Identity Protection Services

Collections and Verification Branch
Individual Compliance Directorate 

On this page

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Marc Lemieux
Assistant Commissioner
Collections and Verification Branch (CVB)

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Returns Compliance

Standard or institution specific class of record:

Identity Protection Services Program
CRA CVB 180

Standard or institution specific personal information bank:

Identity Protection
CRA PPU 182

Legal authority for program or activity

Canada Emergency Response Benefit Act

Canada Emergency Student Benefit Act

Canada Recovery Benefit Act

Canada Workers Lockdown Benefit Act

A letter of authorization issued in accordance with section 11 of the Department of Employment and Social Development Act to the Canada Revenue Agency (CRA) regarding sections 4, 5, 9, 10, 12 and 13 of the Canada Emergency Response Benefit Act, signed on April 3, 2020, authorizes the CRA to collect personal information and administer the Canada Emergency Response Benefit Act for Employment and Social Development Canada.

A letter of authorization issued in accordance with section 11 of the Department of Employment and Social Development Act to the Canada Revenue Agency regarding sections 4, 5, 6, 10, 11, 12, 13, 14 and 15 of the Canada Emergency Student Benefit Act, signed on May 12, 2020, authorizes the CRA to collect personal information and administer the Canada Emergency Student Benefit Act for Employment and Social Development Canada.

A letter of authorization issued in accordance with section 11 of the Department of Employment and Social Development Act to the CRA regarding subsection 4(1), sections 6 and 7, subsection 8(2), subsection 11(1), sections 13 and 14, subsection 18(1), sections 20, 21, and 25, subsections 26(1) and (2), section 28, subsections 29(1), (2), and (3), sections 30, 31, and 32, subsections 35(2) and (3), and sections 37 and 38 of the Canada Recovery Benefits Act, signed on October 2, 2020, authorizes the CRA to collect personal information and administer the Canada Recovery Benefits Act for Employment and Social Development Canada.

A letter of authorization issued in accordance with section 11 of the Department of Employment and Social Development Act to the CRA regarding subsection 5(1), sections 7 and 8, section 12, subsections 13(1) and (2), section 16, subsections 17(1), (2), and (3), sections 18, 19, and 20, subsections 23(2) and (3), and sections 25 and 26 of the Canada Workers Lockdown Benefit Act, signed on December 2, 2021, authorizes the CRA to collect personal information and administer the Canada Workers Lockdown Benefit Act for Employment and Social Development Canada.

Income Tax Act
Subsection 220(1) – Minister’s duty
Subsection 220(2) – Officers, clerks, and employees
Subsection 220(2.01) – Delegation
Subsection 220(2.1) – Waiver of filing of documents
Section 231.1 – Information gathering
Section 231.2 – Requirement to provide documents or information
Section 237 – Social Insurance Number

Subparagraph 241(4)(a) – Where taxpayer information may be disclosed, an official may provide to any person taxpayer information that can reasonably be regarded as necessary for the purposes of the administration or enforcement of this Act, the Canada Pension Plan, the Unemployment Insurance Act, or the Employment Insurance Act, solely for that purpose.

Subparagraph 241(4)(d) (vii.6) - Where taxpayer information may be disclosed, an official may provide taxpayer information to an official solely for the purposes of the administration and enforcement of the Canada Emergency Response Benefit Act or the evaluation or formulation of policy for that Act

Subparagraph 241(4)(d) (vii.7) - Where taxpayer information may be disclosed, an official may provide taxpayer information to an official solely for the purposes of the administration and enforcement of the Canada Recovery Benefits Act or the Canada Worker Lockdown Benefit Act, or the evaluation or formulation of policy for those Acts.

Clause 241(4)(d)(xx)(A) - Where taxpayer information may be disclosed, an official may provide taxpayer information to an official of the Canada Revenue Agency solely for the purposes of the administration or enforcement of the Dental Benefit Act.

Subparagraph 241(4)(d)(xxi) and (xxii) - Where taxpayer information may be disclosed, an official may provide taxpayer information to an official of the Canada Revenue Agency solely for the purposes of the administration or enforcement of the Rental Housing Benefit Act, or to a person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of, the Canada Mortgage and Housing Corporation, solely for the purposes of the formulation or evaluation of policy for the Rental Housing Benefit Act.

Subsection 241(5) - Disclosure to taxpayer or on consent

Rental Housing Benefit Act
Section 8 – Minister of National Revenue
Section 13 – Social Insurance Number
Subsection 14(1) – Provision of information and documents

Dental Benefit Act
Section 11 – Minister of National Revenue
Section 15 – Social Insurance Number
Subsection 16(1) – Provision of information and documents

Canada Revenue Agency Act
Section 10 – Direction from other federal ministers
Subsection 30(1)(a) – Matters over which Agency has authority. The Agency has authority over all matters relating to general administrative policy in the Agency;
Section 61 – Contracts, agreements, and arrangements

Summary of the project, initiative or change

Overview of the Program or Activity

On March 25, 2020, the Government of Canada passed legislation to support workers and established the Canada emergency response benefit. As the pandemic continued, the Government rolled out more COVID-19 financial assistance payments, including:

The CRA is administering these benefits for Employment and Social Development Canada. The Identity and Integrity Review Section and the Identity Protection Services Program were created to ensure the integrity of the Canada emergency and recovery benefits by protecting the identity of Canadians in regard to unauthorized use of CRA accounts and services.

With the eventual end of the COVID-19 benefits, the Identity and Integrity Review Section began the consolidation of individual identity review work. The Identity Protection Services Program is gathering T1 individual identity workloads previously handled by the Refund Examination Section. This is being done for a more proactive and streamlined approach to identity theft issues, which will meet the Agency's timelines and service standards.

In February 2022, the Identity Protection Services Program started handling the T1 return workload, following procedures that were established by the Refund Examination Program. Some procedure amendments were introduced, based on lessons learned from recent work related to COVID-19 financial assistance. In December 2022, the Identity Protection Services Program became involved in administering the new Canada dental benefit and the Canada housing benefit, reviewing, and verifying applications suspicious in nature where unauthorized use of taxpayer information was suspected.

The mandate for the Identity Protection Services Program is to verify the identity of a taxpayer whose information is suspected of being used by an unauthorized third party and to take corrective action on the accounts of identity theft victims. In addition to our validation work, our objective is to proactively identify an increasing number of potential victims using business intelligence tools developed during the pandemic, mitigating the overall impact on taxpayers. To achieve this, we are participating in and contributing to filing trends and trend analysis. For example, we do data analysis at Headquarters and in the field to identify anomalies in filing patterns, changes in personal information, system access, etc., to safeguard CRA systems and Canadian taxpayers. This work cannot be achieved in a silo. We must work with other areas, internal and external to the CRA, to share identified trends. This helps groups working in the identity theft sphere to protect social insurance numbers (SINs) from being compromised. In addition, when warranted and as authorized by law, we share taxpayer information with internal and external stakeholders. Our program receives referrals from external parties and internal sections, as well as individuals reporting instances of suspicious activity related to their SIN.

Scope of the Privacy Impact Assessment

The scope of this privacy impact assessment is limited to the verification and confirmation of identities, to the identification of identity fraud and suspicious activity, and to the prevention of fraudulent transactions in regard to individual taxpayers and applicants for payments and refunds under:

The administration of individual returns and the administration of benefits for the CERBA, the CESBA, the CRBA, the CWLBA, the RHBA, and the DBA are excluded from the scope of this privacy impact assessment and are covered under separate privacy impact assessments. 

Risk identification and categorization

A) Type of program or activity

Compliance/regulatory investigations and enforcement  

Level of risk to privacy: 3

Details:

Personal information is used to verify and confirm identities, to identify identity fraud and suspicious activity, and to prevent fraudulent transactions.

If unauthorized use of taxpayer information (UUTI) is suspected on an account, control measures are placed on it, which will stop the processing of an income tax and benefit return, and prevent access to benefits under the CERBA, the CESBA, the CRBA, the CWLBA, the RHBA, and the DBA until a review is done. The program uses various control measures to alert identity protection service agents, as well as officers in other CRA program areas, of suspicious activity on an account.

UUTI may be confirmed with a taxpayer by the Identity Protection Services Program. In that case, personal information collected from the taxpayer will be used to adjust their account to accurately reflect their identity. Also, any corrections needed to calculate the taxpayer’s tax or benefit payments owing will be made.

The last step is to determine the control measures that will stay on the file. If UUTI is confirmed, the program maintains certain control measures and places the account in a predetermined monitoring period. However, the taxpayer has some choice in the measures to remain.

B) Type of personal information involved and context

Social insurance number, medical, financial, or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

To run the program, we collect various pieces of information from internal CRA systems for risk profiling. This includes, but is not limited to, the following:

This information gives us a picture of a taxpayer. A review of any changes, as well as experience and knowledge of ongoing trends, help officers to determine if changes are suspicious. If a change is determined to be suspicious, a CRA officer will directly contact the taxpayer to address the matter.

Once an account is flagged due to suspicious activity, taxpayer contact is started to obtain information to verify the taxpayer’s identity. We ask for the following information from all taxpayers:

This information is used to verify that we are in contact with a particular taxpayer and that the information in their account is accurate. Once this has been determined, then depending on activities in the file, we may also verbally verify with the taxpayer (or legal representative): date of birth, date of death, incarceration history, online services usage, authorized representatives, income tax and benefit return filing history, employment history, benefit application history, marital status, eligible dependants, and payment/accounting history. This list is not exhaustive. As schemes change, the systems and details we need to verify a taxpayer will vary.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

Within the CRA: Internally with our messaging, we have created processes and procedures to alert internal CRA programs when an account is flagged for suspicious activity, to allow a referral to our program for review. Depending on the program and nature of a referral, a follow-up may or may not be required. Where possible, information is transferred via internal systems, for example, direct-call transfers. However, when this is not possible, referrals are made via encrypted email transfer or internal case management systems.

With other federal institutions: For the delivery of the COVID-19 financial assistance payments, account information continues to be shared with ESDC on a regular basis to alert them of possible compromised accounts and to verify payment information before the release of payments by the CRA. The information to be shared and the methodology are outlined in the various memoranda of understanding with ESDC as well as the existing legislation under the Income Tax Act and Department of Employment and Social Development Act. The program receives personal information about fraud from the Canadian Anti-Fraud Centre.

With provincial, territorial, indigenous, and municipal government(s): The program receives personal information about fraud from regional law enforcement.

Private-sector organizations, international organizations, and foreign governments: To retrieve information from Equifax.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

This is a long-term program.

The program was created to verify benefits to help Canadians facing hardship as a result of the COVID-19 outbreak. Although no more applications can be submitted, enforcement activities could last a few years. As well, the program is being used to combat identity fraud in the T1 program, which has no end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The program affects individuals who apply for COVID-19 financial assistance, housing, or dental benefits, as well as taxpayers who file, or have filed, income tax and benefit returns and suspicious activity has been noted on their account.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

    Risk to privacy: Yes

  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

    Risk to privacy: Yes

  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

Personal information related to the COVID-19, dental, and housing benefit applications, is submitted to the CRA electronically using My Account by an individual using wireless or non-wireless technology. Personal information is also submitted via an automated telephone service by an individual to the CRA using a land-based phone line or cellular data. This Protected B information is then stored in various CRA systems and databases, which have access to other systems. In limited circumstances, the information can be transferred to a departmentally approved and secure portable device such as a secure USB key with a higher level of encryption.

Income tax and benefit returns can be submitted electronically (online or Interactive Voice Response) or on paper. The Protected B information is then stored in various CRA systems and databases. Requests for information from a taxpayer to verify filing can be submitted online, by fax, or by mail. This information is then stored in various CRA systems and databases, which have access to other systems and can be transferred to a secure portable device. All personnel may use laptops with full disk encryption and standard secure remote access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

ESDC’s data exchange mechanism, which is supported by Shared Services Canada, has existed for over a decade.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual. However, since the individual is a victim of identity theft, they are the only source from which information can be obtained to begin the verification and account correction process.

Page details

Date modified: