Telephone Enquiries Program

Privacy Impact Assessment (PIA) summary – Taxpayer Services Directorate, Taxpayer Services and Debt Management Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw,
Assistant Commissioner, Taxpayer Services and Debt Management Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Taxpayer Services - Enquiries

The Taxpayer Services - Enquiries and Information Products program develops and maintains information services and products to assist taxpayers in voluntarily complying with Canada's tax laws. It provides taxpayers with access to timely and accurate responses to their telephone and written tax enquiries and provides tax information through our Web site, as well as other targeted information products and services.

Description of the class of record and personal information bank

Standard or institution specific class of record:
Taxpayer Services - Enquiries Program Class of Record (CRA ABSB 141) - previously (CRA TSDMB 141)

Standard or institution specific personal information bank:
N/A

Legal authority for program or activity

Subsection 220(1) of the Income Tax Act and subsection 275(1) of the Excise Tax Act. Authority to acquire the Social Insurance Number is in the Excise Tax Act, section 277(1)(d) Social Insurance Number Disclosure Regulations. Access to taxpayer information to answer taxpayer enquiries and to validate the identity of the individual making the enquiries (self or authorized representative) is authorized by paragraph 241(4)(j) and subsection 241(5).

Summary of the project / initiative / change

The Canada Revenue Agency’s (CRA) telephone enquiries program provides support to individuals, benefit recipients, businesses and trusts to help them meet their tax obligations and to make them aware of their benefit entitlements, and assist them with their general or account specific enquiries. This program encourages compliance as it allows callers the opportunity to address any issues or obtain any information they need to meet their obligations and receive their benefit entitlements.

The telephone remains the most popular method for individuals to contact the CRA. These enquiries are addressed through agent answered and automated responses. During the fiscal year 2012/2013 over 23 million calls were answered, approximately 80% were account specific. The calls answered consisted of approximately 16.5 million agent answered calls and approximately 6.6 million automated responses.

Systems and processes are in place to support the telephone enquiries program including an Interactive Voice Response (IVR) System providing general and account specific (secure authenticated) information. The systems used by agents in the course of their work are central systems used by other CRA functions that include processing functions. The telephone program also monitors telephone calls for quality assurance as part of its National Quality & Accuracy Learning Program (NQALP). The NQALP is designed to provide a national standardized quality-learning tool to assist telephone agents with the goal of improving quality and accuracy. The results of the NQALP is used to give feedback to individual agents; to identify individual training needs; to identify local, regional, and national trends; and to realize efficiency gains. This leads to improved quality in the service we provide to our clients. No taxpayer data is collected or held as result of NQALP program.

The telephone enquiries program introduced the Email Link Management System which will give telephone call centre agents the ability to send an email to a taxpayer containing a link(s) to a form or publication. Once an agent confirms with a taxpayer that they would like to have the link sent, the agent opens the application prompting the agent to choose the requested publication(s) from a pick list. Once the agent selects the publication(s), the agent enters and confirms the email address of the taxpayer. Agents are not accessing confidential taxpayer information with this application nor are the email addresses stored. The taxpayer receives the email from a "do not reply" CRA email address - Canada Revenue Agency / Agence du revenu du Canada <noreply@cra-arc.gc.ca>.

The scope of this privacy impact assessment (PIA) is limited to the telephone enquiries portion of the enquiries program.

As Shared Services Canada (SSC) has the mandate for the centralization of the management of Government of Canada telecommunications networks, the scope of this PIA will not include:

Risk identification and categorization

A) Type of program or activity

Administrations of Programs / Activity and Services

Level of risk to privacy: 2

Details: Use of personal information in the administration of the telephone enquiries program is mainly focused on asking the caller enough information for the telephone agent to confirm a caller’s identity and respond to the caller’s enquiries. The telephone agent may also provide the following services:

Although the telephone program forwards informant leads to the Compliance Programs Branch for the administration of the informant leads program that may result in criminal charges, the informant leads information is not used as part of the telephone enquiries program and is not retained within the telephone program.

The telephone program uses the National Quality & Accuracy Learning Program (NQALP) to monitor telephone calls for quality assurance purposes. The NQALP is designed to provide a national standardized quality-learning tool to assist telephone agents with the goal of improving quality and accuracy in our telephone enquiry service.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive
Level of risk to privacy: 4

Details: The information provided during telephone enquiries will include anything an individual reveals when calling the CRA for personal, trust or business tax information and benefit related information. This could include the following:

The information is not captured as part of the National Quality and Accuracy Learning Program (NQALP). NQALP monitoring captures employee information limited to the name, office location and user ID of the employee being monitored, the name of the employee doing the monitoring, the date of the monitoring session, and the monitor’s observations on how the monitored employee follows policy and procedures when handling the call and answering the enquiry.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details: Information gathered through the telephone enquiries program is entered into the various CRA computer systems and can be used by various CRA areas to administer the related CRA programs. For example, information provided by an individual regarding his or her benefits could be entered in the T1Ben System to be processed by the Benefits program.

Shared Services Canada (SSC) owns the Interactive Voice Response (IVR) system through which calls are routed however; this information is considered to remain under the control of the CRA.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: These activities will continue indefinitely.

E) Program population

The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3

Details: The telephone enquiries program could affect certain employees or individuals who contact the CRA telephone enquiries line.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity a modification of a legacy IT systems and services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: Yes

Details: Call centre agents access various accounts to enable them to answer the callers’ questions.

As per the requirements of CRA’s Logging and Monitoring of Access to Taxpayer Information Policy, all accesses to identifiable taxpayer information are logged (audit trail). The use of an audit trail records information, such as user logon ID, date and time of logon, logout, user location, terminal identity, name and ID of taxpayer records accessed, including edits or changes made during each user session. The information is used to verify that only authorized users access personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse.

The monitoring of audit trails is currently limited to random "spot checks" to ensure compliance with CRA policies and standards and on case by case basis in response to an individual’s complaint, in support of an investigation into allegations or suspicion of unauthorized access or in response to an ATIP request. Audit trail reports are considered Protected B information as defined by the Identifying Protected and Classified Information and Assets Policy. Consequently the communication of the request, the audit trail report, and results of its analysis must be restricted to individuals with "a need to know." Audit trails are kept for seven plus one years.

In addition, CRA’s National Quality and Accuracy Learning Program involves the monitoring of telephone agent’s calls by certified listeners for quality assurance purposes. Both employees and callers are made aware that calls can be monitored. Callers are given the option to opt out however, there is no taxpayer information captured through the National Quality and Accuracy Learning Program.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: If the individual’s enquiry requires access to their account and release of personal or confidential information, the individual will be required to provide identifying information in order to authenticate the individual and to retrieve the required information. The information provided will be matched to the information on file with the CRA.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: Information gathered through the telephone enquiries program is a Level 2 risk. Taxpayer information gathered through the telephone enquiries program is not transferred to portable devices. The information gathered is entered into the various CRA computer systems and can be used by various CRA areas to administer the related CRA programs. Telephone enquiries agents are granted access by CRA program areas to assist callers. As the system owners, the program areas ensure the safeguards are in place.

The National Quality & Accuracy Learning Program application is a Level 3 risk. Information gathered through this program may be printed out in report format. These reports do not contain taxpayer information, however, may contain employee personal information. As such, they are marked as PROTECTED A and must be protected per requirements for PROTECTED A information. If transmitted it must be transmitted with adequate protection for the sensitivity of the information F&A Manual, Security, Chap 7.

H) Risk impact to the individual or employee

Details: Financial harm. If personal tax information is lost, it could result in financial harm to the individual (such as identity theft). NQALP is lower risk level – Reputation harm, embarrassment.

I) Risk impact to the institution

Details: Reputation harm, embarrassment, loss of credibility. If the CRA lost or misused information it would diminish the trust the public has in the CRA which could result in decreased compliance in the future. The Minister of National Revenue and the Commissioner of the CRA would take criticism if information was lost or misused in any way.

Page details

Date modified: