Leads Repository

Privacy Impact Assessment (PIA) summary - Research Risk and Business Management Directorate

Introduction

This document summarizes the Leads Repository (LR) privacy impact assessment (PIA) prepared for the Research Risk and Business Management Directorate (RRBMD) of the Canada Revenue Agency (CRA). This PIA focuses on mapping the business model and personal information (PI) data flows, identifying privacy issues and providing strategies for mitigating the identified risks relating to the collection, use, retention and possible disclosure of PI. For a detailed description of the personal information relevant to this program please refer to the personal information bank number Detections and Investigations - CRA PPU 095 in Info Source.

Description

The LR is a centralized national system for dealing with both internal and external leads regarding individuals that may not be in compliance with either the Income Tax Act or the Excise Tax Act. The LR enables all Tax Services Offices (TSOs) to create, review and control internal and external leads, tracking actions that result from internal and external leads. Personal information is stored in the LR.

This system will service CRA’s Compliance Program Branch (CPB), including, but not limited to the Enforcement and Disclosures Directorate (Informant Leads Program and Special Enforcement Program); CRA – Non CPB users; and the Public (to submit leads but not access the personal information in the repository). The application is intended to be made available, based on the user roles.

User groups will have clearly defined “roles” managed with a set of business rules.

Prior to the Leads Repository, the Canada Revenue Agency was already accepting leads from individuals regarding potentially non-compliant individuals or businesses however, the LR project is centralizing the information regarding leads and adding the capacity to submit a lead over an internet portal.

There is no intention for the program to collect any information in addition to what was already being collected; no new uses or disclosures of the information are currently being considered.

The value in amalgamating the databases from CRA’s perspective is that the Agency will be better able to develop business intelligence regarding work flows related to leads enforcements. The java-based software is incapable of allowing report generation within its user interface. The information must be pulled into a Cognos reporting tool for reports. After completing initial research regarding privacy protections, the LR development team has only enabled the capacity to extract data about work items for the purpose of aggregation and managing workload. There is no capacity to create reports that include information about identifiable individuals.

In addition to restrictions on report generation, internal users of the software cannot easily ‘print’ the information within the database. While they are capable of using a ‘print screen’ function, based on the Microsoft Windows operating system, printing of a more general nature has been disabled within the software.

PIA Findings

The CRA’s privacy risk mitigation action plan below summarizes the privacy risks identified through the PIA process along with the proposed recommendations and mitigation strategies.

There are a few areas in which the LR could improve privacy compliance:

1. The webpage that will be made available to informants to provide information regarding their lead must be updated to reflect an accurate privacy notice. In addition, a script should be provided to all personnel within the TSOs so that they can provide oral notice at the point of collection that meets the TBS standards.
   • A privacy notice has since been drafted and will be made available to informants.
2. The personal information bank (PIB) published within Info Source should be updated to reflect the collection of personal information from informants / associated individuals. Consideration should be given to updating the initial description in the PIB to reflect the legal authority for the collection. While not mandatory in the legislation, Treasury Board Secretariat (TBS) is requesting that new / updated PIBs contain this information.
   • The PIB was updated and sent to TBS and is included in Info Source.

In summary, the Leads Repository software application has followed the stringent privacy guidelines / approach as dictated by the Access to Information and Privacy Directorate. The CRA has a strong commitment to protecting the personal information contained within its databases.