information retrieval process and it retrieves personal data from CRA mainframe applications.

Transmission of personal information not obtained via Macro:

In some cases, personal information not obtained by use of the Tracing Macro is transmitted electronically via secure remote access. Examples include GP collection officers who may have a telework arrangement, as well as managers who use BlackBerry devices. The security measures described in CRA’s Standards for the Transmittal and Transport of Protected and Classified Information and Assets are followed.

Access to DARS is based on the AppGate and Citrix applications. AppGate login requires the use of authentication tokens or grids instead of Public Key Infrastructure (PKI) certificates, along with ESDC Active Directory user identification (ID) for authorized CRA employees assigned to collection activities on behalf of ESDC. PKI certificates are used to send encrypted email containing "Protected B" level information between the CRA and ESDC.

DARS connects to a series of ESDC mainframe systems relating to specific programs, including the On Line Insurance System (OLIS) for EI, the Information Technology Renewal Delivery System for CPP, the Canada Student Loans System, and the Enterprise Resource Planning Software. DARS is fed information from these other systems, to establish debts or update addresses. Additionally, when agreed deductions from EI benefits are entered in DARS, this updates OLIS.

Regarding level 4, the use of wireless technology is increasing, as is the need for greater accessibility to the CRA environment from anywhere. The Secure Remote Access (SRA) for laptops and the BlackBerry platforms are the Information Technology Branch’s (ITB) answers for accessing the CRA environment while away from the office. Sending Protected A and B information using wireless technology has low risk. Protected C or Classified information must not be discussed, stored, or processed on a BlackBerry device.

H) Risk impact to the individual or employee

Details: In the event of a privacy breach, such as inadvertently disclosing personal information to an unauthorized person or losing someone’s personal information, the impact on the individual debtor could be significant. If a person’s personal information becomes compromised, the initial concern is misuse of personal information, which could potentially lead to the individual becoming a victim of identity theft. His/her information may be used without his/her knowledge or consent in ways that could result in damage to reputation and/or financial loss to that individual (e.g. misuse of the individual’s credit card information, or debts being incurred on their behalf, etc.).

I) Risk impact to the institution

Details: Protecting privacy and confidentiality is paramount to CRA’s administration of GP collections. The biggest risk of a privacy breach is the public’s loss of trust in the CRA, which could influence compliance behaviour. The negative media attention and potential damage to reputation caused by a breach would be very challenging to repair. This could even open the CRA to potential lawsuits. The public places a lot of confidence in the CRA and believes that the CRA is vigilant in protecting taxpayers’ personal information. If this information is accidentally or deliberately disclosed, or compromised, it could cause the CRA embarrassment, as well as the loss of credibility and public trust.
