Xenon Web Crawling Initiative

Privacy Impact Assessment (PIA) summary

What is the Xenon Web Crawler?

Xenon is a web crawling or web spider program that allows users to identify businesses operating on the Internet by sector or type of business. It does not monitor web sites, capture transactions, identify tax fraud or perform risk assessment. Xenon replaces existing Internet business identification processes that have been done manually in the past.

The Canada Revenue Agency (CRA) intends to implement the Xenon Web Crawler to identify eCommerce businesses for the purpose of identifying those that are failing to report income from Internet sales. The type of information that will be identified by the Xenon Web Crawler consists of:

• The URL or domain name of the web site,
• Web page contact data, and
• WHOIS data.

This technology is currently being used by other tax administrations seeking to enhance the compliance of persons engaged in electronic commerce.

How is this used?

Xenon results may be used to identify businesses for special Internet tax compliance projects or to enhance existing CRA risk assessment systems. Xenon may also identify active businesses that are not filing tax returns. In other cases, this information can be used to enhance how we select audits. See How we select files to audit on the CRA website for more, detailed information.

With the use of this software tool, the CRA is taking steps to ensure that businesses operating on the Internet are meeting their tax obligations. By continually gathering and assessing information about our operating environment and by applying this knowledge through our risk management processes, the CRA maintains a high level of integrity. The Agency works toward two strategic outcomes:

• Taxpayers meet their obligations and Canada's revenue base is protected; and
• Eligible families and individuals receive timely and correct benefit payments, contributing to the integrity of Canada's income security system.

Protecting Personal Privacy

The protection of personal information is paramount to the CRA. Our obligation to protect taxpayer information is established by the many acts we administer such as the Income Tax Act, Excise Tax Act and the Privacy Act. The CRA is committed to ensuring that information is protected according to the legislation. To accomplish this, internal assessments were conducted to identify and address privacy and security risks.

Furthermore, a Privacy Impact Assessment (PIA) was undertaken to ensure that the CRA is compliant with privacy requirements as outlined in the Privacy Act and other relevant legislation. The Office of the Privacy Commissioner (OPC) has been consulted prior to the development of the PIA; a Preliminary Privacy Impact Assessment was submitted for discussion purposes to assist in identifying privacy risks with this new technology.

Summary of the Xenon PIA

Identification of businesses operating on the Internet is a key step in accomplishing the CRA mandate of administration and enforcement of the ITA and ETA. Electronic Commerce Compliance Division (ECCD), Audit Professional Services Directorate had determined from previous initiatives that manual identification of Internet businesses is slow and labour intensive. ECCD started to examine software to crawl the Internet and has decided to implement the Xenon Web Crawler.

The Xenon information could be used, for example to:

• Identify Internet businesses for compliance projects, and
• Create an eCommerce segment for the CRA's existing risk assessment systems that would link the website(s) operated by a business to the known legal entity's BN (T1, T2 and/or GST account etc.). This will be used to develop risk assessment rules for file screening purposes for the eCommerce portion of the business, as is currently being done for various other CPB programs.

The privacy analysis examined the adherence to the ten privacy principles provided in the PIA Guidelines. The Xenon project involves the collection, and retention of personal information. A legal review of relevant aspects of the Xenon initiative was conducted and it confirmed that the CRA has the authority to collect personal taxpayer information in the manner proposed. Furthermore, the CRA recognized the importance of ensuring the public's continued confidence in the tax system. The Agency will guard against acquiring more personal information than it requires to perform its duties under the Income Tax Act and Excise Tax Act.

To increase awareness of the importance of safeguarding personal information, the CRA provides training to its employees outlining relevant policies regarding breaches of security and privacy. To this end, a Security and Privacy Awareness session has been developed and is being made available to CRA employees. As an additional safeguard, only authorized individuals have access to this data.
It is anticipated that the various program areas responsible for risk assessment systems within CRA will want to have access to the Xenon Web Crawler. A governance structure has been put in place to ensure program areas have a completed privacy analysis for any data matching activities (SOSTRA, PIA /or PPIA and IMRA as required). All aspects of physical, information technology and data security have been addressed to Agency standards, which meet or exceed Treasury Board standards.

Finally, procedures have been created to access personal information according to CRA information management, privacy, and security policies. View access profiles limit the type of data an end user can access.