Monitoring of electronic access to taxpayer information v 2.0 - Privacy impact assessment summary

Finance and Administration Branch
Security and Internal Affairs Directorate 
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Janique Caron

Chief Financial Officer and Assistant Commissioner

Finance and Administration Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau

Director

Access to Information and Privacy Directorate

Name of program or activity of the government institution

Travel and Other Administrative Services:

Travel and other administrative services include Government of Canada travel services, as well as those other internal services that do not smoothly fit with any of the internal services categories. 

Description of the class of record and personal information bank

Standard or institution specific class of record:

Security - PRN 931

Standard or institution specific personal information bank:

Monitoring of Electronic Access to Taxpayer Information - CRA PPU 718

Legal authority for program or activity

Personal information collected, used, disclosed and stored by the Agency, including the implementation of the Enterprise Fraud Management Solution (EFMS) is governed by the following legislation: 

• Paragraphs 30(1)(a) and (d) of the Canada Revenue Agency Act
• Paragraphs 51(1) (f), (g) and (i) of the Canada Revenue Agency Act
• Section 220 of the Income Tax Act
• Subsection 241(1) of the Income Tax Act
• Sections 7, 8 and 9 of the Excise Tax Act
• Section 275 of the Excise Tax Act
• Subsection 295(2) of the Excise Tax Act
• Section 19 of the Softwood Lumber Products Exports Charge Act
• Subsection 84(2) of the Softwood Lumber Products Exports Charge Act
• Section 11 of the Children’s Special Allowances Act
• Subsection 10(1) of the Children’s Special Allowances Act
• SIN is collected pursuant to the Income Tax Act

Summary of the project / initiative / change

As part of the Canada Revenue Agency’s (CRA) Integrity Framework, the Security and Internal Affairs Directorate (SIAD) of the Finance and Administration Branch (FAB) serves to enhance CRA’s ability to prevent, monitor, detect, and manage breaches of integrity. Through its programs and activities, SIAD is responsible to oversee the national provision of services for internal administrative investigations into allegations of employee misconduct. These activities include a collaborative approach to manage the risk of internal fraud and unauthorized accesses by establishing necessary plans, controls and processes to prevent, detect and deter internal fraud and misuse within the Agency.

The program mandated to address misuse is the Internal Affairs and Fraud Control Program (IAFCP) which provides the Agency with a centralized and consistent approach to the administration, analysis, and reporting of monitoring of employee electronic accesses to taxpayer and other similar information.

Any Agency system processing taxpayer information (including the new Enterprise Business Intelligence [BI] Environment) must capture or record user activities of all employee accesses to taxpayer information in order to support the requirements specified in the Acts and Regulations administered by the CRA.

IAFCP leverages tools such as the Enterprise Fraud Management Solution (EFMS) to support the detection and management of fraud and unauthorized accesses on its systems. The EFMS is a commercial off the shelf software product developed by Bottomline Technologies that has considerably changed the manner in which the end-user activities are monitored within CRA. Using business intelligence, EFMS enables the proactive identification of questionable user activities, using detection models and data matching, along with increased ability to perform trend and pattern analysis, provide reports, and other responses to enquiries that sustain modern risk management. The EFMS also includes a data feed from the CAS and CRA mainframe systems with information about the employee for more effective and accurate detection functions, as well as for creating cases in the case management functionality. Information such as, but not limited to, the employee’s SIN, will be used behind the scenes for data matching purposes. Other CAS information such as employee job title, level, type of employment (indeterminate, term), will be used in the case management component of the EFMS. 

What's new

This PIA has been updated to include:

Prior to 2017, the Internal Affairs and Fraud Control Program (IAFCP) was known as the National Audit Trail Monitoring Program (NATMP) and the program’s system/tool used to monitor employee access to taxpayer information was called the Analysis Tool Audit Trail Records (ATRAT).

ATRAT was an interim solution which was modernized with the implementation of Enterprise Fraud Management Solution (EFMS) on April 1, 2017.  Upon the EFMS implementation date, the ATRAT was sunset and the NATMP program was renamed to the IAFCP. The IAFCP will enhance and strengthen the fraud control capabilities of the CRA.

New sources of personal information (PI):

• Information (same PI elements as previous PIA) will be captured from Business Intelligence (BI) environment;
• For CRA employees hired after April 18, 2016, verification of their SIN is obtained through the CRA user interface to the Phoenix pay system from Public Services and Procurement Canada (PSPC) – formerly verified through the Corporate Administrative Systems (CAS) - as a result of the Phoenix pay system implementation.

Scope of the privacy impact assessment

The PIA approach adopted by the Treasury Board Secretariat (TBS) is iterative in nature and advises that PIA updates should be undertaken at various milestones throughout a project's development life cycle. The methodology and approach outlined in the TBS’ Directive on Privacy Impact Assessment and the Office of the Privacy Commissioner’s (OPC) Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada were used as the basis for this document.

This PIA focuses on the monitoring of employee electronic accesses to taxpayer and other similar information through the Internal Affairs and Fraud Control Program and the Enterprise Fraud Management Solution (EFMS).

Completion of this PIA involved:

• Meetings with the CRA representatives;
• Review of TBS publications such as CRA’s submission to Info Source:  Sources of Federal Government Information;
• Review of legislation and policies pertaining to CRA’s programs; and
• Review of process documents pertaining to the Internal Affairs and Fraud Control Division and the implementation of the EFMS.

Out of scope of the privacy impact assessment

• The investigations into allegations of employee misconduct that may be carried out by the Agency’s Investigation Support and Analysis Section (ISAS) and the Internal Investigation Section is not addressed in this PIA;
• Where fraudulent actions contravene the Criminal Code of Canada or the Financial Administration Act, other corrective measures may be taken by the Agency leading to criminal investigations and prosecution by other investigative bodies (i.e. RCMP). While the potential outcomes of these cases will be referred by CRA for investigation purposes, the actual investigations themselves are considered to be out of scope of this PIA; and
• The Agency provides Revenu Québec (RQ) with the transactions/accesses made by their employees to CRA systems but no other information is added, and no detection models are applied on these transactions. RQ is responsible to monitor the accesses made by their employees to CRA systems.  For this reason, the monitoring of employee accesses to taxpayer and other similar information by RQ is considered to be out of scope of this PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

The Canada Revenue Agency collects taxpayer and other similar information for the administration of its tax and benefit programs. Any Agency system processing taxpayer information must capture or record user activities.  These records must determine who has accessed taxpayer information on any Agency system during a given period of time and what was accessed.

The Internal Affairs and Fraud Control program ensures that accesses to taxpayer information are in accordance with an employee’s workload and duties, and to detect possible unauthorized activities.

CRA policies and directives determine the Agency’s approach to managing the risk of internal fraud and misuse, and establishes effective measures for preventing and detecting internal fraud and authorized access where applicable. This may include corrective measures which, result in disciplinary action against an employee where an act of fraud has been committed (e.g. termination of employment). The Enterprise Fraud Management Solution (EFMS) capture technology enables the proactive identification of questionable user activities using business intelligence, detection models and data matching, along with increased ability to perform trend and pattern analysis, provide reports, and other responses to enquiries that sustain risk management and allow the IAFCD to identify unauthorized access, potential fraud or misuse.

In some cases, where fraudulent actions contravene the Criminal Code of Canada or the Financial Administration Act, other corrective measures may be taken by the Agency leading to criminal investigations and prosecution by other investigative bodies (i.e. RCMP). While the potential outcomes of these cases will be referred by CRA for investigation purposes, the actual investigations themselves are considered to be out of scope of this PIA.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

It is necessary to maintain a record of all accesses to taxpayer and other similar information to support the requirements specified in the Acts and Regulations that the Agency administers. In this regard, both employee and taxpayer and other similar information are collected.

Corporate Administrative Systems (CAS) fields feed directly into the Enterprise Fraud Management Solution (EFMS) in order to detect and flag questionable activities.

Employee personal information from CAS may include:  

• User ID
• First name
• Last name
• Home address
• Date of birth
• PRI
• Cost centre
• SIN

For CRA employees hired after the implementation of the Phoenix pay system, employee SINs are no longer stored in CAS. As a result, the CRA uses the Central Index system - owned by the Public Services and Procurement Canada (PSPC) - which holds employee identification information (including SINs) for all Government of Canada employees. In order to identify CRA employees in the Central Index system, all CRA employees have the organization code of NAR associated with their profile.

Newly hired employees’ SIN will be obtained by EFMS which scrapes the Central Index system with an automated program through CRA user interface. A limited number of CRA employees have access to this system including one employee in the CRA Information Security Division and one employee in CRA IT Security and Continuity Division (EFM IT).

Taxpayer and other similar information captured by the Enterprise Fraud Management Solution (EFMS) may include, but is not limited to the following personal information types:

• Account number (SIN, BN, trust, etc.)
• First name
• Last name
• Full name (taxpayer or business)
• Street address
• City
• Province
• Postal code

For clarity, the SIN and last name of the taxpayers are included in these records. The other personal information types may be included as part of the EFMS capture technology. For example, if a CRA employee views a screen with taxpayer credit history, then this information will be captured as part of the capture technology (screen capture). The personal information elements of the employee will be matched against the information contained in these records, which includes taxpayer and other similar information, to ensure that the requirements specified in the Acts and Regulations that the Agency administers are met.

The EFMS captures user activities as an employee navigates through CRA systems. Various fields may be matched to employee information based on the detection models, and then flagged for review for potential unauthorized access, internal fraud or misuse. Similarly, patterns of employee accesses to taxpayer and other similar information, or patterns of actions on a taxpayer account may be flagged for review.  The captures are then reviewed to verify if the employee’s actions were in accordance with his/her workload and duties.

Other information may be captured and reviewed. This information includes, but is not limited to:

• Citizenship status
• Credit information
• Date of death
• Financial information
• Medical information
• Gender

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details:

The monitoring of electronic access to taxpayer and other similar information is an internal activity administered within CRA. However, supplemental information will be obtained from the Central Index system (interface with the Phoenix pay system) owned by the Public Services and Procurement Canada (PSPC). 

D) Duration of the program or activity:

Long-term program

Level of risk to privacy: 3

Details:

The monitoring of electronic access to taxpayer and other similar information is an ongoing Agency activity with no expected sunset date. 

E) Program population

The program affects certain employees for internal administrative purposes.

Level of risk to privacy: 1

Details:

The Internal Affairs and Fraud Control program for the administration, analysis, and reporting of monitoring of employee electronic accesses to taxpayer and other similar information to ensure that accesses were in accordance with their workload and duties is an ongoing initiative. The program will only impact those employees with access to electronic taxpayer and other similar information. 

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? 

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic). 

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: Yes

Details: The Agency has procured an Enterprise Fraud Management Solution (EFMS). The EFMS is a commercial off the shelf software product developed by the software company Bottomline Technologies. The EFMS considerably changes the manner in which CRA’s internal affairs personnel identify and analyze questionable end-user activities via transaction captures and that provide a replay of employee activities within CRA systems.  The EFMS capture technology enables the proactive identification of questionable user activities using business intelligence detection models and data matching, along with increased ability to perform trend and pattern analysis, provide reports, and other responses to enquiries that sustain modern risk management.

The EFMS is completely dependent on data capture and data feeds of supplemental information to enable real-time capturing and retroactive review of end user activity.  All data is filtered, sorted and matched to form compliant transaction records. 

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior. 

Risk to privacy: Yes

Details: The Enterprise Fraud Management Solution (EFMS) enables real-time capturing and retroactive review of employee accesses to taxpayer and other similar information.  All compiled data is filtered, sorted and matched by the EFMS to flag possible internal fraud or misuse.

Information contained in employees’ personnel record, including the SIN, is used to monitor employee access to taxpayer and other similar information via CRA information systems. This information is matched against the information contained in EFMS captures, which includes taxpayer and other similar information, to ensure that the requirements specified in the Acts and Regulations that the Agency administers are met. The EFMS technology enables the proactive identification of questionable user activities using business intelligence, such as detection models and data matching, along with increased ability to perform trend and pattern analysis, provide reports, and other responses to enquiries that sustain modern risk management. 

G) Personal information transmission

The personal information is transferred to a portable device or is printed.  

Level of risk to privacy: 3

Details: The Enterprise Fraud Management Solution (EFMS) data is comprised of the live capture of CRA network traffic from applications on the mainframe or e-Business Computing Infrastructure (eBCI) platforms, imported National Audit Trail System (NATS) audit trail records, and supplemental data through file transfer processes. This includes, but is not limited to: 

• Deployment of network devices to enable real-time data capture.
• One-time migration of historical NATS audit trail records (four years plus current year) at EFMS production date.
• Ongoing import of NATS audit trail record data from applications not yet integrated to EFMS.
• Initial and periodic import of supplemental data.

A data feed from CAS is imported into the EFMS on a regularly scheduled basis, but the two systems will not be directly connected.

The EFMS considerably changes the manner in which CRA’s internal affairs personnel identify and analyze questionable end-user activities.  The EFMS capture technology enables the proactive identification of questionable user activities using business intelligence, such as detection models and data matching, along with increased ability to perform trend and pattern analysis, provide reports (electronically with the possibility to print), and other responses to enquiries that sustain modern risk management.

H) Risk impact to the individual or employee

Details: The sensitivity of information utilized through the Internal Affairs and Fraud Control Program is considered Protected B. Unauthorized use or disclosure of this information could result in loss of privacy, severe personal financial injury and or embarrassment to the employee and/or the taxpayer.