Contracting Integrity Verification

Privacy Impact Assessment (PIA) summary - Administration Directorate, Finance and Administration Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Mark Perlman
A/ Assistant Commissioner, Finance and Administration Branch

Head of the government institution / Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Asset Management - Acquisitions

Description of the class of record and personal information bank

Standard or institution specific class of record:
Procurement and Contracting Class of Record (PRN 912)

Standard or institution specific personal information bank:
Professional Services Contracts  Personal Information Bank (PSU 912) 

Legal authority for program or activity

The CRA has implicit authority to verify compliance with terms and conditions of CRA contracts when those terms are established either pursuant to subsection 42(1) of the FAA and its corresponding regulations, or subsection 750(3) of the Criminal Code. The CRA also has implicit authority to verify compliance with terms and conditions that are implicitly established as a result of CRA’s authority to contract or procure pursuant to sections 61 and 66 of the CRA Act.

Summary of the project / initiative / change

Acquisition Services involve activities undertaken to acquire a good or service to fulfill a properly completed request (including a complete and accurate definition of requirements and certification that funds are available) until entering into or amending a contract.

Risk identification and categorization

A) Type of program or activity

Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.)

The purpose of the Acquisition Services program is to acquire goods and services on behalf of CRA, while ensuring due diligence as a steward of public funds. The Contracting Integrity Verification Program will assist the CRA with this objective, by ensuring the integrity of individuals or companies who may be or already have been awarded contracts with the CRA. This will be done through verification with PWGSC’s integrity assessment database and further criminal record checks with the RCMP where necessary with a view to determine whether or not to award or terminate contracts with said individuals or companies.

Level of risk to privacy: 2

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Personal information collected and used in the CRA overall acquisition services program is described in the PIB cited above. Additional information collected as a result of the integrity verification process includes: criminal records checks/history information.

Level of risk to privacy: 3

C) Program or activity partners and private sector involvement

CRA will be disclosing to PWGSC information that it normally publishes on its website about individuals convicted of tax offenses. PWGSC will form a database from information obtained from CRA and other publicly available information from departments, provinces, territories and federal courts about individuals convicted of specific offenses. PWGSC will subsequently be providing integrity database verification for all CRA procurement transactions as defined by the CRA. In the event of a match in the integrity database, a Criminal Record Verification will be conducted by the RCMP. PWGSC will advise CRA of the results of the Criminal Records Verification.

Level of risk to privacy: 2

D) Duration of the program or activity

Long-term program

Existing program that has been modified or a new program or activity is established with no clear "sunset."

The Acquisition Services Program is a permanent solution established by CRA. The Integrity Assessment Program is also a permanent solution established by PWGSC whereby all individuals wishing to enter or having entered into contract with government institutions must be checked for any criminal history vis-à-vis specific offenses. CRA, although not subject to TB contracting policies, has decided to adopt PWGSC’s program to ensure the same standard of integrity for its own contracting process.

Level of risk to privacy: 3

E) Program population

The program affects certain individuals for external administrative purposes.

Anyone desiring a contract or already contracting with CRA, whether an individual or company (including sole proprietors and partners in partnerships) as well as any employee, shareholder or owner of a company, its parent, affiliates or subsidiaries forms part of the population of the Acquisition Services program. Those individuals and companies will be checked against the PWGSC Integrity Database. In the event of a match, with consent, they will also be subjected to criminal records check with the RCMP. Award and/continuation of contract will be determined by CRA based on this information.

Level of risk to privacy: 3

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity a modification of a legacy IT systems and services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Identify the applicable category(ies): N/A

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

A yes response to any of the above indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Personal information collected for the purpose of an integrity check and CCRV forms will be provided by suppliers to the CRA via email or FAX. CRA will transmit personal information in accordance with the requirements of the Policy on Government Security as per item 11.4 of the Memorandum of Understanding between CRA and PWGSC. Occasionally, wireless devices may be used by CRA employees to send those emails to PWGSC.

Level of risk to privacy: 4

H) Risk impact to the individual or employee

Individuals could become victims of identity theft and be exposed to significant financial risk. The types of personal information collected, if wrongfully disclosed, may also cause embarrassment or financial harm to a company or an individual and potentially hinder the individual or company from obtaining further contracts with other government departments.

I) Risk impact to the institution

The disclosure of personal information may result in a loss of the public’s trust and confidence in the CRA. This could damage the Agency’s image, and carry a risk of legal liability.