Office of the Taxpayers’ Ombudsperson v3.0

Office of the Taxpayers' Ombudsperson
Canada Revenue Agency


Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

François Boileau
Taxpayers’ Ombudsperson
Office of the Taxpayers’ Ombudsperson

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

The Office of the Taxpayers' Ombudsperson allows people to request independent and impartial examinations of service-related complaints if they feel they have been treated unfairly or unprofessionally by the CRA.

Standard or institution specific class of record:

Taxpayers' Ombudsperson
CRA OTO 330

Standard or institution specific personal information bank:

Office of the Taxpayers' Ombudsperson
CRA PPU 222
TBS Registration Number: 20090527

Legal authority for program or activity

Order in council P.C. 2020-0703:

Whereas, pursuant to paragraph 127.1(1)(c) of the Public Service Employment Act, the Governor in Council may appoint a special adviser to a minister;

And whereas the Governor in Council deems it necessary that there be a special adviser to the Minister of National Revenue acting as the ombudsperson for taxpayers;

Therefore, Her Excellency the Governor General in Council, on the recommendation of the Prime Minister, hereby sets out in the annexed schedule the terms and conditions of employment of the special adviser to the Minister of National Revenue, to be known as the Taxpayers' Ombudsperson, who may be appointed by the Governor in Council under paragraph 127.1(1)(c) of the Public Service Employment Act.

Section 4 of the Order in Council identifies the mandate of the Taxpayers’ Ombudsperson to assist, advise and inform the Minister about any matter relating to services provided to a taxpayer by the Canada Revenue Agency (CRA), including to review and address any request for review of a service complaint.

Summary of the project, initiative or change

Overview of the Program or Activity

The Office of the Taxpayers' Ombudsperson (OTO) program conducts impartial examinations of complaints regarding the CRA’s service.

A complainant or their representative can submit complaints to the OTO through mail, email, fax or using the OTO’s online complaint form. Anyone may call the OTO’s general enquiry line for information before submitting a complaint. Complainants must provide the OTO consent to enable the sharing of information between the OTO and the CRA. The forms ask complainants not to include their social insurance number.

The OTO also conducts examinations of systemic issues and emerging trends related to the CRA's service to taxpayers that can affect a large number of persons or a segment of the population. If not identified and appropriately addressed, a systemic issue could have a negative impact on taxpayers, recur and generate complaints. Systemic issues are identified through the complaints received by the OTO. The public or media could also help the OTO identify potential systemic issues that may need to be examined. The Minister may also request that the Ombudsperson undertake a systemic examination of a particular issue.

Once the systemic examination team has identified a potential systemic issue, the OTO follows three phases before reaching conclusions or making recommendations. These are:

The OTO sends requests for information, requests for action or urgent requests for action that are within their mandate via encrypted email to a restricted mailbox at the Ombudsperson Liaison Office, in the CRA’s Service, Innovation and Integration Branch. 

What’s New

Connect

In 2022, the OTO started using Canada Post’s Connect (formerly known as epost Connect) to send and receive messages and electronic documents to and from taxpayers. Connect is a secure online portal outside of corporate networks, which allows the OTO to securely release the required information directly to the taxpayer in a timely fashion.

More information about the security of Connect can be found below, in section G.

VOCALLS

The Virtual Office Calls Allocation System (VOCALLS) telephone system was implemented in 2020 to facilitate communication between OTO agents and those who call the OTO. 

VOCALLS is a CRA web-based application that allows OTO agents to make inbound and outbound calls without collecting sensitive taxpayer information and only using limited data, such as phone numbers and agents’ names, for statistical and operational purposes.

New Minister of National Revenue

As of December 20, 2024, the Ombudsperson reports to Élisabeth Brière, Minister of National Revenue.

Scope of the Privacy Impact Assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks relating to the OTO program activities.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services 

Level of risk to privacy: 2

Details:

The OTO conducts impartial examinations of complaints about the CRA’s service. If the complaint is determined to be within the OTO’s mandate, the complainant is required to complete a permission to disclose form which enables the OTO and the CRA to share information about the issue(s) identified by the complainant.

The OTO also conducts examinations of systemic issues and emerging trends related to the CRA's service to, and treatment of, taxpayers that can affect a large number of persons or a segment of the population and reports on the findings.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

The OTO handles service-related complaints only. The complaint form requires the complainant to provide the following personal information:

The OTO will use the language of the complaint to communicate with the complainant.

If the complaint is within the OTO’s mandate, the complainant is required to complete a permission to disclose form which enables the OTO and the CRA to share information about the issue(s) identified by the complainant. Prior to submitting an online complaint, complainants are advised not to send personal information such as their social insurance number or personal tax details.

All social insurance numbers and business numbers are redacted by the CRA’s Ombudsperson Liaison Office prior to sharing information with the OTO. OTO employees are required to set up their voice mail using a predetermined script which instructs the complainant not to state any personal or tax-sensitive information when leaving a message. If the complainant includes personal information, the OTO does not record social insurance numbers. If the complainant tries to provide their social insurance number when communicating with the OTO, OTO employees will advise them that it is not required. OTO employees do not have access to the CRA’s mainframe system.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details:

The OTO works to enhance the CRA’s accountability for service, through independent and objective reviews of service-related complaints and systemic issues. The OTO is functionally independent and operates at arm's length from the CRA; however, the OTO relies on a number of CRA internal services for its day-to-day administrative operations, and does not interact with other government bodies when responding to complaints. 

Canada Post provides the secure electronic delivery platform to share documents with complainants. The information exchanged through the service is encrypted. Canada Post does not have access to the information exchanged between the OTO agent and the complainant.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

The Taxpayers' Ombudsperson is appointed as a special advisor to the Minister of National Revenue for a period of five years. At the end of this term, a new Ombudsperson is appointed. The OTO is a long-term program with no sunset date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The program affects any individual who makes a complaint about the service or treatment provided by the CRA. In the case of a systemic examination, the program affects more than one person or a segment of the population.

The Taxpayers' Ombudsperson fulfills their mandate by upholding taxpayer service rights and providing an independent and impartial review of unresolved complaints about the service or treatment provided by the CRA.

The Ombudsperson advises the Minister on any matter relating to the services provided by the CRA, and makes recommendations to improve the CRA’s service delivery and correct service issues.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
    Risk to privacy: Yes
  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
    Risk to privacy: No
  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

The electronic complaint form is housed in an application that uses a Secure Sockets Layer (SSL) certificate with 2048-bit encryption capability.

Communications to the OTO are transmitted securely through encryption and the use of security certificates. Once a complaint is submitted online, it is received in a generic mailbox only accessed by authorized OTO employees, on a need-to-know basis.

Connect provides a safe, secure, and private center for messages. All Connect activities occur within Connect’s secure portal and are encrypted. Data is protected with 256-bit AES encryption at rest and 128-bit encryption in transit with TLS 1.2. Connect security controls support the processing of Protected B documents. Data is stored only in Canada so that it is not subject to intrusive access to information laws from foreign countries. All users are required to create strong passwords to authenticate themselves before accessing conversations.

All OTO employees have secure CRA laptops and cell phones which comply with the Government of Canada’s encryption and security standards. Telework is done through secure remote access.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If personal information were the subject of a breach, it could potentially cause the complainant to become the victim of identity theft, and the resulting financial harm could affect their quality of life. It could also cause psychological harm (e.g. distress, psychological trauma, serious inconvenience or serious embarrassment).

Page details

2025-07-03