Insider Risk Management (Guardian) Program – Phase I

Security Services Directorate
Security Branch

Overview & Privacy Impact Assessment Initiation (PIA)

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Harry Gill
Assistant Commissioner and Agency Security Officer
Security Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Travel and Other Administrative Services

Standard or institution specific class of record:

Security
PRN 931

Standard or institution specific personal information bank:

Insider Risk Management (Guardian) Program
TBS Registration Number: pending
Bank Number: CRA PPU 921

Legal authority for program or activity

Canada Revenue Agency Act

Matters over which Agency has authority

30(1) The Agency has authority over all matters relating to

Human resources management

51(1) The Agency may, in the exercise of its responsibilities in relation to human resources management,

Summary of the project, initiative or change

Overview of the Program or Activity

The legislative requirements to protect taxpayer information commit the Canada Revenue Agency (CRA) and the Government of Canada (GC) at large to maintaining public confidence in the ability of the Agency’s workforce to protect the information entrusted to the CRA.

The Guardian Program is managed by a new unit within the CRA’s Insider Risk Monitoring Section (IRMS), a unit under the Personnel Risk Assessment Division (PRAD). The PRAD sits under the Security Services Directorate (SSD), which is one of several directorates under the Agency’s Security Branch.  

Our ongoing commitment to supporting our employees in building taxpayer confidence is the driving force behind the CRA’s Guardian Program, including:

The goal of the Guardian Program is to create a holistic and comprehensive continuous assurance approach to mitigating insider risks. This will be accomplished by leveraging existing CRA capabilities and information, learning from the experience of other government departments and industry best practices, and assisting in the development of new security controls and processes.

An insider risk can be characterized as an individual with access to and/or knowledge of a company, organization, or enterprise who can exploit its vulnerabilities and misuse that access in a manner that negatively affects the organization. This may involve espionage, sabotage or intellectual property theft. An insider can be anyone with access to specific resources, networks, systems, operations and facilities, such as current or former employees, business partners, or contractors. An insider can also be acting on behalf of a foreign state actor, which could constitute a threat to Canada’s national security.

The Guardian program has three key objectives:

The CRA’s approach to personnel security continuous assurance will look closely at both how security incidents related to insider activities happen and why they take place. The outcome will be establishing a framework / mechanism for identifying technical and behavioural indicators that can proactively identify potential risks. This converged approach involves centralizing the orchestration of security and other controls across various threat domains.

During Phase I of the Guardian Program, user information from various CRA systems will be collected and analyzed to identify alerts which are shared with CRA stakeholders, who, in turn, are responsible for further assessing/investigating those alerts. 

The Guardian Program will aim to further protect the information, assets, systems and revenues entrusted to the CRA from insider risks by applying the People First philosophy, while continuing to respect the privacy rights of employees and individuals working for or with the CRA. The Agency’s development of the Guardian program is well aligned with the other continuous assurance initiatives currently underway in the Government of Canada.

Insider risk mitigation includes security controls that detect, prevent, and respond to insider activity by integrating and analyzing available technical information and anomalous behaviour to provide continuous assurance while respecting privacy requirements. Empowering employees to comply with their security obligations, with education, care, trust and support at the forefront, while verifying the effectiveness of our security controls, is the cornerstone of a robust Guardian Program.

For the purposes of this PIA, the term “Insider Risk” will be used to refer to the topic in general and to describe more specific incidents involving inadvertent human error, as well as malicious actions.

Scope of the Privacy Impact Assessment

The PIA approach adopted by the Treasury Board Secretariat (TBS) is iterative in nature and advises that PIAs should be undertaken when personal information is used for or is intended to be used as part of a decision-making process that directly affects the individual, and for a new or substantially modified program or activity.

The methodology and approach outlined in the TBS’ Directive on Privacy Impact Assessment and the Office of the Privacy Commissioner’s (OPC) Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada were used as the basis for this document.

This PIA focuses on the implementation (April 1, 2023) of Phase I of the Guardian Program, which includes the description and analysis of the collection, use, disclosure, and retention of personal information. 

Specifically, the scope of this PIA includes the following:

  1. Collection of personal information from internal stakeholders in order to create models;
  2. Storage, access, and use of the personal information collected by the Guardian Program;
  3. Business rules and procedures in creating and analyzing data/data models, as well as the creation of alerts;
  4. The thresholds and procedures utilized to create/not create an alert;
  5. Sharing an alert with internal stakeholders;
  6. Retention and disposition of Phase 1 records.

The development of this PIA included the following: 

Out of Scope of this PIA

This iteration of the PIA does not include the full slate of detection models and does not include any new systems and/or IT-based tools. Updates to this PIA are anticipated as the CRA determines the scope and timelines of future phases of the Guardian Program.

Also out of scope are the investigative activities and disclosures of the internal stakeholders who receive an alert from the Guardian Program, the investigative procedures of those internal stakeholders, and the potential subsequent administrative actions (training/awareness, employee discipline, prosecution). This includes fraudulent actions contravening the Criminal Code of Canada or the Financial Administration Act, as well as other corrective measures that may be taken by the Agency leading to criminal investigations and prosecution by other investigative bodies (i.e., RCMP). While the potential outcomes of these cases will be referred by the CRA for investigation purposes, the investigations themselves are considered to be out of scope of this PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details:

In Phase I, the Guardian Program will create 2 manual detection models in order to provide a continuous assurance approach to identifying and mitigating insider risks. The results garnered from the detection models may be shared with internal stakeholders, who have the discretion to use the information for training, awareness, and/or employee disciplinary action.

This will be accomplished by leveraging existing CRA capabilities and information, learning from the experience of other government departments, industry best practices and assisting in the development of new security controls and processes.

The Guardian program has three key objectives, which are to:

  • Develop and implement a continuous assurance framework that leverages innovative technologies to identify and assess the risk of insider activities that could impact CRA’s security posture while respecting the privacy rights and civil liberties of individuals working for or with the CRA.
  • Identify and address CRA policy and culture gaps, as well as related trends in non-compliance using a People First philosophy, that is, to better support service delivery and to make it easier for employees, contractors, and trusted partners to understand and comply with their security responsibilities.
  • Develop and implement a mechanism that supports employees at all levels in consistently applying the CRA Integrity Framework.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. 

Level of risk to privacy: 4

Details:

In order for the Guardian Program to provide the CRA with continuous assurance by way of the detection, deterrence and response to insider risks, personal information on CRA personnel (employees, students, and contractors) is collected and analyzed in order to identify potential issues of concern. The personal information indicators collected from CRA personnel consist of data falling into three categories:

  1. CRA network activity;
  2. Human Resources information; and
  3. Security Branch information.  

These indicators are assessed by the Guardian Program and may result in an alert being created for issues of concern. The alerts will be shared internally with CRA stakeholders, who are required to perform further assessment/investigation. At no time does the CRA view a single indicator as confirmation of insider risk activity. Instead, the indicators are triggers requiring further assessment/investigation to confirm whether insider risk activity has occurred or may be about to occur. The internal stakeholders who may receive indicator alerts from the Guardian Program include Internal Affairs, Personnel Security Screening, Security (incidents and breaches), Security Risk Assessment, IT Security/Cyber Security, Information Security, Internal/External Fraud, Human Resources, and Labour Relations.

C) Program or activity partners and private sector involvement

Within the institution (amongst one or more programs within the same institution)  

Level of risk to privacy: 1

Details:

The Guardian Program is internal to the CRA, and there are no external partners involved in the collection of personal information, the creation of data models, or the sharing of alerts. Alerts are only shared with internal stakeholders, which are anticipated to be limited to the following CRA groups: Internal Affairs, Personnel Security Screening, Security (incidents and breaches), IT Security/Cyber Security, Information Security, Human Resources, and Labour Relations.

Once an alert is shared with an internal stakeholder, that stakeholder will follow their program’s internal processes and procedures for resolution/investigation of the alert.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

The Guardian Program is a long-term program that seeks to further protect the information, assets, systems and revenues entrusted to the CRA from insider risks, while continuing to respect the privacy rights of CRA personnel.

E) Program population

The program affects certain employees for internal administrative purposes.

Level of risk to privacy: 1

Details:

The Guardian Program will impact all CRA personnel, which includes indeterminate employees, casual employees, term employees, students, and contractors. The impacts may include internal administrative purposes, such as training, awareness, and various types of employee discipline.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

    Risk to privacy: No

  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

    Risk to privacy: No

  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details:

Phase I of the Guardian Program will leverage existing Microsoft Office products including Microsoft Excel, Access, and Word, with manual data compilation and analysis. Microsoft Office products including Excel, Access, and Word will be used to ingest existing data from multiple sources - within the CRA and on CRA networks - containing personal information for the purpose of conducting further analysis.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

The sensitivity of information utilized through the Guardian Program is considered Protected B.

In the event of a privacy breach (unauthorized use/disclosure), the possible impacts to the individual or employee could include loss of privacy, moderate personal financial injury and/or embarrassment to the employee.
