Collections Tax Programs – Privacy impact assessment summary

Collections and Verification Branch
Collections Directorate

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Collections

Description of the class of record and personal information bank

Standard or institution specific class of record:
Collections
Record Number: CRA CVB 190

Standard or institution specific personal information bank:
Collections
Bank Number: CRA PPU 050

Legal authority for program or activity

Section 2 of the Canada Revenue Agency Act (CRAA) defines program legislation as being any Act of Parliament or any instrument made under it, or any part of an Act or instrument that the Governor in Council or Parliament authorizes the Minister, the Agency, the Commissioner or an employee of the Agency to administer or enforce. This provision explicitly names the Air Travellers Security Charge Act (ATSCA), the Customs Act (CA), the Excise Act (EA), the Excise Act, 2001 (EA, 2001), the Excise Tax Act (ETA), the Income Tax Act (ITA), and the Softwood Lumber Products Export Charge Act, 2006 (SLPECA) resulting in these statutes becoming program legislation.

The Canada Pension Plan (CPP) and the Employment Insurance Act (EIA) are not identified in section 2 of the CRAA; however, subsection 92(2) of the CPP and subsection 97(1) of the EIA make the Minister of National Revenue responsible to administer and enforce certain parts of those statutes. Accordingly, the CPP and EIA are also included in the program legislation.

Section 241 of the ITA prohibits the disclosure of personal information unless there are specific circumstances which are identified in the legislation that allow the information to be disclosed. With the exception of ATSCA, all of the program legislation has similar provisions to those of section 241 of the ITA.

Summary of the project / initiative / change

Brief overview of the program or activity

The Collections Tax Programs (CTP) of the Canada Revenue Agency (CRA) is responsible for the collection of outstanding debts on behalf of the Government of Canada (GoC), all Provinces with the exception of Quebec, and the Territories. The types of debts that the CRA collects include; individual and corporate taxes, taxes owed by deceased individuals, estates and trusts, individual credit and benefit overpayments, payroll deductions, non-resident Part XIII tax, air travellers security charges, softwood lumber products export charges, Goods and Services/Harmonized Sales Taxes (GST/HST), duties and levies on products manufactured or services used in Canada, as well as fees, other charges, penalties, and interest. In regards to GST revenues that are charged within the Province of Quebec, those debts are collected on behalf of the GoC by Revenu Québec.

This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to personal information relating to the administration of CRA’s CTP activities. Therefore, when preparing the PIA consideration was given to such things as:

Also considered were the sources that the CTP gathers information from which include data on the CRA’s internal systems gathered by other CRA program areas, clients, third parties, social media, as well as public and private sector organizations that are external to the CRA.

Examples of issues not considered when preparing this PIA include; auditing and verification processes, systems maintenance, notices of assessment issued to establish the amounts of debts, the dispute process, Tax Payer Relief, and the accounting functions as these are under the responsibility of others CRA programs. Privacy impacts that concern the collection of debts relating to either the Collections – Government Programs (GP) and Customs Collections Programs (CCP) are not addressed in this PIA.

What's new

The federal government is in the process of implementing levies for cannabis as well as a carbon tax. If these new revenues are adopted, Collections Tax Programs will collect any arrears that may arise from these measures if they are adopted. This Collections Tax Program Privacy Impact Assessment will be reviewed and updated should these initiatives be implemented.

Debt Management Call Centre technical officers currently listen to live calls between collection agents and clients by using Remote Quality Listening technology. These calls enable technical officers to provide immediate feedback to the collection agent and assists collection agents with their training and learning needs. While the calls are not recorded at this time, it is expected that they will be recorded in the near future once technology, policies and procedures are developed. The Remote Quality Listening technology is out of scope for this Collections Tax Programs Privacy Impact Assessment. It should be noted that this subject is addressed in the Contact Centre Operations Privacy Impact Assessment IC-096893.

The Collections Verification Workload Management System, currently under planning and development, is intended to be a fully integrated system that will replace a number of the existing technologies currently being used by Collections and Verification Branch to manage workloads. It is expected that this system will feature a comprehensive client view with increased functionality and will be a more effective workload management system. The first workload to migrate to this new system will be incoming referrals received from tax treaty partners. This is scheduled to commence in the fall of 2019, but the system will only have limited functionality initially.

Atrium is being developed as a stand-alone IT solution which will enable Collections Tax Programs to share personal information with Government Programs. The Atrium system will be used to store the Collections Tax Programs information and to initiate collection actions on Government Programs accounts. Atrium is being adopted in response to legislative amendments made to clause 241(4)(d)(xviii) of the ITA. This solution will ensure that the personal information, once communicated to Government Programs, will only be available and used for the intended purpose of assisting in the collection of Government Programs debts as required by the legislation.

Collections Tax Programs is developing technology and a process that will enable banks to electronically send documents to the CRA by secure means when responding to Requirements for Information. Banks will not be compelled to use this process and can choose to opt in or opt out. TD Bank and CRA have entered into an agreement regarding this method of document transmission and a pilot with the bank is expected to be implemented in due course.

Collections Tax Programs has implemented policies and procedures regarding the use of social media to gather information that concerns clients who are under review by Collections Tax Programs. The policies and procedures that pertain to these activities are contained in internal communication products. When Collections Tax Programs officers collect information from internet and social media sites, newspapers, media reports, etc., they must ensure the information is accurate before inputting it into Collections Tax Programs’ electronic systems.

In order to ensure that there is no risk to personal information, the Collections Tax Programs has also implemented new procedures when information is shared between the CRA and Revenu Quebéc. Due to existing incompatibilities between CRA and Revenu Quebéc email systems, Security and Internal Affairs Directorate and Strategy and Integration Branch have approved the use of WinZip to send and receive information by secure email.

The Collections Directorate has developed a privacy statement for use with electronic letters. Currently all letters in the Electronic Letter Creation System in use by Collections Directorate are under review. As part of this review consideration will be given as to which letters should include the Privacy Statement. This review may take up to one year. In addition to the foregoing, Collections Directorate will consider whether a verbal privacy statement should be developed and implemented.

The Program Risks and Analysis Section (PRAS) in conjunction with the Business Intelligence, Research & Analytics Division (BIRAD) are developing a business-intelligence self-service solution, to enable the Collections Program to perform more trend analysis, using historical data and other variables, extracted directly from the Agency’s Data Warehouse. PRAS currently sends multiple queries to BIRAD who then retrieves the data and forwards it to PRAS. The queries often need to be modified due to the complexity of activities being analyzed, or the type of research being conducted. By using Cognos based analytical software, data can be obtained directly from a predetermined list of elements, making it timelier and a more cost efficient use of resources for both the PRAS and BIRAD teams. The data will be stored in the same manner as it is now on secured shared drives, with limited staff access. The data is needed to analyze and explain the current state of the Collections Program performance, predict client behaviours, measure the outcomes resulting from the implementation of past recommendations, and to make new recommendations for modifications to systems or changes to collection strategies, workflows, or procedural changes. This new tool is expected to be available by the first quarter of 2019 or sooner.

Scope of the privacy impact assessment

This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to personal information relating to the administration of CRA’s Collections Tax Programs activities. Among other things, this PIA considers the sources the Collections Tax Programs collects information from, which includes clients, third parties, social media, as well as public and private sector organizations that are external to the CRA.

Collections Tax Programs policies, procedures, training, systems, plans and strategies for program delivery, as well as the evaluating and reporting regarding the completion of the program, were examined when completing this PIA.

This assessment does not include auditing and verification processes, maintaining systems, the establishment of debts, the dispute process, Taxpayer Relief, or the accounting functions, as these are under the responsibility of other CRA programs. Privacy impacts relating to the collection of Government Programs debts are discussed in a separate PIA. Customs Collections Program debts will be examined in a separate PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details: The personal information collected by Collections Tax Programs is used to undertake and perform collection activities, such as tracing to locate clients, determining ability to pay, negotiating payment arrangements, and searching for recovery sources (e.g., employers, revenue sources, assets, etc.). The information also assists in making decisions to initiate legal actions, such as garnishment or certifying debts in the Federal Court of Canada when clients have not co-operated or voluntarily paid the amounts owed. In addition to collecting the assessed arrears, CTP may pursue some limited compliance activities such as requesting overdue tax returns or following up on missing remittances for employers’ source deduction accounts or Goods and Services Tax (GST) / Harmonized Sales Tax (HST) accounts. These activities are required in order to administer and enforce the Collections Tax Programs legislation.

Personal information is used to:

Telephone contact is only made with clients by the Debt Management Call Centres, National Verification and Collection Centres or Tax Services Offices.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information includes many different data elements. Examples include names, dates of birth, Social Insurance Numbers (SINs), contact information, marital status, and financial information. The information is used to verify clients’ identities and to determine clients’ ability to pay. Collection officers may request clients to provide information concerning their current and past employment, as well as families’ Incomes, Expenses, Assets, and Liabilities. In some instances, other relevant personal information may be gathered, in order to verify their unique circumstances. For example, medical information may be requested to justify extraordinary expenses to substantiate clients’ limited ability to pay debts or to determine if legal actions are appropriate, such as the seizure and sale of principal residences when clients, spouses, or their dependants have disabilities and reside there. This information may also support requests for Taxpayer Relief due to financial hardship. In such instances clients are directed to send their submissions for relief to Appeals Branch for consideration. Data may also be used to evaluate the progress regarding the completion of the program, assess employee performance, adherence to policies and procedures, as well as for other operational or reporting purposes. These data elements may be obtained or gathered from the Canada Revenue Agency’s (CRA) internal systems, from clients directly, or from external sources outside of the CRA.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments.

Level of risk to privacy: 4

Details: Collections Tax Programs gathers personal information while undertaking collections and limited compliance activities. In addition to the information that is gathered from CRA’s systems or directly from clients, information may also be obtained from other federal, provincial, or municipal organizations as well as from private sector service providers. Examples of such sources of information include provincial ministries of transportation, public registries, and credit bureau searches. The information obtained is helpful to locate clients, search for income sources that could be garnisheed, or identify assets that could be seized to recover amounts that are owed in the event that clients do not voluntarily pay the amounts they owe. 

Collections Tax Programs has investigative body status for the purposes of the Privacy Act. This enables the Collections Tax Programs to obtain information from some federal organizations that it would not otherwise be able to have access to.

Collections Tax Programs shares personal information with other CRA program areas, such as Appeals Branch to support assessments or International, Large Business and Investigations Branch to assist with their compliance actions. Collections Tax Programs may also share personal information with outside parties, which is only done under specific circumstances and when there is a legal authority that enables the information to be released. In the case of tax treaty partners, when Collections Tax Programs initiates or receives requests for assistance under the Assistance in Collection Agreements or for personal information under Exchange of Information Articles, the requests are coordinated by the Competent Authority Services Division of the International, Large Business and Investigations Branch. Policies, procedures, and legislation are in place to ensure the information that is shared is used only for the intended purpose it was released for.

D) Duration of the program or activity: Long-term program

Long-term program

Level of risk to privacy: 3

Details: Collections Tax Programs is a long-term program, which will remain in place indefinitely, as it is a key function that collects and protects Canada’s revenue base.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The Collections Tax Programs affects individuals who have outstanding debts. In some instances, third parties can also be affected by the Collections Tax Program by becoming subject to prosecution or being held jointly and severally liable for the debts of clients. Examples of such third parties include:

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Details: There are four items highlighted. The first item involves legislation which was passed to enact clause 241(4)(d)(xviii) of the Income Tax Act (ITA) which permits personal information to be communicated to assist with the collection of most Government Programs debts. Atrium, currently in use at the Department of Justice, is being customized/developed by Collections Directorate and is intended to be the electronic solution to implement the recent legislative change. The amendment permits personal information to be communicated when it assists with the collection of Government Programs debts and this clause will apply to most Government Programs debts. Atrium, which will be a stand-alone system, will be used to share and store Collections Tax Programs information.

The second item concerns the new Collections Verification Workload Management System which is under development. This system is intended to replace a number of Collections Tax Programs’ existing technologies that are currently being used to manage Collections Tax Programs’ workload.

The third item is an electronic solution to enable banks to respond electronically to Collections Tax Programs’ Requirements for Information.

The last item is an IT self-service solution under development which will enable Program Risks & Analysis Section (PRAS) to extract data directly from the Agency Data Warehouse. Currently Business Intelligence, Research and Analytics Division (BIRAD) extracts the data and sends it to PRAS. PRAS analyzes the information to identify trends, explain the current state of the Collections Program performance, predict client behaviours, measure the outcomes resulting from the implementation of past recommendations, and to make new recommendations for modifications to systems or changes to collection strategies, workflows, or procedural changes.

Appropriate policies and procedures will be developed and implemented as these initiatives are being launched.

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

Details: The Collections Verification Workload Management System is intended to be a replacement for a number of Collections and Verification Branch’s technologies that are currently being used to manage Collections Tax Programs’ workload.

The new or modified program or activity involves the implementation of one or more of the following technologies.

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: Yes

Details: On occasion, this program may involve the use of surreptitious surveillance of clients who are the subject of collection action. For example, under certain circumstances field officers may follow clients who have histories of receiving cash payments in order to identify income sources for garnishment purposes.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: Similar to other tax administrations, the CRA collects, analyzes, and stores a vast amount of data. New technologies and faster processing enables the CRA to more effectively access, integrate, and analyze this data. This enables Collections Directorate to take advantage of better business intelligence, in an effort to predict clients’ behaviours and create opportunities for the CRA to positively influence clients’ to comply with time requirements for reporting and payment requirements. In turn, this enables accounts to be selected and streamed through various strategies to collect debts in the most efficient way possible. Automated strategies may include issuing reminder letters, making well-timed phone calls, to assigning accounts to collection officers for collection action.

After the automated strategies have been applied and the accounts are assigned to a Debt Management Call Centre, clients’ personal information is used to program the auto-dialer. In turn the auto-dialer selects the next most appropriate account, dials the clients’ number, then directs the call to an available collection agent. The data is also useful to:

The Collections Tax Programs uses automated Information Technology (IT) processes. These include:

Although the Collections Tax Programs make use of BI, it is out of scope for this Privacy Impact Assessment. BI is addressed in Collections and Verification Business Intelligence PIA, IC-076952.

The automated processes are drivers for changes to collection strategies, workflows, systems, or procedures to allocate workload and make the best use of Collections Tax Programs’ resources. Opportunities to make use of IT tools are constantly being explored. For example, the Specialty Workloads Section is currently working with Technology and Business Intelligence Directorate to use BI to automate the identification and assignment of accounts that are assessed as a result of Underground Economy initiatives and corporate registry reviews. Currently these accounts are being identified, assigned, and tracked manually. This use of BI will enable the Collections Tax Programs to re-direct resources more efficiently to program tasks rather than using them for administrative support purposes.

One current outcome regarding the use of BI resulted in the development and implementation of the Business Rules Engine which does the following:

Collections Tax Programs officers may also use Accounts Receivable Tables (ART) and Mainframe Macro applications, which automate the collection of personal information from specified CRA systems, such as Automated Collections and Source Deductions Enforcement System (ACSES) and Random Access Personal Information Database (RAPID). These tools facilitate the identification of relevant information needed to complete forms or prepare recommendations and assist in the collection of the accounts. The information is also useful to analyze accounts and inventories, determine program progress and results, and to adjust workload priorities when appropriate. In addition, the macros provide Collections Tax Programs officers tools such as viewing, creating, editing, modifying, storing, organizing and printing account or inventory data.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 4

Details: 

Information obtained using macros

Collections Tax Programs uses macros that are automated technology-based information processes, which retrieve and analyze personal data from CRA mainframe applications. Collection officers who require this information to perform their duties can run many of the macros themselves.

Transmission of personal information not obtained by macro

In some cases, personal information may be transmitted electronically via secure remote access and by using wireless technology. Examples include Collections Tax Programs officers who may have a telework arrangement, as well as managers who use Blackberry devices.

Use of wireless technology

Only Protected A and B information is transmitted using wireless technology. Protected C information is not transmitted to any remote location devices.

H) Risk impact to the individual or employee

Details: In the event of privacy breaches, such as inadvertent disclosures of personal information to unauthorized persons or loss of individuals’ personal information, the impact may be significant. If personal information becomes compromised, the initial concern is misuse of the information, which could potentially lead to the individuals becoming victims of identity theft and financial fraud. The information may be used without their knowledge or consent in ways that could result in damage to their reputations or result in financial losses (e.g., debts being incurred on their behalf from fraudulent loans or credit cards). The CRA has implemented safeguards to protect personal information. Examples include:

Page details

Date modified: