National Security Disclosures Program v1.0

Legislative Policy and Regulatory Affairs Branch
Charities Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Soren Halverson
Assistant Commissioner
Legislative Policy and Regulatory Affairs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Charities

Standard or institution specific class of record:

National Security Disclosures
CRA LPRAB 292

Standard or institution specific personal information bank:

National Security Disclosures
CRA PPU 202
TBS Registration number: Pending registration 

Legal authority for program or activity

The CRA has the legal authority to disclose taxpayer or confidential information to:

• the head of a Government of Canada institution listed in Schedule 3 of the Security of Canada Information Disclosure Act, or
• an official that the head of that institution designates for the purposes of that act

The following subsections give the CRA that authority:

• 241(9) of the Income Tax Act,
• 295(5.05) of the Excise Tax Act, and
• 211(6.5) of the Excise Act, 2001

Taxpayer or confidential information is defined under subsections:

• 241(10) of the Income Tax Act
• 295(1) of the Excise Tax Act, and
• 211(1) of the Excise Act, 2001

This information can be disclosed when the CRA has reasonable grounds to suspect that the information would be relevant to an investigation of whether:

• a person’s activity may constitute threats to the security of Canada, as defined in section 2 of the Canadian Security Intelligence Service Act, or
• a person may have committed any of the following offences:
  • a terrorism offence as defined in section 2 of the Criminal Code, and
  • an offence under section 462.31 of the Criminal Code, if that investigation is related to a terrorism offence as defined in section 2 of that act.

The CRA has designated responsibility to the Charities Directorate’s Review and Analysis Division to administer information disclosures that are relevant to investigations relating to threats to the security of Canada or to terrorism offences. When disclosing personal information for this purpose, the CRA uses the infrastructure and expertise already in place for protecting Canadian charities from terrorist abuse.

The Commissioner exercises these designation powers under section(s):

• 220 of the Income Tax Act
• 275 of the Excise Tax Act, and
• 8 and 9 of the Excise Act, 2001

Responsible use of the Security of Canada Information Disclosure Act

Best practices for the sharing of personal information by federal government departments and agencies continues to be guided by Canada’s existing legal framework. This framework includes the:

• Security of Canada Information Disclosure Act
• Canadian Charter of Rights and Freedoms, and
• Privacy Act 

With regard to the Security of Canada Information Disclosure Act, responsible information sharing entails:

1. respecting existing handling practices
2. sharing information relevant only to activities with a national security impact that “undermine the sovereignty, security or territorial integrity of Canada or the lives or security of the people of Canada,” and
3. sharing information only with federal government institutions with responsibilities or jurisdictions that are relevant to those activities.

The Security of Canada Information Disclosure Act does not:

• have precedence over any statutory or regulatory prohibitions or limitations on information sharing, nor
• replace the existing information sharing authorities of institutions, whether through an Act of Parliament, the common law, or the Crown’s prerogative.

Summary of the project, initiative or change

Overview of the Program or Activity

On August 1, 2015, the Security of Canada Information Disclosure Act came into force. Its purpose is to encourage timely and effective information-sharing from all federal government institutions to certain government institutions listed in Schedule 3 of the Act. Sharing information will protect Canada against activities that undermine national security.

Before the Government enacted the Security of Canada Information Disclosure Act, the Income Tax Act was the sole legislative authority for the CRA to share charity-related taxpayer information for national security purposes. It was limited to sharing information only with the:

• Royal Canadian Mounted Police
• Canadian Security Intelligence Service, and
• Financial Transactions and Reports Analysis Centre of Canada

Related amendments to the information sharing provisions under the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001 expanded the CRA’s disclosure authority to include:

• relevant taxpayer or confidential information, and
• institutions that have a national security mandate and are listed in Schedule 3 of the Security of Canada Information Disclosure Act

Specifically, the CRA must have reasonable grounds to suspect that the taxpayer or confidential information would be relevant to a national security investigation (as defined in the Canadian Security Intelligence Service Act) or an investigation of a terrorism offence (as defined in the Criminal Code). As a result, the CRA created the National Security Disclosures Program to administer the amended provisions.

CRA decides on a case-by-case basis whether to share taxpayer or confidential information in response to a request from a listed government institution.

The CRA can share taxpayer or confidential information with listed government institutions under the following circumstances:

1. Solicited disclosures: Listed institutions request taxpayer or confidential information from the CRA when they suspect the CRA may hold information relevant to a national security investigation.

Upon receiving a request for information, the National Security Disclosures Program assesses whether the request for information meets the statutory threshold for disclosure. If it does, program employees search internal CRA systems for relevant taxpayer or confidential information. After receiving Director approval, the program provides a formal disclosure response to the requesting government institution.

2. Proactive disclosures: During their regular duties, CRA employees may come across or uncover taxpayer or confidential information that could have an impact on Canada’s national security.

The program may proactively disclose this information to appropriate recipient government institutions when it has reasonable grounds to suspect that the information is relevant to their national security mandate.

In both instances, the program will include a written caveat stating that the institution may use the enclosed taxpayer or confidential information only for the purposes of carrying out the related national security investigation.

As well, as a matter of policy, the program takes additional due diligence by ensuring the described threat falls under the recipient government institution’s national security mandate.

Before disclosing taxpayer or confidential information to a government institution, the Director of the Review and Analysis Division must be satisfied that the threshold of “relevance” has been met. “Relevance” means that there must be a reasonable and objective basis to conclude that the information is important to disclose.

Other factors the Director may consider when determining whether the relevance threshold has been met include that the taxpayer or confidential information is:

1. connected to a defined national security activity
2. related to carrying out the national security duty or function

Consistent with the Canadian Charter of Rights and Freedoms and the Privacy Act, federal institutions must balance the fundamental rights and freedoms of Canadians with key national security objectives when disclosing personal information relating to threats to the security of Canada.

The National Security Disclosures Program ensures consistency with Canada’s legal framework by establishing:

1. illustrative examples of what constitutes a national security threat
2. a list of the 17 Government of Canada departments that may receive information
3. a clear threshold for disclosure, and
4. guiding principles for information sharing

The National Security Disclosures Program is responsible for:

• Receiving and documenting requests for taxpayer and/or confidential information from recipient government institutions, as well as receiving and documenting proposed pro-active disclosures of taxpayer and/or confidential information to recipient government intuitions arising from other areas of the CRA;
• Reviewing requests for taxpayer and/or confidential information from recipient government institutions, as well as reviewing proposed pro-active disclosures of taxpayer and/or confidential information to recipient government institutions arising from other areas of the CRA, to determine whether the statutory thresholds for disclosure have been met;
• Conducting searches of CRA internal systems and databases, and collecting taxpayer and/or confidential information from applicable areas of the CRA, to satisfy requests received from, or proposed proactive disclosures to, recipient government institutions when the statutory thresholds for disclosure have been met;
• Analyzing internally collected taxpayer and/or confidential information to determine the relevance of such data to recipient government institutions’ national security requests, investigations, and mandates;
• Processing disclosures by transmitting relevant taxpayer and/or confidential information to recipient government institutions when the statutory thresholds for disclosure have been met; and,
• Tracking, maintaining and destroying disclosure files according to the provisions of the relevant Records Disposition Authority.

The program retains control over whether to share taxpayer or confidential information, as well as the format and scope of the disclosure.

Scope of the Privacy Impact Assessment

The scope of this PIA covers the administration of the National Security Disclosures Program.

The disclosures of charity-related taxpayer information to and from government institutions listed in Schedule 3 of the Security of Canada Information Disclosure Act are addressed in a separate PIA and Personal Information Bank (Public Safety and Anti-Terrorism Program). Therefore, they are not included in this PIA.

Risk identification and categorization

A) Type of program or activity

Criminal investigation and enforcement / national security

Level of risk to privacy: 4

Details:

To administer the National Security Disclosures Program, the CRA gathers relevant information from the taxpayer or confidential information it initially obtained to administer the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001. This information may be from internal CRA systems and databases. The CRA then discloses that information to a recipient government institution to use for its own national security investigation and enforcement.

Specifically, when the request for information meets the statutory thresholds for disclosure under the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001, the CRA can disclose the information it obtained from other areas of the CRA to help the recipient institution meet its national security mandate. The National Security Disclosures Program can use the information contained in a request for information only for assessing whether legal disclosure thresholds have been met and for processing disclosures. 

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. 

Level of risk to privacy: 4

Details:

When a request for taxpayer or confidential information meets the statutory thresholds for disclosure under the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001, the CRA can disclose relevant information to government institutions listed in Schedule 3 of the Security of Canada Information Disclosure Act. “Taxpayer information” is defined in subsection 241(10) of the Income Tax Act, and “confidential information” is defined in subsections 295(5.05) of the Excise Tax Act and 211(6.5) of the Excise Act, 2001.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details:

1.  Within the institution:

The National Security Disclosures Program can gather relevant taxpayer or confidential information from any CRA program area for the purpose of disclosure to a recipient government institution listed in Schedule 3 of the Security of Canada Information Disclosure Act, as long as the information meets the statutory thresholds for disclosure under the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001. The program can do this according to:

• paragraph 8(2)(b) of the Privacy Act
• subsection 220(1) and subparagraph 241(4)(d)(ii) of the Income Tax Act
• subsection 275(1) and subparagraph 295(5)(d)(ii) of the Excise Tax Act, and
• section 8 and subparagraph 211(6)(d)(ii) of the Excise Act, 2001

2.  With other federal institutions:

Under the disclosure provisions of the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001, the National Security Disclosures Program may disclose relevant taxpayer or confidential information to the following government institutions listed in Schedule 3 (subsections 5(1) and 10(3)) of the Security of Canada Information Disclosure Act:

1. Canada Border Services Agency
2. Canadian Armed Forces
3. Canadian Food Inspection Agency
4. Canadian Nuclear Safety Commission
5. Canadian Security Intelligence Service
6. Communications Security Establishment
7. Department of Citizenship and Immigration
8. Department of Finance
9. Department of Foreign Affairs, Trade and Development
10. Department of Health
11. Department of Industry
12. Department of National Defence
13. Department of Public Safety and Emergency Preparedness
14. Department of Transport
15. Financial Transactions and Reports Analysis Centre of Canada
16. Public Health Agency of Canada
17. Royal Canadian Mounted Police

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

The National Security Disclosures Program is an ongoing program.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

It can affect individuals whose taxpayer or confidential information has been requested by or sent to a recipient government institution if that information is deemed relevant to threats to Canada’s national security and in support of a recipient government institutions’ national security mandate. 

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
   Risk to privacy: No
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
   Risk to privacy: No
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transferred to a portable device or is printed.  

Level of risk to privacy: 3

Details:

Taxpayer or confidential information is collected from CRA systems.

Recipient government institutions listed in Schedule 3 of the Security of Canada Information Disclosure Act, including the CRA, transmit and store personal information using devices and systems that support classified information.

CRA employees use laptop and desktop computers with access controls. Laptop access to the CRA network from remote locations must be done using full disk encryption and standard secure remote access. The Information Technology Branch has developed an agency-wide telecommuting platform that offers users secure access to the network.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

As with all taxpayer and/or confidential information, if an individual’s personal information is somehow compromised or disclosed without statutory authority, affected individuals may become the victims of identity theft, and their information may be used without their knowledge in ways that could result in financial or reputational harm. If an individual’s personal information is disclosed to a listed national security institution without statutory authority, the individual’s expectation of privacy in relation to national security investigations may be compromised.