CRA Anonymous Internal Fraud and Misuse Reporting Line

Privacy Impact Assessment (PIA) summary - Security and Internal Affairs Directorate, Finance and Administration Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Roch Huppé
Chief Financial Officer and Assistant Commissioner, Finance and Administration Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Program Activity: Travel and other administrative services include Government of Canada travel services, as well as those other internal services that do not smoothly fit with any of the internal services categories.

Description of the class of record and personal information bank

Standard or institution specific class of record:
Security Class of Record (PRN 931)

Standard or institution specific personal information bank:
Security Incidents and Privacy Breaches Personal Information Bank (PSU 939)

Legal authority for program or activity

Personal information is collected under the authority of Paragraph 30(1)(a) and (d) and Section 51 of the Canada Revenue Agency Act; Section 241 of the Income Tax Act and Section 295 of the Excise Tax Act and is used to verify if transactions are in accordance with the Acts and Regulations that the Agency administers by ensuring that employees view or modify taxpayer or other sensitive information solely within their assigned workloads.

The requirements for repayments, malfeasance or negligence and indictment for officers or persons acting in any office or employment or any person acting in any office or employment connected with the collection, management or disbursement of public money are set out in Subsection 38 (2), section 78, paragraphs 80 (1) (b), (c), (d) and (e), subsection 80 (2) and section 81 of the Financial Administration Act.

Paragraph 16.4 (1) (b) of the Federal Accountability Act sets out the appropriate minister’s responsibilities and accountability to Parliament to maintain effective systems of internal control in the department and Section 122 of the Criminal Code sets out the indictment for an official who, in connection with the duties of his office, commits fraud or a breach of trust.

Summary of the project / initiative / change

This initiative is intended to provide individuals with an anonymous means to report suspicions of fraudulent activity engaged in by employees and/or management. Individuals now have a new communication channel to report suspected internal fraud and misuse through the CRA Anonymous Internal Fraud and Misuse Reporting Line administered by an independent third party contractor.

An anonymous reporting line managed by a third party is offering the additional security of being able to report suspected unethical behaviour anonymously, confidentially, and securely. By making the reporting line available to individuals, the CRA is ensuring that individuals are able to speak up with confidence. The external service provider is completely independent from the CRA, and the reporting line system resides on their own secure servers.

An individual may use either the web-based system or the telephone line system to report allegations of internal fraud and misuse. Individuals will be able to write text in freestyle form in the web application and choose the category the allegation relates to. Individuals that are reporting will be reminded not to provide any of their own personal information or any information that would identify them. The reporting line system assigns them a secure login ID and password for the report that they submitted. They can log into the system or call the line and use their login ID and password to check the status of their report. Since the login ID and password are system-generated, their anonymity is maintained.

The external service provider system collects the information and submits it to designated employees of the Internal Affairs and Fraud Control Division (IAFCD), which are automatically notified (via email) by the system when a report has been submitted. They can log in to view the report and may ask follow-up questions and inform the submitter about how the report is being addressed. The external service provider does not review reports submitted into the system – this is the responsibility of authorized individuals in the IAFCD, Security and Internal Affairs Directorate (SIAD), who ensure that reports are reviewed and investigated as appropriate, in a fair and timely manner – as they would do for any reports received through other channels.

The IAFCD reviews all allegations received through the anonymous reporting line to determine if it is about a current CRA employee, and if it is relates to internal fraud or misuse. If so, the matter will be investigated. If not, the matter will be closed. While individuals will be encouraged to only use the reporting line for what it is meant, a “no wrong door” approach will be applied. If individuals report something that is not considered internal fraud or misuse, the situation will be handed to the proper avenue, and is out of scope for this PIA. In addition, the interactive feature of the tool will be used to inform employees of the appropriate channel for the matter individuals reported.

All personal information collected and held by the external service provider will be the property of the CRA. As such it will be subject to the Access to Information and Privacy Acts in the same manner as any information held by the IAFCD. They will deliver to the CRA all personal information in whatever form and documentation which have been made or obtained in relation to the contract, upon the completion or termination of the contract, or at such earlier time as CRA may request. Upon delivery of the personal information to the CRA, they will have no right to retain that information in any form and must ensure that no record of the personal information remains in their possession.

This method of reporting internal fraud or misuse is completely anonymous: the information individuals report will not be audio recorded or traced.  If individuals are using the online system, the session is encrypted and the IP address is not identified with the report. If individuals are calling the telephone line and speaking to a live operator, the call is not recorded, nor is caller ID used. The report is transcribed by a trained operator into the reporting line system verbatim (in the exact words, word for word). 

The scope of this PIA was restricted to the time an individual files a report to the CRA Anonymous Internal Fraud and Misuse Reporting line via the web site or by using the telephone line, and the review of the allegation to determine if it will be investigated or not.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details: The reporting line is available to individuals to report allegations of internal fraud and misuse of employees of the Agency. If it is determined that the allegation is about a current CRA employee, and if it relates to internal fraud or misuse the matter will be investigated.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details: The information expected to be received through the reporting line includes allegations or suspicions of employee misconduct related to internal fraud or misuse. The information may include personal information of employees and occasionally it might include taxpayer information such as name, contact information, financial information, marital status, etc. Individuals that are reporting will be able to write text in freestyle form in the web application and choose the category the allegation relates to (for example; financial management and fraud; abuse of authority; breach of trust). Individuals that are reporting will be reminded not to provide any of their own personal information or any information that would identify them.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments.

Level of risk to privacy: 4

Details: The information or allegation received through the reporting line may be shared within the CRA.

The reporting line is being hosted by a privately owned Canadian corporation through an online (web) system and telephone line system; however, no information pertaining to the allegations received (for example the total number of cases investigated or investigation results) will be shared with the third party.

D) Duration of the program or activity

Short–term program:

Level of risk to privacy: 2

Details: The reporting line is currently a short term initiative. A two-year contract was awarded (with an additional optional three-year contract) for the reporting line.

E) Program population

The program affects certain employees for internal administrative purposes.

Level of risk to privacy: 1

Details: The initiative will only impact certain CRA employees based on allegations of misconduct received through the CRA anonymous internal fraud and misuse reporting line.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information.

Risk to privacy: Yes

Is the new or modified program or activity requires any modifications to IT legacy systems and/or services?

Risk to privacy: No

Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

Details: However, personal information will be matched manually.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: When a report is received by the external service provider system, automatic notifications are sent through email immediately to the CRA’s authorized reviewers in the Internal Affairs and Fraud Control Division (IAFCD). Authorized reviewers are also automatically notified whenever an individual provides additional information, either through a comment, or by uploading documentation or further information. The CRA authorized reviewers, will access the allegation using an Internet based system provided by the external service provider.

The submitters will receive a login ID and password when submitting a report so that they can login again at a later date to check the status of their report.

All allegations received through the reporting line will be copy/paste in the IAFCD case management system and a tracking sheet used for statistical purposes that contains the IAFCD internally assigned case number, the Branch or Region, the category of allegation, where it was referred if it did not meet the IAFCD mandate and the result of the preliminary analysis. The information is stored on a server and in a shared network drive only accessible by authorized employees of the IAFCD, for internal use (referral to other areas, closed cases or cases requiring investigation services). There is no direct link/connection with the external service provider system and CRA systems.

H) Risk impact to the individual or employee

Details: There is a risk that the individual may suffer embarrassment that could have a negative effect on an individual’s career and/or reputation if the report is disclosed without his/her knowledge or consent. There is also a risk that such a privacy breach could influence his or her career in terms of how his or her performance is assessed.

I) Risk impact to the institution

Details: There is a risk that the Agency may suffer embarrassment, and loss of public and employee confidence if the report is disclosed without the knowledge or consent of the individuals to whom it pertain. Such a breach would have the potential to generate a grievance, privacy complaint, or in the most extreme case, legal action.

Page details

Date modified: