Collections Tax Programs – Privacy impact assessment summary
Collections and Verification Branch
Collections Directorate
Overview & PIA initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Michael Snaauw
Assistant Commissioner
Collections and Verification Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator
Name of program or activity of the government institution
Collections
Description of the class of record and personal information bank
Standard or institution specific class of record:
Collections
Record Number: CRA CVB 190
Standard or institution specific personal information bank:
Collections
Bank Number: CRA PPU 050
Legal authority for program or activity
Section 2 of the Canada Revenue Agency Act (CRAA) defines program legislation as being any Act of Parliament or any instrument made under it, or any part of an Act or instrument that the Governor in Council or Parliament authorizes the Minister, the Agency, the Commissioner or an employee of the Agency to administer or enforce. This provision explicitly names the Air Travellers Security Charge Act (ATSCA), the Customs Act (CA), the Excise Act (EA), the Excise Act, 2001 (EA, 2001), the Excise Tax Act (ETA), the Income Tax Act (ITA), and the Softwood Lumber Products Export Charge Act, 2006 (SLPECA) resulting in these statutes becoming program legislation.
The Canada Pension Plan (CPP) and the Employment Insurance Act (EIA) are not identified in section 2 of the CRAA; however, subsection 92(2) of the CPP and subsection 97(1) of the EIA make the Minister of National Revenue responsible to administer and enforce certain parts of those statutes. Accordingly, the CPP and EIA are also included in the program legislation.
Section 241 of the ITA prohibits the disclosure of personal information unless there are specific circumstances which are identified in the legislation that allow the information to be disclosed. With the exception of ATSCA, all of the program legislation has similar provisions to those of section 241 of the ITA.
Summary of the project / initiative / change
Brief overview of the program or activity
The Collections Tax Programs (CTP) of the Canada Revenue Agency (CRA) is responsible for the collection of outstanding debts on behalf of the Government of Canada (GoC), all Provinces with the exception of Quebec, and the Territories. The types of debts that the CRA collects include; individual and corporate taxes, taxes owed by deceased individuals, estates and trusts, individual credit and benefit overpayments, payroll deductions, non-resident Part XIII tax, air travellers security charges, softwood lumber products export charges, Goods and Services/Harmonized Sales Taxes (GST/HST), duties and levies on products manufactured or services used in Canada, as well as fees, other charges, penalties, and interest. In regards to GST revenues that are charged within the Province of Quebec, those debts are collected on behalf of the GoC by Revenu Québec.
This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to personal information relating to the administration of CRA’s CTP activities. Therefore, when preparing the PIA consideration was given to such things as:
- policies and procedures;
- training;
- the role of technology including such things as automated collection strategies, use of macros, computer systems including development, enhancements and their use in workload management;
- budgeting and resourcing;
- the evaluation of and reporting on the CTP; and
- collection activities such as tracing, communications with clients, legal actions and the exercise of discretion through the delegation of Ministerial powers.
Also considered were the sources that the CTP gathers information from which include data on the CRA’s internal systems gathered by other CRA program areas, clients, third parties, social media, as well as public and private sector organizations that are external to the CRA.
Examples of issues not considered when preparing this PIA include; auditing and verification processes, systems maintenance, notices of assessment issued to establish the amounts of debts, the dispute process, Tax Payer Relief, and the accounting functions as these are under the responsibility of others CRA programs. Privacy impacts that concern the collection of debts relating to either the Collections – Government Programs (GP) and Customs Collections Programs (CCP) are not addressed in this PIA.
What's new
The federal government is in the process of implementing levies for cannabis as well as a carbon tax. If these new revenues are adopted, Collections Tax Programs will collect any arrears that may arise from these measures if they are adopted. This Collections Tax Program Privacy Impact Assessment will be reviewed and updated should these initiatives be implemented.
Debt Management Call Centre technical officers currently listen to live calls between collection agents and clients by using Remote Quality Listening technology. These calls enable technical officers to provide immediate feedback to the collection agent and assists collection agents with their training and learning needs. While the calls are not recorded at this time, it is expected that they will be recorded in the near future once technology, policies and procedures are developed. The Remote Quality Listening technology is out of scope for this Collections Tax Programs Privacy Impact Assessment. It should be noted that this subject is addressed in the Contact Centre Operations Privacy Impact Assessment IC-096893.
The Collections Verification Workload Management System, currently under planning and development, is intended to be a fully integrated system that will replace a number of the existing technologies currently being used by Collections and Verification Branch to manage workloads. It is expected that this system will feature a comprehensive client view with increased functionality and will be a more effective workload management system. The first workload to migrate to this new system will be incoming referrals received from tax treaty partners. This is scheduled to commence in the fall of 2019, but the system will only have limited functionality initially.
Atrium is being developed as a stand-alone IT solution which will enable Collections Tax Programs to share personal information with Government Programs. The Atrium system will be used to store the Collections Tax Programs information and to initiate collection actions on Government Programs accounts. Atrium is being adopted in response to legislative amendments made to clause 241(4)(d)(xviii) of the ITA. This solution will ensure that the personal information, once communicated to Government Programs, will only be available and used for the intended purpose of assisting in the collection of Government Programs debts as required by the legislation.
Collections Tax Programs is developing technology and a process that will enable banks to electronically send documents to the CRA by secure means when responding to Requirements for Information. Banks will not be compelled to use this process and can choose to opt in or opt out. TD Bank and CRA have entered into an agreement regarding this method of document transmission and a pilot with the bank is expected to be implemented in due course.
Collections Tax Programs has implemented policies and procedures regarding the use of social media to gather information that concerns clients who are under review by Collections Tax Programs. The policies and procedures that pertain to these activities are contained in internal communication products. When Collections Tax Programs officers collect information from internet and social media sites, newspapers, media reports, etc., they must ensure the information is accurate before inputting it into Collections Tax Programs’ electronic systems.
In order to ensure that there is no risk to personal information, the Collections Tax Programs has also implemented new procedures when information is shared between the CRA and Revenu Quebéc. Due to existing incompatibilities between CRA and Revenu Quebéc email systems, Security and Internal Affairs Directorate and Strategy and Integration Branch have approved the use of WinZip to send and receive information by secure email.
The Collections Directorate has developed a privacy statement for use with electronic letters. Currently all letters in the Electronic Letter Creation System in use by Collections Directorate are under review. As part of this review consideration will be given as to which letters should include the Privacy Statement. This review may take up to one year. In addition to the foregoing, Collections Directorate will consider whether a verbal privacy statement should be developed and implemented.
The Program Risks and Analysis Section (PRAS) in conjunction with the Business Intelligence, Research & Analytics Division (BIRAD) are developing a business-intelligence self-service solution, to enable the Collections Program to perform more trend analysis, using historical data and other variables, extracted directly from the Agency’s Data Warehouse. PRAS currently sends multiple queries to BIRAD who then retrieves the data and forwards it to PRAS. The queries often need to be modified due to the complexity of activities being analyzed, or the type of research being conducted. By using Cognos based analytical software, data can be obtained directly from a predetermined list of elements, making it timelier and a more cost efficient use of resources for both the PRAS and BIRAD teams. The data will be stored in the same manner as it is now on secured shared drives, with limited staff access. The data is needed to analyze and explain the current state of the Collections Program performance, predict client behaviours, measure the outcomes resulting from the implementation of past recommendations, and to make new recommendations for modifications to systems or changes to collection strategies, workflows, or procedural changes. This new tool is expected to be available by the first quarter of 2019 or sooner.
Scope of the privacy impact assessment
This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to personal information relating to the administration of CRA’s Collections Tax Programs activities. Among other things, this PIA considers the sources the Collections Tax Programs collects information from, which includes clients, third parties, social media, as well as public and private sector organizations that are external to the CRA.
Collections Tax Programs policies, procedures, training, systems, plans and strategies for program delivery, as well as the evaluating and reporting regarding the completion of the program, were examined when completing this PIA.
This assessment does not include auditing and verification processes, maintaining systems, the establishment of debts, the dispute process, Taxpayer Relief, or the accounting functions, as these are under the responsibility of other CRA programs. Privacy impacts relating to the collection of Government Programs debts are discussed in a separate PIA. Customs Collections Program debts will be examined in a separate PIA.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details: The personal information collected by Collections Tax Programs is used to undertake and perform collection activities, such as tracing to locate clients, determining ability to pay, negotiating payment arrangements, and searching for recovery sources (e.g., employers, revenue sources, assets, etc.). The information also assists in making decisions to initiate legal actions, such as garnishment or certifying debts in the Federal Court of Canada when clients have not co-operated or voluntarily paid the amounts owed. In addition to collecting the assessed arrears, CTP may pursue some limited compliance activities such as requesting overdue tax returns or following up on missing remittances for employers’ source deduction accounts or Goods and Services Tax (GST) / Harmonized Sales Tax (HST) accounts. These activities are required in order to administer and enforce the Collections Tax Programs legislation.
Personal information is used to:
- identify potential dangers of loss early in the collection process by assigning automated risk scores to accounts;
- develop new or enhance existing collection strategies through the use of business intelligence;
- assign low-risk accounts to particular collection strategies that have the best probability for the accounts to be resolved without human intervention; or
- allocate higher-risk accounts to Debt Management Call Centres, National Verification and Collection Centres, or Tax Services Office which involve human intervention and will result in more immediate attention.
B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: Personal information includes many different data elements. Examples include names, dates of birth, Social Insurance Numbers (SINs), contact information, marital status, and financial information. The information is used to verify clients’ identities and to determine clients’ ability to pay. Collection officers may request clients to provide information concerning their current and past employment, as well as families’ Incomes, Expenses, Assets, and Liabilities. In some instances, other relevant personal information may be gathered, in order to verify their unique circumstances. For example, medical information may be requested to justify extraordinary expenses to substantiate clients’ limited ability to pay debts or to determine if legal actions are appropriate, such as the seizure and sale of principal residences when clients, spouses, or their dependants have disabilities and reside there. This information may also support requests for Taxpayer Relief due to financial hardship. In such instances clients are directed to send their submissions for relief to Appeals Branch for consideration. Data may also be used to evaluate the progress regarding the completion of the program, assess employee performance, adherence to policies and procedures, as well as for other operational or reporting purposes. These data elements may be obtained or gathered from the Canada Revenue Agency’s (CRA) internal systems, from clients directly, or from external sources outside of the CRA.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments.
Level of risk to privacy: 4
Details: Collections Tax Programs gathers personal information while undertaking collections and limited compliance activities. In addition to the information that is gathered from CRA’s systems or directly from clients, information may also be obtained from other federal, provincial, or municipal organizations as well as from private sector service providers. Examples of such sources of information include provincial ministries of transportation, public registries, and credit bureau searches. The information obtained is helpful to locate clients, search for income sources that could be garnisheed, or identify assets that could be seized to recover amounts that are owed in the event that clients do not voluntarily pay the amounts they owe.
Collections Tax Programs has investigative body status for the purposes of the Privacy Act. This enables the Collections Tax Programs to obtain information from some federal organizations that it would not otherwise be able to have access to.
Collections Tax Programs shares personal information with other CRA program areas, such as Appeals Branch to support assessments or International, Large Business and Investigations Branch to assist with their compliance actions. Collections Tax Programs may also share personal information with outside parties, which is only done under specific circumstances and when there is a legal authority that enables the information to be released. In the case of tax treaty partners, when Collections Tax Programs initiates or receives requests for assistance under the Assistance in Collection Agreements or for personal information under Exchange of Information Articles, the requests are coordinated by the Competent Authority Services Division of the International, Large Business and Investigations Branch. Policies, procedures, and legislation are in place to ensure the information that is shared is used only for the intended purpose it was released for.
D) Duration of the program or activity: Long-term program
Long-term program
Level of risk to privacy: 3
Details: Collections Tax Programs is a long-term program, which will remain in place indefinitely, as it is a key function that collects and protects Canada’s revenue base.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: The Collections Tax Programs affects individuals who have outstanding debts. In some instances, third parties can also be affected by the Collections Tax Program by becoming subject to prosecution or being held jointly and severally liable for the debts of clients. Examples of such third parties include:
- non-compliant recipients of Requirements for Information;
- non-arms’ length transferees who receive assets from indebted clients for consideration of amounts that are less than fair market value;
- corporate directors when the corporations have not complied with all of the reporting and remitting requirements;
- legal representatives who disposed of clients’ assets without having obtained a clearance certificate; and
- recipients who have not complied with CRA’s garnishees that concern indebted clients.
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
Details: There are four items highlighted. The first item involves legislation which was passed to enact clause 241(4)(d)(xviii) of the Income Tax Act (ITA) which permits personal information to be communicated to assist with the collection of most Government Programs debts. Atrium, currently in use at the Department of Justice, is being customized/developed by Collections Directorate and is intended to be the electronic solution to implement the recent legislative change. The amendment permits personal information to be communicated when it assists with the collection of Government Programs debts and this clause will apply to most Government Programs debts. Atrium, which will be a stand-alone system, will be used to share and store Collections Tax Programs information.
The second item concerns the new Collections Verification Workload Management System which is under development. This system is intended to replace a number of Collections Tax Programs’ existing technologies that are currently being used to manage Collections Tax Programs’ workload.
The third item is an electronic solution to enable banks to respond electronically to Collections Tax Programs’ Requirements for Information.
The last item is an IT self-service solution under development which will enable Program Risks & Analysis Section (PRAS) to extract data directly from the Agency Data Warehouse. Currently Business Intelligence, Research and Analytics Division (BIRAD) extracts the data and sends it to PRAS. PRAS analyzes the information to identify trends, explain the current state of the Collections Program performance, predict client behaviours, measure the outcomes resulting from the implementation of past recommendations, and to make new recommendations for modifications to systems or changes to collection strategies, workflows, or procedural changes.
Appropriate policies and procedures will be developed and implemented as these initiatives are being launched.
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes
Details: The Collections Verification Workload Management System is intended to be a replacement for a number of Collections and Verification Branch’s technologies that are currently being used to manage Collections Tax Programs’ workload.
The new or modified program or activity involves the implementation of one or more of the following technologies.
Enhanced identification methods
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: N/A
Use of Surveillance
This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: Yes
Details: On occasion, this program may involve the use of surreptitious surveillance of clients who are the subject of collection action. For example, under certain circumstances field officers may follow clients who have histories of receiving cash payments in order to identify income sources for garnishment purposes.
Use of automated personal information analysis, personal information matching and knowledge discovery techniques
For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
Details: Similar to other tax administrations, the CRA collects, analyzes, and stores a vast amount of data. New technologies and faster processing enables the CRA to more effectively access, integrate, and analyze this data. This enables Collections Directorate to take advantage of better business intelligence, in an effort to predict clients’ behaviours and create opportunities for the CRA to positively influence clients’ to comply with time requirements for reporting and payment requirements. In turn, this enables accounts to be selected and streamed through various strategies to collect debts in the most efficient way possible. Automated strategies may include issuing reminder letters, making well-timed phone calls, to assigning accounts to collection officers for collection action.
After the automated strategies have been applied and the accounts are assigned to a Debt Management Call Centre, clients’ personal information is used to program the auto-dialer. In turn the auto-dialer selects the next most appropriate account, dials the clients’ number, then directs the call to an available collection agent. The data is also useful to:
- design programs and allocate resources;
- monitor the progress and results of the Collections Tax Programs throughout the program period;
- adjust priorities when required;
- identify when modifications or new policies and procedures are needed; and
- identify gaps in training.
- Business Intelligence (BI) to develop new or enhance existing collection strategies or workflows;
- predictive modelling which mines and analyzes data to predict client behaviour and determine the probability of which actions or interventions are most likely required to resolve particular accounts; and
- the Business Rules Engine to direct the accounts to the appropriate collection strategies or workflows.
Although the Collections Tax Programs make use of BI, it is out of scope for this Privacy Impact Assessment. BI is addressed in Collections and Verification Business Intelligence PIA, IC-076952.
The automated processes are drivers for changes to collection strategies, workflows, systems, or procedures to allocate workload and make the best use of Collections Tax Programs’ resources. Opportunities to make use of IT tools are constantly being explored. For example, the Specialty Workloads Section is currently working with Technology and Business Intelligence Directorate to use BI to automate the identification and assignment of accounts that are assessed as a result of Underground Economy initiatives and corporate registry reviews. Currently these accounts are being identified, assigned, and tracked manually. This use of BI will enable the Collections Tax Programs to re-direct resources more efficiently to program tasks rather than using them for administrative support purposes.
One current outcome regarding the use of BI resulted in the development and implementation of the Business Rules Engine which does the following:
- gathers and analyzes information from CRA’s internal systems to predict client behaviours and accounts that are likely to ‘self-resolve’;
- develops and implements workflow strategies to collect debts in the most efficient way possible;
- employs a ‘nudge’ approach, for lower risk accounts, enabling reminder letters to be sent, or using the Debt Management Call Centre auto-dialer to leave automated messages to inform and educate clients of their obligations and the benefits of filing and paying on time;
- identifies accounts with the highest risk and to assign risk scores to accounts which allows the Collections Tax Programs to focus its resources and efforts on debts that have the highest risk to the Crown; and
- captures and analyzes data to consistently report information over time to identify trends and make adjustments to the policies, procedures, or reset priorities as appropriate.
G) Personal information transmission
The personal information is transferred to a portable device or is printed.
Level of risk to privacy: 4
Details:
Information obtained using macros
Collections Tax Programs uses macros that are automated technology-based information processes, which retrieve and analyze personal data from CRA mainframe applications. Collection officers who require this information to perform their duties can run many of the macros themselves.
Transmission of personal information not obtained by macro
In some cases, personal information may be transmitted electronically via secure remote access and by using wireless technology. Examples include Collections Tax Programs officers who may have a telework arrangement, as well as managers who use Blackberry devices.
Use of wireless technology
Only Protected A and B information is transmitted using wireless technology. Protected C information is not transmitted to any remote location devices.
H) Risk impact to the individual or employee
Details: In the event of privacy breaches, such as inadvertent disclosures of personal information to unauthorized persons or loss of individuals’ personal information, the impact may be significant. If personal information becomes compromised, the initial concern is misuse of the information, which could potentially lead to the individuals becoming victims of identity theft and financial fraud. The information may be used without their knowledge or consent in ways that could result in damage to their reputations or result in financial losses (e.g., debts being incurred on their behalf from fraudulent loans or credit cards). The CRA has implemented safeguards to protect personal information. Examples include:
- Social Insurance Number (SIN) masked on most outgoing correspondence;
- confidential client information sent by encrypted email;
- profiles designed to match the needs for each Collections Tax Program job position to access the information needed to perform the duties;
- unique user-IDs and passwords assigned to each employee. System accesses are tracked and monitored using the National Audit Trail System to ensure information was only accessed when it was needed to perform the work;
- employee profiles reviewed twice yearly and accesses amended as required to ensure that employees’ ability to view information electronically from CRA’s systems continues to match the requirements of their jobs; and
- permission given to enable access to shared drives (note: in some cases required software is installed on individual employees’ computers to access information).
Page details
- Date modified: