Office of the Taxpayers' Ombudsperson v 2.0

Office of the Taxpayers' Ombudperson
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Éric Giguère
Office of the Taxpayers’ Ombudsperson

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Taxpayers' Ombudsman

The Taxpayers' Ombudsperson reports directly to the Minister of National Revenue and operates independently at arm's length from the management of the Canada Revenue Agency (CRA) and the CRA Board of Management; provides advice to the Minister of National Revenue about service matters in the CRA. The Office of the Taxpayers' Ombudsperson allows people to request independent and impartial investigations of service related complaints if they feel they have been treated unfairly or unprofessionally by the CRA.

Standard or institution specific class of record:

Taxpayers' Ombudsperson

Standard or institution specific personal information bank:

Office of the Taxpayers' Ombudsperson
TBS Registration Number: 20090527

Legal authority for program or activity

Order in council P.C. 2007 0828:

Whereas, pursuant to paragraph 127.1(1)(c) of the Public Service Employment Act, the Governor in Council may appoint a special adviser to a minister;

And whereas the Governor in Council deems it necessary that there be a special adviser to the Minister of National Revenue acting as the ombudsperson for taxpayers;

Therefore, Her Excellency the Governor General in Council, on the recommendation of the Prime Minister, hereby sets out in the annexed schedule the terms and conditions of employment of the special adviser to the Minister of National Revenue, to be known as the Taxpayers' Ombudsperson, who may be appointed by the Governor in Council under paragraph 127.1(1)(c) of the Public Service Employment Act.

Section 4 of the Order in Council identifies the mandate of the Taxpayers’ Ombudsperson to assist, advise and inform the Minister about any matter relating to services provided to a taxpayer by the CRA, including to review and address any request for review of a service complaint.

Summary of the project / initiative / change

Overview of the Program or Activity

The Office of the Taxpayers' Ombudsperson program conducts impartial examinations of complaints regarding the CRA’s service.

Under the program, complaints are submitted to the OTO by a complainant or their representative via mail, fax or OTO’s online complaint form. In rare cases, the complaints may be hand delivered or taken verbally. Anyone may call the Office of the Taxpayers' Ombudsperson’s general enquiry line for information prior to submitting a complaint. Details of the call will be logged in the General Enquiry phone log.

Complainants are required to complete a permission to disclose which enables the OTO to share information with the Canada Revenue Agency, and also permits the Canada Revenue Agency to provide information to the OTO. The complaint form states not to include Social Insurance Numbers (SIN) on any correspondence sent to the OTO as this information is not required to conduct the program.

Different information requests, Requests for Action or Urgent Requests for Action within OTO’s mandate are sent via encrypted email to a restricted mailbox at the Ombudsperson Liaison Office, in the Service, Innovation and Integration Branch. Hard copies of files are stored on OTO’s premises at 1000-171 Slater Street, Ottawa.

What’s New

On October 1st 2020, the Honourable Diane Lebouthillier, Minister of National Revenue, announced the appointment of the new Taxpayers’ Ombudsperson, Mr. François Boileau, effective October 5, 2020. 

Effective as of October 1st, 2020, the title for the position was changed from Taxpayers’ Ombudsman to Taxpayers’ Ombudsperson.

The OTO expects to be onboarding with the epost Connect solution late fall of 2021. Epost Connect is a secure online portal for electronically sharing sensitive information and documents outside of corporate networks. 

The CRA is now using epost to respond to access to information or privacy requests. The solution allows for communication and sharing of digital files with requestors in a safe, secure and timely manner. 

The OTO will be using the Canada Post epost tool to send and/or receive messages and electronic documents to/from taxpayers. The use of epost Connect will allow the OTO to securely release the required information directly to the taxpayer in a timely fashion (within the 72 hour window).

A Security Assessment Report, SE2021-05003 has been conducted and OTO’s Authority to operate has been approved.

Scope of the Privacy Impact Assessment

This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to the collection of personal information relating to the OTO program activities.

Not in scope for this privacy assessment is the epost solution.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services  

Level of risk to privacy: 2


The OTO conducts impartial examinations of complaints about the CRA’s service. 

If the complaint is determined to be within the OTO’s mandate, the complainant is required to complete a permission to disclose form which enables the OTO and the CRA to share information about the issue(s) identified by the complainant.

B) Type of personal information involved and context

Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

Level of risk to privacy: 2


The OTO handles only service related complaints. The complaint form requires the complainant provide the following personal information: their name, contact information, gender (optional). The language preference is not directly requested on the form but is determined and registered in the system by the language in which the complaint is made. 

If the complaint is determined to be within the OTO’s mandate, the complainant is required to complete a permission to disclose form which enables the OTO and the CRA to share information about the issue(s) identified by the complainant. Prior to submitting an online complaint, complainants are advised that “Personal information such as your social insurance number or personal tax details should never be sent to the Office of the Taxpayers’ Ombudsperson.”

All SINs and BNs are redacted by the CRA/Ombudsperson Liaison Office prior to sharing information with the OTO. The OTO employees are required to set up their voice mail using a predetermined script which specifically instructs the complainant that if and when leaving a message they are not to state any personal or tax sensitive information. In the rare event the complainant includes personal tax information, the OTO does not record the SIN. When communicating with the complainant, the OTO employees advise them that their SIN is not required. OTO employees do not have access to the CRA’s mainframe system.

Privacy Notice for Electronic Complaint Form

C) Program or activity partners and private sector involvement

Within the institution (amongst one or more programs within the same institution)  

Level of risk to privacy: 1


The OTO works to enhance the CRA’s accountability in its service, through independent and objective reviews of service-related complaints and systemic issues. The OTO operates independently and at arm’s length from the CRA and does not interact with other government bodies for the purposes of responding to complaints received.  

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3


The Taxpayers' Ombudsperson is appointed as a special advisor to the Minister of National Revenue for a period of 5 years. At the end of this term a new Ombudsperson will be appointed. The OTO is a long-term program with no sunset date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3


The Taxpayers' Ombudsperson fulfills their mandate by upholding taxpayer service rights and providing an independent and impartial review of unresolved complaints about the service or treatment provided by the CRA.

The Ombudsperson advises the Minister on any matter relating to the services provided by the CRA, and makes recommendations to improve the CRA’s service delivery and correct service issues.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
  2. Risk to privacy: Yes

  3. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
  4. Risk to privacy: No

  5. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy No

G) Personal information transmission

The personal information is transmitted using wireless technologies. 

Level of risk to privacy: 4


The electronic complaint form is housed in an application that uses a secure sockets layer (SSL) certificate with 2048-bit encryption capability. The use of this SSL certificate ensures that the information entered and/or received between the complainant’s computer or electronic device and the OTO is encrypted. Encryption is the translation or conversion of data into secret code to restrict and secure access.  

An SSL is a protocol that transmits communications securely over the internet through encryption and the use of security certificates. It enhances the privacy of the information passing between the complainant’s browser and a particular web service. Once a complaint is submitted online, it is received in a generic mailbox that is accessed by authorized individuals on a need to know basis only.

Epost Connect will provide a safe, secure and private option for communications, it is a message center and not email. All Connect activities occur within connect’s secure portal and are encrypted at rest and in transit. Data is protected with 256-bit AES encryption at rest and 128-bit encryption in transit with TLS 1.2. Epost Connect security controls support the processing of Protected B documents. Data is stored only in Canada so that it is not subject to intrusive access to information laws from foreign countries. All users will be required to create strong passwords to authenticate themselves before accessing conversations. 

All OTO employees have been provided with secure CRA laptops and cell phones.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee


If personal information was the subject of a breach, it could potentially cause the complainant to become the victim of identity theft, and the resulting financial harm could affect their quality of life. It could also cause psychological harm (e.g. distress, psychological trauma, serious inconvenience, serious embarrassment, etc.) or other financial harm that could affect their quality of life.

The level of risk is extremely low. Measures are in place to mitigate these types of risks. Only those individuals directly involved in the program have access to this information. Hard copy files are kept under lock when not in use, scanned copies of the files are entered into the secure Shared Case Manage System (SCMS). Access to the SCMS is on a limited need to know basis only. Information going between the Ombudsperson Liaison Office and the OTO is carried out through an encrypted limited access mailbox.


Page details

Date modified: