2020–2021 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

In keeping with section 72 of the Privacy Act, each year the head of every government institution prepares and submits an annual report to Parliament on how their institution has administered the Privacy Act.

The following report is tabled in Parliament under the direction of the Minister of National Revenue. It describes how the Canada Revenue Agency (CRA) administered and fulfilled its obligations under the Privacy Act between April 1, 2020, and March 31, 2021. It also discusses emerging trends, program delivery and areas of focus for the year ahead.

Privacy Act

The Privacy Act protects the privacy of individuals by outlining strong requirements on how government institutions collect, retain, use, dispose of and disclose individuals’ personal information. As well, it gives individuals (or their authorized representatives) a right of access to their own information, with limited and specific exceptions and a right of correction and or annotation.

Individuals who are not satisfied with an institution’s handling of their personal information or of a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.

The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to ask for information online at canada.ca/en/revenue-agency or through the CRA’s toll-free phone lines.

About the Canada Revenue Agency

Operational environment including the impact of COVID-19

Privacy management program

Monitoring compliance

Privacy assessments

Interpretation and explanation of Appendix A – Statistical report

Interpretation and explanation of Appendix B – Supplemental statistical report

Conclusion

Appendix A – Statistical report

Appendix B – Supplemental statistical report

Appendix C – Delegation order

ISSN: 2563-3465

About the Canada Revenue Agency

The Canada Revenue Agency (CRA) promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians. The CRA does this by administering tax programs for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to partner with the provinces, territories and other government bodies to share information and it can administer enhanced services at the request of provinces and territories on a fee-for-service basis.

The minister of national revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.

The Board of Management, established by the Canada Revenue Agency Act, is made up of 15 directors appointed by the Governor in Council, 11 of whom are nominated by the provinces and territories. The other four directors include: the chair; the commissioner and chief executive officer of the CRA; and two directors nominated by the Government of Canada. The board oversees the administration and management of the CRA, including the development of the corporate business plan and management of policies related to resources, services, property and personnel. In fulfilling this role, the board brings a forward-looking strategic perspective to the CRA’s administration, fosters sound management practices and is committed to efficient and effective service delivery.

As the CRA’s chief executive officer, the commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the minister of national revenue’s delegated authority. The commissioner ensures that operations are guided by the CRA’s vision to be trusted, to be helpful and to put people first. As well, the commissioner is accountable to the board for the management of the CRA, which includes supervising employees, implementing policies and managing budgets. The commissioner also assists and advises the minister regarding legislated authorities, duties, functions and Cabinet responsibilities.

The CRA is made up of 12 functional branches and four regional offices across the country:

Branches

Appeals
Assessment, Benefit, and Service
Audit, Evaluation, and Risk
Collections and Verification
Compliance Programs
Finance and Administration
Human Resources
Information Technology
Legal Services
Legislative Policy and Regulatory Affairs
Public Affairs
Service, Innovation, and Integration

Regions

Atlantic
Ontario
Quebec
Western

Chief Privacy Officer

The assistant commissioner of the Public Affairs Branch is the CRA’s chief privacy officer. The chief privacy officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the chief privacy officer:

oversees decisions related to privacy, including privacy assessments
champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
reports to the CRA’s senior management at least twice a year on the state of privacy management at the CRA

Agency Privacy Council

The Agency Privacy Council was inaugurated in July 2020 with membership consisting of nine key senior officers, including the chief privacy officer as the chair. The mandate of the council is to facilitate a horizontal approach to privacy governance, identify privacy risks and outline mitigation strategies for the CRA. The council is positioned as a steering committee, aimed at setting direction on privacy matters and recommending courses of action to senior management committees.

Personal Information Incident Working Group

The Personal Information Incident Working Group was created in July 2019 to facilitate horizontal collaboration and decision-making on emerging issues related to suspicious activities and incidents involving personal information. The working group reviewed and provided input to the completion of the CRA Procedures for Privacy Breaches and reviewed the new privacy key performance indicators.

Access to Information and Privacy Directorate

The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the directorate:

responds to requests and questions under the Access to Information Act and the Privacy Act
responds to consultations, complaints and informal disclosure requests
offers advice and guidance to CRA employees on how to properly manage and protect personal information under the CRA’s control
coordinates the privacy assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and how to avoid or reduce risks
gives training and awareness sessions on access to information and privacy
responds to and manages privacy breaches, enquiries and complaints
communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints and audits
fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on administering the Access to Information Act and the Privacy Act

The director general of the Access to Information and Privacy Directorate has the full delegated authority of the minister of national revenue under the Access to Information Act and the Privacy Act. The director general also manages and coordinates the Access to Information and Privacy Program, leads strategic planning and development initiatives and supports the assistant commissioner of the Public Affairs Branch and chief privacy officer of the CRA in the role of privacy governance.

The directorate supports two main functions: processing and program support, which includes privacy management. Directorate employees are located in Ottawa, Montréal and Vancouver. In 2020–2021, an equivalent of 185 full-time employees administered the Access to Information Act and the Privacy Act.

The following chart shows the structure of the Access to Information and Privacy Directorate.

Image description

First row Assistant Commissioner of the Public Affairs Branch and Chief Privacy Officer

Second row Director General, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch

The three areas of responsibility of the Director General, Access to Information and Privacy (ATIP) Directorate, Public Affairs Branch are listed in the three circles below. They are:

First the Privacy and Access Policy DivisionSecond the Access, Operations, and Analysis DivisionThird and the ATIP Way Forward Modernization Initiative

The four areas of responsibility of the Director, Privacy and Access Policy Division are listed in the four boxes to the right. They are: the Privacy, Policy and Governance Section, the Privacy, Risk and Incident Management Section, the Access to Information Policy and Governance Section, and the Program Support Section.

The six areas of responsibility of the Director, Access, Operations, and Analysis Division are listed in the six boxes below. They are: the Regional Operations Case Section, Vancouver, the Regional Operations Case Section, Montreal, the Strategic Compliance Section, the Complaints and Intake Section, the Corporate and Complex Case Section, and the Legislative & Headquarters Operations Case Section .

The two areas of responsibility of the Director, ATIP Way Forward Modernization Initiative are listed in the two boxes to the far right column. They are: the Analytics and Innovation Section, and the Business Process Improvement Section .

The four teams of responsibility of the Regional Operations Case Section, Vancouver are listed in the four boxes in the far left row. They are: Team A, Team B, Team C and Team D.

The two teams of responsibility of the Strategic Compliance Section are listed in the bottom row first two boxes. They are: the Tax Compliance Team and the Operations and Training Manuals Team.

The two teams of responsibility of the Complaints and Intake Section are listed in the bottom row last two boxes. They are: the Business Process Team and the Operations and the Complaints Team.

The three teams of responsibility of the Legislative & Headquarters Operations Case Section are listed in the three far right row boxes. They are: the HQ Operations Team, the Business Compliance and Risk Assessment Case Team, and the Operations and the Legislative Case Team.

Delegating responsibilities under the Privacy Act

As head of the CRA, the minister of national revenue is responsible for how the CRA administers and complies with the Privacy Act, the Privacy Regulations and related Treasury Board of Canada Secretariat policies. Subsection 73(1) of the Privacy Act gives the minister the authority to designate one or more CRA officials to perform all or part of the minister’s powers, duties and functions under the act.

The Minister of National Revenue signed the CRA’s current delegation order for the Privacy Act on May 15, 2020. The order identifies specific provisions of the Privacy Act and its regulations that the Minister delegated to various positions within the CRA.

The Access to Information and Privacy Directorate’s director general, directors and assistant directors, as well as managers of the units, approve responses to requests under the Privacy Act. Delegations are also extended to the commissioner, the deputy commissioner and the assistant commissioner of the Public Affairs Branch and chief privacy officer.

For the delegation order and schedule, see Appendix C – Delegation order.

Operational environment including the impact of COVID-19

As the chief administrator of federal, provincial and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Public Service of Canada. In addition, the CRA collects and manages the personal information for its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information and the CRA takes the protection of that information very seriously. On the processing front, the Access to Information and Privacy Directorate processes among the largest volume of requests and pages of any federal institution. According to the most recent statistics from the Treasury Board of Canada Secretariat, in 2019–2020, the CRA processed the second largest volume of pages (over two million) of any federal institution to respond to Privacy Act requests and received the fourth largest number of requests.

Fiscal year 2020–2021 was a year like no other. The COVID-19 pandemic had an unprecedented impact on the lives of Canadians. The CRA played a leading role in the Government of Canada’s response and continues to do so. At the start of the pandemic, the CRA quickly adapted and rapidly launched new programs to help deliver the government’s Economic Response Plan: building on the CRA’s people-first approach to service, innovative mindsets and a solid tax and benefit administration foundation. The CRA also adapted its information technology infrastructure and deployed new technology quickly to meet this challenge. Its employees demonstrated their resilience and delivered the support Canadians needed.

To support critical operations at the CRA during the pandemic, the Access to Information and Privacy Directorate management mobilized to resume operations on an urgent basis. This included the creation of waivers, ensuring employees had the required tools to work remotely in a secure manner and coordinating re-entry. Weekly reporting to management was also established at this time. This work continued into fiscal year 2020–2021, including expediting technological solutions as part of the ATIP Way Forward Modernization Initiative. These measures were very successful in helping to minimize the number of employees needed on-site to process requests. For more details on the technological solutions implemented, see the ATIP Way Forward Modernization Initiative.

During the fiscal year, the Access to Information and Privacy Directorate’s Privacy Team played a critical role in ensuring that all privacy implications were considered when the benefit programs were implemented and that timely briefings took place across the CRA, with Employment and Social Development Canada and the Office of the Privacy Commissioner of Canada. Despite the challenging year, the directorate delivered on four CRA corporate business plan deliverables to enhance the agency’s privacy management program. For more details on the corporate business plan deliverables, see the Enhancing the Privacy Management Program, including policies, guidelines and procedures.

At the onset of the pandemic, the processing of requests under the Privacy Act and Access to Information Act were suspended when the agency focused on critical services. However, at the end of the fiscal year, both the backlog and the active inventory were lower than what was carried over in the previous fiscal year. This is remarkable, considering the directorate could not task for records or consultations for a three-month period while the agency provided critical services to Canadians. In fact, in June 2020, following the three-month pause in operations, the backlog of Privacy Act requests was at 1,141 and at the end of the fiscal year it was reduced to 264, which represents a 77% decrease. Further, the active inventory was reduced from 1,596 requests to 963, a 40% decrease.

The number of requests received under the Privacy Act in 2020–2021, 4,120, was 16% lower than in fiscal year 2019–2020 where 4,895 requests were received. The number of requests completed, 4,023, was 15% lower with 4,728 requests completed. The volume completed is impressive given the three-month pause in tasking. For more information about the impact of COVID-19 on operations, see Appendix B.

The following table shows the trend of requests received under the Privacy Act over the past five years.

Image description

Privacy Act requests trend

In 2016–2017, 3174 requests were received, 3,400 were completed, 1,086,917 pages were processed

In 2017–2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed

In 2018–2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed

In 2019–2020, 4,895 requests were received, 4,728 were completed, 1,115,075 pages were processed

In 2020–2021, 4,120 requests were received, 4,023 were completed, 653,853 pages were processed

ATIP Way Forward Modernization Initiative

The Access to Information and Privacy Way Forward Modernization Initiative developed in fiscal year 2018–2019 supports the overall improvement of the directorate’s capacity to effectively and efficiently process access to information and privacy requests. To expedite that goal, in 2020–2021, through the hiring of a senior project lead and a team, a full-scale business transformation was launched using Lean improvement methodology. On an ongoing basis, the ATIP Way Forward Modernization Initiative identifies and manages the implementation of new technologies and processes to improve and modernize operational processes. To support this transformation, technology will be modernized with the goal of being paperless, that is completely digital, by fiscal year 2021–2022.

In 2020–2021, beyond organizational changes as detailed under the Organization changes section of this report, key changes made to enhance productivity and efficiency in the Access to Information and Privacy Directorate included the implementation of the following initiatives:

epost Connect™

The Access to Information and Privacy Directorate fully implemented Canada Post’s epost Connect™ secure solution on November 30, 2020. This solution allows the agency to send access to information and privacy requests to the public electronically. This initiative improved the directorate’s ability to respond to access to information and privacy requests due to restrictions put in place as a result of COVID-19. Adoption of epost Connect™ has been promising, since most responses are now completed electronically.

eFax®

On March 22, 2021, the Access to Information and Privacy Directorate acquired and implemented eFax®. Through this tool, faxes are digitally uploaded to searchable electronic files that are accessible through the network. The implementation of this initiative was even more significant this fiscal year, because the directorate had a reduced ability to receive information by facsimile from Canadians due to restrictions put in place as a result of COVID-19. In fiscal year 2021–2022, keeping with our Lean continuous improvement mandate, the CRA will continue to innovate by introducing methods to modernize the ability to receive documentation from requesters and to enable remote work.

Legal opinion repository

The CRA developed a legal opinion repository and implemented it on March 26, 2021. The repository provides an organized, readily searchable means to access legal opinions received by the Access to Information and Privacy Directorate since 1990. This tool supports the CRA’s ability to consistently apply access to information and privacy legislation. The legal opinions in the repository do not contain any personal or tax-related information.

In 2021–2022, in support of the ATIP Way Forward Modernization Initiative, changes to enhance productivity and efficiency in the directorate include:

continuing to entrench Lean methodology into business processes, to reduce waste, improve efficiency and introduce a culture of continuous improvement
modernizing reporting and improving business analytics for data-driven business decisions
implementing a modernized case management system
digitizing operations to eliminate paper processes, reduce manual work, improve response times, reduce backlogs and enable remote work
identifying, fast-tracking and redirecting low-complexity requests that can be resolved more quickly and at a lower cost than through the access to information and privacy process. It is expected that Lean process improvement such as this will reduce workloads significantly and it will enable the directorate to focus resources on higher complexity files

Organizational changes

In support of the ATIP Way Forward Modernization Initiative, in 2020–2021, a new organizational structure was approved. The new structure supports the workload of the directorate, increases its productivity and improves its capacity to address the expanded access to information and privacy roles within the CRA. Among other changes, two new directors report to the director general: director, Access, Operations and Analysis Division; and director, Privacy and Access Policy Division and an executive was hired on a two-year assignment to lead to the ATIP Way Forward Modernization Initiative.

During the fiscal year, to support the success of the organizational structure, the Access to Information and Privacy Strategic Plan 2021–2024 was drafted. The plan outlines the directorate’s vision and purpose, strategic priorities and initiatives. The plan will be implemented in Q1, 2021–2022.

Human resources

In 2020–2021, the Access to Information and Privacy Directorate undertook many staffing actions to increase its workforce and to fill vacant and planned positions. This included launching several selection processes, including one to permanently staff the new EX-01 positions, an SP-05^{Footnote 1} and three SP-06 processes, one in each of the directorate’s regions. These processes provided opportunities for the entire directorate. During the fiscal year, the directorate also recruited talent through the CRA mobility bank, a new initiative launched by the agency.

The directorate also stabilized various management positions through a Public Affairs Branch staffing initiative. Moving forward, the strategy will be to continue to run selection processes to create pools at all levels to facilitate filling any position that is or becomes vacant.

To ensure cohesiveness and promote a one-office model within the directorate, managers are asked to consider all three directorate locations (the National Capital Region, Montréal and Vancouver) when planning staffing. The one-office model is supported by monthly directorate all-staff meetings, where employees receive directorate updates and participate in special presentations that support health and wellness or those that are specific to the work of the directorate, such as the application of the access to information and privacy legislation.

Modernizing the Access to Information Act and the Privacy Act

On June 21, 2019, Bill C-58, An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts, received royal assent. This resulted in important improvements to the openness and transparency of government.

A provision in the bill requires a review of the act within a year of royal assent and every five years thereafter.

The Treasury Board of Canada Secretariat is leading the Access to Information Act review which was launched in June 2020. The goals of the review are aimed at supporting government openness and transparency and improving access to information for Canadians.

In response to the consultation process to seek input from government institutions, the CRA welcomed the opportunity to share ways to improve openness, transparency and, ultimately, the access to information regime.

During the fiscal year, the Access to Information and Privacy Directorate provided oversight to make sure program areas posted their required proactive disclosures within the legislated timeline. The directorate was also responsible for reviewing briefing note titles and tracking numbers, transition material and Question Period responses to determine if sensitive information needed to be protected according to legislation. The directorate also managed the publication of the briefing note titles and tracking numbers.

The Privacy Act is also in the process of being modernized. In summer 2020, the CRA reviewed the Department of Justice Canada draft policy proposals contained in a discussion paper on the modernization of the Privacy Act. This discussion paper was based on the department’s technical engagement which occurred in summer 2019 when the CRA provided a response which outlined the agency’s major concerns with the existing Privacy Act. The CRA was very pleased that its concerns were outlined within the updated discussion paper.

In 2021–2022, the CRA will continue to work closely with the Treasury Board of Canada Secretariat, the Department of Justice Canada and other stakeholders on the Government of Canada’s commitment to modernize the acts.

Protection of Personal Information Vulnerability Review

At the request of the Chief Privacy Officer in March 2021, the Audit, Evaluation and Risk Branch completed a vulnerability review on the protection of personal information at the CRA. The objectives of the review were to identify key risks facing the CRA, as they pertain to the protection of personal information, assess those risks, identify mitigating controls and activities, test select controls in place and issue recommendations to strengthen control gaps.

CRA management agreed with all of the recommendations in the final report and committed to make the necessary amendments in accordance with agreed-upon action plans.

Training

The Access to Information and Privacy Directorate is committed to promoting and providing access to information and privacy training to CRA employees. This training varies,

depending on the needs of the employees. For instance, employees who have little or no knowledge of the subject are encouraged to take the Canada School of Public Service’s Fundamentals of Access to Information and Privacy course or its Access to Information in the Government of Canada course. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests.

The CRA’s Legal Services Branch provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release, on informal disclosure of records and the interpretation of the acts for specialized CRA employees such as auditors.

Members of the Privacy Team deliver privacy training sessions to other areas of the agency. This past fiscal year they collaborated with the Legal Services Branch to deliver training to subject matter experts at the agency.

In 2020–2021, the CRA continued to offer its suite of 10 web-based modules, which consist of specialized technical training, to directorate employees. This series of modules is the first of its kind for access to information and privacy professionals in the Public Service of Canada.

In November 2020, as part of the ATIP Way Forward Modernization Initiative, directorate employees took part in mandatory Lean White Belt training. Employees who could not attend the training and those on-boarded after it was offered will participate in the training in 2021–2022.

During the reporting period, directorate employees also participated in the International Association of Privacy Professionals’ training in preparation for information privacy manager certification. This training complements and builds on the association’s training taken by several employees in the previous reporting period, which prepared participants to become certified as information privacy professionals.

In 2020–2021, an agency-wide privacy and access to information training and awareness strategy was established. The strategy will be the foundation for privacy and access to information learning at the agency. Activities toward implementation of the strategy are taking place over the 2021–2022 fiscal year.

An Access Policy and Governance section will be created in 2021–2022 in support of the ATIP Way Forward Modernization Initiative. Part of the mandate of the new section will involve coordinating and providing training to directorate and CRA employees as a whole, incorporating the streamlined business processes identified through the Lean Project.

Raising awareness

In 2020–2021, beyond the work the CRA completed to enhance its privacy management program, the Access to Information and Privacy Directorate worked on many projects to make employees more aware of their privacy-related roles and responsibilities.

For the ninth consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many international institutions to promote Data Privacy Day on January 28. Data Privacy Day presents an opportunity to highlight the impact of technology on privacy rights, as well as to underscore the importance of valuing and protecting personal information.

In 2020–2021, the CRA’s Data Privacy Day campaign focused on protecting data privacy in the home office. The topic was particularly relevant, since most CRA employees were continuing to work from home in an effort to prevent the spread of COVID-19. Procedures for protecting personal information in the office and home environment were highlighted. In addition, the Data Privacy Day campaign included a live virtual presentation by Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa.

Throughout the year, the Access to Information and Privacy Directorate continued to promote awareness of the role that access to information and privacy play in supporting sound privacy management, by participating in various committees and working groups, providing advice to program areas and through regular communication with employees in the offices of primary interest across the agency.

Collaborating with oversight bodies and other organizations

The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat and other organizations to strengthen privacy at the CRA. Notably, in 2020–2021, the CRA:

communicated frequently with the Office of the Privacy Commissioner of Canada on various subjects, including privacy breaches, privacy assessments and the COVID-19 benefit programs the CRA helped administer
participated in the Department of Justice Canada’s consultation process on the modernization of the Privacy Act
met with Employment and Social Development Canada on a regular basis to assess and address privacy implications in the implementation of the COVID-19 benefit programs, since the CRA was administering several COVID-19 benefit programs for Employment and Social Development Canada. Through this process, privacy impact assessments and privacy compliance evaluations were developed either jointly or in collaboration with Employment and Social Development Canada
worked closely with the Treasury Board of Canada Secretariat to develop draft corporate policy instruments, to identify potential request-processing software solutions for the Public Service of Canada and to respond to the COVID-19 pandemic
collaborated with the access to information and privacy community by co-chairing the ATIP Coordinators Working Group. Through this group, best practices are shared amongst the departments that receive a large volume of requests
collaborated with Agriculture and Agri-Food Canada, Canadian Heritage, Public Safety Canada, Transport Canada, National Defence, Veterans Affairs Canada, Health Canada, the Canada Border Services Agency and Immigration, Refugees and Citizenship Canada on the implementation of epost Connect™
met with the Canada Border Services Agency, the Canadian Security Intelligence Service, Employment and Social Development Canada, Library and Archives Canada and Revenu Québec to review business processes and share best practices to support the business modernization initiative being undertaken by the CRA. Information obtained will be used to support the streamlining of directorate business practices

Privacy management program

Enhancing the Privacy Management Program, including policies, guidelines and procedures

The privacy landscape has continued to evolve dramatically over the past year. Examples of this include: emerging technologies such as artificial intelligence, increased sophistication of cyber breaches that continue to target major organizations and the ongoing review of privacy legislation.

In response to this, in 2020–2021, in consultation with the Agency Privacy Council, the Personal Information Incident Working Group and other agency officials, the CRA implemented an enhanced privacy program, using Privacy by Design principles, including the completion of the following corporate business plan deliverables:

completion of the Procedures for Privacy Breaches, which outline the process for effectively managing privacy breaches and help CRA employees understand their responsibilities for protecting information, including steps to take if an employee suspects or discovers a privacy breach
updated corporate policy instruments including the CRA Privacy Policy, the CRA Directive on Privacy Practices and the CRA Procedures for Privacy Assessments
updated the CRA privacy notice on Canada.ca, which describes how personal information is handled within the agency. The notice is available at canada.ca/en/revenue-agency/corporate/privacy-notice
updated the privacy key performance indicators, establishing 12 metrics derived from best practices and mapped to the key facets of the CRA’s Privacy Management Framework, for example, the incorporation of Privacy by Design principles and privacy breach management

In addition, consultations and review took place for the new procedures for investigative bodies. These procedures will be completed in Q1, 2021–2022.

Also, the new organizational structure of the Access to Information and Privacy Directorate, outlined earlier in this report, including separate teams and additional resources for privacy, risk, and incident management and privacy policy and governance, better address the privacy demands on the CRA.

Lastly, the CRA Privacy Management Framework, published last fiscal year, was reviewed during the fiscal year in the context of COVID-19 and will be reviewed on an annual basis. The Privacy Management Framework is available at: canada.ca/content/dam/cra-arc/migration/cra-arc/scrty/pmf-eng.pdf.

Managing privacy breaches

One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the integrity and the protection of taxpayers’ information very seriously and has strong controls to prevent privacy breaches. Despite the effectiveness of the many controls in place, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.

In 2020–2021, the CRA noticed an increase in activity by unauthorized third parties attempting to gain access to taxpayers’ CRA accounts, particularly to target new

COVID-19 emergency benefits. To detect, protect and prevent potential instances of fraud and identity theft, the CRA routinely monitors accounts for suspicious activity. In the event of a privacy breach, the Access to Information and Privacy Directorate works closely with CRA program areas to manage the breach and assess the impacts to affected individuals.

Where warranted, the CRA offers credit protection services to assist those who have been affected by a breach.

This year, the CRA’s Security and Internal Affairs Directorate informed the Access to Information and Privacy Directorate of 48 incidents of alleged or confirmed improper access or disclosure of personal information by CRA employees. Founded misconduct is dealt with promptly and appropriately. If criminal activity is suspected, the matter is referred to the proper authorities. All CRA employees receive mandatory and ongoing security training, which includes the protection of taxpayer information.

The Access to Information and Privacy Directorate also received 21 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada. For more information, see Part 8 – Complaints and investigation notices received.

In 2020–2021, most privacy breaches at the CRA resulted from misdirected mail, that is, mail that was incorrectly addressed or sent to the wrong person. However, misdirected mail incidents represent 0.003% of the 110 million pieces of mail the CRA handles each year.

The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2020–2021, the CRA reported five significant privacy breaches to these organizations. Of the breaches, three involved unauthorized access to taxpayer information by CRA employees and two involved unauthorized access to taxpayer information by bad actors.

The CRA continues to improve internal processes and systems to further protect taxpayer information. These controls include monitoring employee access to taxpayer information, limiting employees’ access permissions to only the information required to do their job and regularly reviewing employee access to CRA systems.

2020 cyber incidents (credential stuffing)

In the summer of 2020, the CRA was the victim of two cyber incidents that affected the GCKey service and the CRA's online portals. The incidents were the result of credential stuffing, where unauthorized third parties used passwords and usernames collected from previous hacks of other organizations and websites to access CRA accounts either through the GCKey service or through CRA portals.

The CRA immediately addressed the cyber incident by taking the portals offline to secure CRA systems, investigate the attack and address vulnerabilities. The portals were back online within a few days, with vulnerabilities addressed and additional system protections implemented.

After a detailed review of CRA security logs, the CRA was able to identify suspicious activities on approximately 48,500 accounts as a result of the cyber incidents. To protect the accounts from further unauthorized access, the CRA suspended online access to the accounts and placed extra security measures on accounts assessed as being at risk.

The CRA is committed to assisting those whose accounts have been compromised. The CRA contacted affected individuals by letter or by phone, which included instructions on how to verify their identities, reactivate their accounts and further protect their personal information. Where warranted, the CRA also offered credit protection services at no cost to affected individuals.

The CRA urged online service users to review their accounts and to report any suspicious activity to the CRA’s tax enquiries phone line. Dedicated employees are at the CRA call centres to prioritize calls from victims of fraud and identity theft.

The Access to Information and Privacy Directorate informed the Office of the Privacy Commissioner of Canada shortly after becoming aware of the cyber incidents. In October 2020, the Office of the Privacy Commissioner of Canada launched two formal investigations into the GCKey and CRA cyber incidents. The CRA continues to work with the office on these ongoing investigations.

Revoked credentials

During the fiscal year, as part of its ongoing efforts to protect personal information, the CRA conducted routine checks to identify credentials (CRA user IDs and passwords) at risk, which might have been available on the dark web for use by unauthorized individuals. Credentials identified as being potentially compromised were revoked, preventing them from being used.

These credentials were not compromised as a result of a breach of the CRA’s online systems. Rather, the credentials may have been obtained by unauthorized third parties and through sources external to the CRA.

Taxpayers with revoked credentials can still log into their CRA accounts if they have a different credential (that is, a different CRA user ID and password, through their online banking credentials, or a British Columbia services card). Otherwise, they can create a new CRA user ID and password.

The CRA is continuing to conduct routine scans to identity and revoke potentially compromised credentials.

Internal procedures manual

The internal procedures manual is an Access to Information and Privacy Directorate guide for all major procedures involved in processing requests made under the Access to Information Act and the Privacy Act. The purpose of the manual is to promote consistent practices across the directorate.

In 2020–2021, the directorate finalized and made available to staff an online version of the manual.

Updating Info Source

Info Source provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. Info Source also provides guidance to individuals on how to access information held by government institutions to exercise their rights under these acts.

Each institution subject to the Access to Information Act and the Privacy Act must update its Info Source chapter annually by the due date set by the Treasury Board of Canada Secretariat, normally in June.

Because of the operational realities of the COVID-19 pandemic, many of the CRA program areas were focused on providing critical services during the fiscal year. So the Access to Information and Privacy Directorate updated the Treasury Board of Canada Secretariat on the information the directorate had already reviewed during the fiscal year. The directorate also updated the list of the manuals available in the public reading room.

The CRA's Info Source chapter can be found at canada.ca/cra-info-source.

Monitoring compliance

The Access to Information and Privacy Directorate produces several monthly reports that capture key statistics about the CRA’s inventory of access to information and privacy requests. Management regularly uses the reports to monitor trends, measure the directorate’s performance and identify any process changes needed to improve performance. The reports are presented monthly to senior management at the commissioner-chaired Corporate Management Committee.

In 2020–2021, the Access to Information and Privacy Business Analytics Team reviewed the existing reports and introduced new reports to improve awareness of outstanding access to information and privacy requests. The reports monitor active and closed requests, the status of requests by branch and region, the carry-forward inventory, complaints and deemed refusal volumes.

In addition to the monitoring and reporting mechanisms in place, the CRA’s work to develop enhanced business analytics for its access to information and privacy program continued in 2020–2021. The directorate’s analytics team improved its ability to query the database by using Power Query software, and new software is being tested to boost the team’s reporting capacity.

The directorate’s goal is to produce reports that are directly linked to the source data, with better data visualization and using modern tools such as Microsoft’s Power BI to produce more accurate, user-friendly, automated and customized reports. The directorate has invested in business analytics and will continue to make it a priority as management supports and recognizes the value of using data to make informed business decisions.

Privacy assessments

At the outset of new initiatives, the agency consults with the Office of the Privacy Commissioner of Canada and submits privacy assessments to the office so that potential privacy implications can be identified and mitigated.

Privacy impact assessment

In accordance with the Directive on Privacy Impact Assessment, the Canada Revenue Agency conducts privacy impact assessments when new programs or services raise privacy issues, as well as when changes to programs or services affect the way personal information is collected, used or disclosed.

Privacy compliance evaluation

A privacy compliance evaluation is a privacy assessment process used this fiscal year in place of a full privacy impact assessment for urgent COVID-19-related initiatives that did not continue beyond March 31, 2021. These evaluations were carried out at the discretion of deputy heads or delegates at the assistant deputy minister level.

Privacy protocol assessment

A privacy protocol assessment is a privacy assessment process designed to assess initiatives that have a non-administrative purpose (for example, research, audit, evaluation and statistical purposes) to make sure that they comply with the CRA's privacy practices.

Summaries of completed privacy assessments

The CRA completed five privacy assessments during the 2020–2021 reporting period: three privacy impact assessments, one privacy compliance evaluation and one privacy protocol assessment. As well, the CRA reviewed a significant number of initiatives to assess potential privacy impacts. This review looked at documents such as privacy assessment determination questionnaires, treasury board submissions, threat and risk assessments, local application solutions and written collaborative arrangements.

The CRA publishes summaries of completed privacy assessments at canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.

The following is an overview of the privacy assessments the CRA completed in fiscal year 2020–2021.

Canada emergency response benefit

The Canada emergency response benefit was established to support workers during the COVID-19 pandemic. This benefit provides $2000 every four weeks for up to 28 weeks to workers whose income was affected as a result of the pandemic. The CRA is administering this benefit for Employment and Social Development Canada and is using existing taxpayer information for verification of eligibility, compliance and enforcement.

This privacy impact assessment covers only the administration of the benefit. A privacy impact assessment will be undertaken to address elements such as post verification, compliance and enforcement activities for the benefit.

For the complete privacy impact assessment summary, go to: canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/canada-emergency-response-benefit-privacy-impact-assessment-summary.

Offshore Tax Informant Program V2

The Offshore Tax Informant Program V2 encourages the participation of the public in the identification of major international instances of tax non-compliance. The program offers graduated incentive rewards of 5% to 15% of the additional federal tax assessed and collected, to individuals who come forward with credible information that leads directly to the assessment and collection of additional taxes.

The privacy impact assessment identifies, assesses and addresses any privacy risks associated with this program. These risks include collecting, using and disclosing personal information with federal, international, provincial and municipal partners.

For the complete privacy impact assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/offshore-tax-informant-program-v2.

CRA personnel security screening

Personnel security screening plays a vital role within the CRA Security Program by making sure that all employees are appropriately screened to allow access to information and access to CRA offices required for the performance of their duties.

The first privacy impact assessment (version 1.0) of the Personnel Security Screening Program was completed in fiscal year 2013–2014. The assessment has been updated this fiscal year (version 2.0) to assess recent program activities related to the verbal tax compliance verification process.

Canada Emergency Wage Subsidy Program

The Canada Emergency Wage Subsidy Benefit Program administers the Canada emergency wage subsidy offered to Canadian employers who have seen a revenue drop during the COVID-19 pandemic to cover part of employee wages.

The privacy compliance evaluation identifies and assesses the privacy risks to personal information collected from Canadian businesses for administering the subsidy.

Information collected from the Canada emergency wage subsidy application is verified against existing information within the agency’s data holdings, to validate and process the subsidy claim. Subsequently, personal information will also be used to perform verification and compliance activities.

For the complete privacy compliance evaluation summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/canada-emergency-wage-subsidy-privacy-compliance-evaluation-summary.

Digital Mailroom Project

The Digital Mailroom Project is an enterprise-wide digital content delivery solution that CRA program areas can use either to move from a paper-based process to a digital one or to enhance existing digital processes. The solution will offer the following capabilities: receive, digitize, extract, store and provide internal notification. The project will use the services of a managed service provider to carry out all functions except for internal notification, which will be managed by the CRA.

The privacy protocol assessment identifies, assesses and addresses any privacy risks associated with this non-administrative program.

For the complete privacy protocol assessment summary, go to canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/digital-mailroom-project.

Interpretation and explanation of Appendix A – Statistical report

Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the period of April 1, 2020, to March 31, 2021. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.

Notes

Some totals may be more than 100% due to rounding.

Part 1 – Requests under the Privacy Act

During the reporting period, the CRA received 4,120 new requests under the Privacy Act. This is a decrease of 775 requests (16%) from last year’s total of 4,895 requests. Including the 866 requests carried forward from the 2019–2020 reporting period, the CRA had 4,986 active requests in its inventory.

The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past five fiscal years. The number of requests received and pages processed decreased significantly this fiscal year, as a result of COVID-19.

The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past five fiscal years. The number of requests received has increased significantly and the number of pages processed has more than doubled since 2015–2016.
Fiscal year	Requests received	Requests closed	Pages processed
2016–2017	3,174	3,400	1,086,917
2017–2018	3,791	3,821	920,251
2018–2019	4,789	4,599	896,837
2019–2020	4,895	4,728	1,115,075
2020–2021	4,120	4,023	653,853

Other requests and workload

Beyond the 4,120 requests received under the Privacy Act, the CRA processed a high volume of other requests. The additional volume significantly affected operations, since resources had to be diverted to manage the workload. The additional requests included external and internal consultations, general enquiries and complaints. During the fiscal year, the Intake Team of the Access to Information and Privacy Directorate responded to 4,500 emails and 820 phone enquiries received through the general enquiries mailbox and toll-free phone line.

Part 2 – Requests closed during the reporting period

Disposition and completion time

The CRA continues to complete a large number of privacy requests. The disposition of the 4,023 requests closed is as follows:

1,855 were fully disclosed (46%)
1,077 were disclosed in part (27%)
2 were exempted in their entirety (0.04%)
45 resulted in no existing records (1%)
1,044 were abandoned by requesters (26%)

705 (15%) fewer requests were closed in 2020–2021 than in
2019–2020.

The following chart shows the completion times for the 4,023 requests closed in 2020–2021.

Image description

Completion time

1,615 (40%) in 30 days or under

901 (23%) from 31 to 60 days

496 (12%) from 61 to 120 days

1,011 (25%) in 121 days or more

For more details, see table 2.1 of Appendix A.

Exemptions

The Privacy Act allows an institution to refuse access to specific information when necessary. For example, information about an individual other than the requester cannot be disclosed if the individual has not given consent. For detailed information on each of the exemptions that may be applied, see section 18 of the Privacy Act.

In 2020–2021, the CRA applied the following exemptions, in full or in part, for the 4,023 requests closed during the reporting period:

section 19 – Personal information obtained in confidence (23 times)
section 21 – International affairs and defence (3 times)
section 22^{Footnote 2} – Law enforcement and investigation (271 times)
section 26 – Information about another individual (622 times)
section 27 – Solicitor-client privilege (94 times)

Exclusions

The Privacy Act does not apply to information that is publicly available, such as information in government publications, libraries, and museums. Also, the act does not apply to Cabinet confidences.

In 2020–2021, the CRA did not apply any exclusions for information that was publicly available or a Cabinet confidence.

Format of information released

Requesters can choose to receive their response package in paper or electronically. Persons with disabilities may request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically is more efficient, because it significantly reduces manual processes and it is environmentally friendly and secure.

In 2020–2021, of the 2,930 requests for which information was disclosed in full or in part, 2,153 requests (73%) were released in electronic format.

Complexity

In 2020–2021, the directorate processed an average of 164 pages per request.

The Treasury Board of Canada Secretariat uses two criteria to define complexity: the number of pages to process and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests.

For example, to respond to the 3,978 requests closed during the fiscal year (excluding requests where no records exist), the CRA processed 653,853 pages. Of these requests, 627 (16%) involved processing more than 100 pages: 118 of these involved processing more than 1,000 pages and 8 involved processing more than 5,000 pages. For more details, see table 2.5.2 of Appendix A.

Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see table 2.5.3 of Appendix A.

Closed requests

The Access to Information and Privacy Directorate closed 2,392 (59.5%) requests within the timelines required by law. This means that responses were provided within 30 calendar days or within an extended deadline.

Deemed refusals and requests closed beyond legislated timelines

A deemed refusal is a request closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.

Of the 4,023 requests closed during the reporting period, 1,631 were closed after the deadline, resulting in a deemed refusal rate of 40.5%. This is a result of the temporary pause in the tasking of requests from April 1, 2020, to June 16, 2020, while the agency provided critical services to Canadians as a result of the COVID-19 pandemic.

Requests for translation

Records are normally released in the language they exist in. However, records may be translated to an official language when requested and when the institution considers a translation or interpretation to be necessary to enable the individual to understand the information.

The CRA received one request for translation in 2020–2021 and it was fulfilled.

Part 3 – Disclosures under subsections 8(2) and 8(5)

Subsection 8(2) of the Privacy Act states that subject to confidentiality provisions in other acts of Parliament, personal information may be disclosed without consent for limited and specific circumstances. This is the case, for example, if the public interest in disclosure clearly outweighs any invasion of privacy. Subsection 8(5) states that if there is a disclosure under subsection 8(2), notice must be provided to the Privacy Commissioner of Canada.

During the reporting period, there were no disclosures of personal information under paragraphs 8(2)(e) and (m) and subsection 8(5) of the Privacy Act.

Part 4 – Requests for correction of personal information and notations

Under the Privacy Act, an individual who believes their personal information contains an error or omission can ask for it to be corrected. When a request for correction has been refused, a notation must be attached to the information reflecting that a correction was requested and refused.

The CRA received one request to correct personal information in 2020–2021. This request did not meet the criteria for a records correction; as such, a notation was attached to the information and the requester was notified.

Part 5 – Extensions

The Privacy Act sets the required timelines for responding to privacy requests. Time extensions are allowed under these circumstances:

meeting the original time limit would unreasonably interfere with operations
there is a need to consult (for example, with a government institution or third party)
there is a need to translate or convert records into another format

Of the 4,023 requests closed in 2020–2021, the CRA applied extensions to 1,463 (36%) of them. Extensions were applied 99% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining instances were for internal consultation, translation purposes and to convert records into other formats.

Of the 1,463 extensions: 1 was for 1 to 15 days in length, 1,461 were for 16 to 30 days in length and 1 was for 31 days or more because it was applied for translation purposes.

Part 6 – Consultations received from other Government of Canada institutions and organizations

In 2020–2021, the Access to Information and Privacy Directorate received and closed one external consultation request from other government institutions and organizations. To respond to this request, six pages were reviewed. For more details, including disposition and completion times, see tables 6.1 and 6.2 of Appendix A.

Internal consultations

In 2020–2021, 133 internal privacy consultation requests were completed, a 54% decrease from the previous reporting period. To respond to these requests, the directorate reviewed a total of 5,824 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.

The following chart shows the trend for internal privacy consultation requests received over the past five years.

Image description

Internal Privacy Consultation Trends

In 2016–2017, 253 internal privacy consultation requests were received, 5,311 pages were processed.

In 2017–2018, 328 internal privacy consultation requests were received, 11,033 pages were processed.

In 2018–2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.

In 2019–2020, 288 internal privacy consultation requests were received,10,318 pages were processed.

In 2020–2021, 105 internal privacy consultation requests were received, 5,824 pages were processed.

Part 7 – Completion time of consultations on Cabinet confidences

Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their legal services office to determine if requested information should be excluded. If any doubt exists or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.

In 2020–2021, the CRA did not have to consult with Legal Services of the Privy Council Office for Cabinet confidences.

Part 8 – Complaints and investigation notices received

In 2020–2021, the CRA received 13 complaints under the Privacy Act related to privacy requests. The complaints received were related to the following issues:

time delay (4)
non-disclosure (1)
refusal due to exemption (2)
refusal due to general reasons (1)
time extensions (5)

In addition, the CRA received 26 early-resolution complaints: 9 of those were escalated to formal complaints, 13 were closed because the Office of Privacy Commissioner of Canada determined in the early-resolution process that there was no need to complete a formal investigation, and 4 were carried over to the next fiscal year.

During the fiscal year, the CRA closed 20 complaints. This represents a 62% decrease in the number of complaints closed compared to the previous fiscal year. In addition, the CRA completed 32 early-resolution complaints.

Seven complaints were pursued to the Federal Court.

The following chart shows the disposition of the 20 complaints closed during the fiscal year.

Image description

The following chart shows the disposition of the 20 complaints closed during the fiscal year.

Complaint dispositions

1 (5%) Settled during the course of investigation

3 (15%) Not well-founded

4 (20%) Resolved

2 (10%) Discontinued

10 (50%) Well-founded

For definitions of the disposition categories, go to priv.gc.ca/en/opc-actions-and-decisions/investigations/def-cf/.

The Access to Information and Privacy Directorate received 21 privacy-related complaints and allegations from individuals and the Office of the Privacy Commissioner of Canada during the reporting period. These complaints were not related to Privacy Act requests. The directorate closed 13 complaints and allegations during the reporting period, which included outstanding complaints and allegations from previous reporting periods.

Part 9 – Privacy impact assessments and personal information banks

During the reporting period, the CRA sent three privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is described in the “Privacy assessments” section of this report.

A personal information bank must be created in Info Source for any collection or grouping of personal information under the control of a government institution that has been used, is being used, or is available for use for an administrative purpose by a program or activity of an institution. The personal information bank must include how the information is organized and retrieved (for example, a person's name, an identifying number or symbol, or other means). Personal information banks are legislated by section 10 of the Privacy Act. During the fiscal period, there were 45 active personal information banks. In the same period, two were created and two were modified.

Part 10 – Material privacy breaches

Part 11 – Resources related to the Privacy Act

Costs

During the 2020–2021 fiscal year, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $13,716,649. This includes $742,081.35 in credit protection services provided to individuals affected by privacy breaches. However, it does not include significant support and resources from CRA branches and regions. For more details, see table 11.1 of Appendix A – Statistical report.

Human resources

In 2020–2021, an equivalent of 128 full-time employees, in addition to 11 part-time and casual employees, 2 consultants and agency personal and 1 student, were dedicated to administering the Privacy Act.

Interpretation and explanation of Appendix B – Supplemental statistical report

New data on requests affected by COVID–19 measures

In 2020–2021, the Treasury Board of Canada Secretariat included a requirement for institutions to demonstrate the capacity to receive and process requests as a result of COVID-19 measures.

The following is a brief overview of the tables included in Appendix B:

The CRA received and processed requests for 44 of the 52 weeks in 2020–2021. Requests could not be received or processed during the eight-week period of April1, 2020, to May 27, 2020, because the Access to Information and Privacy Directorate’s intake team was not equipped to process requests remotely.
The CRA had partial capacity to process electronic records for 27 weeks and it had full capacity for 17 weeks due to the full implementation of epost Connect™ on November 30, 2020.

Conclusion

Despite a very challenging year, in 2020–2021, the CRA continued to make significant progress in addressing challenges to the protection of personal information and in the processing of privacy requests. The agency did this by:

collaborating with partners to make sure privacy implications were considered for new and revised initiatives involving personal information by building Privacy by Design into the process
completing four corporate business plan deliverables to enhance the CRA Privacy Management Framework, including the development of privacy breach procedures
addressing the backlog of requests received under the Privacy Act
advancing the ATIP Way Forward Modernization Initiative, including implementing technological solutions

In 2021–2022, the Access to Information and Privacy Directorate will focus on the priorities in its strategic plan, including leading the directorate’s business transformation and technology modernization and continuing to create a culture of privacy and accountability.

Appendix A – Statistical report

Statistical report on the Privacy Act

Name of institution: Canada Revenue Agency
Reporting period: April 1, 2020, to March 31, 2021

Part 1 – Requests under the Privacy Act

1. 1 Number of requests

Part 1 - Requests under the Privacy Act
Requests	Number of requests
Received during reporting period	4,120
Outstanding from previous reporting period	866
Total	4,986
Closed during reporting period	4,023
Carried over to next reporting period	963

Part 2 - Requests closed during the reporting period

1.2 Disposition and completion time

Part 2 - Requests closed during the reporting period - 1.2 Disposition and completion time
Disposition of requests	1 to 15 days	16 to 30 days	31 to 60 days	61 to 120 days	121 to 180 days	181 to 365 days	More than 365 days	Total
All disclosed	133	504	582	245	290	101	0	1,855
Disclosed in part	36	180	276	141	184	198	62	1,077
All exempted	0	0	0	0	1	1	0	2
All excluded	0	0	0	0	0	0	0	0
No records exist	9	8	18	1	6	3	0	45
Request abandoned	676	69	25	109	87	56	22	1,044
Neither confirmed nor denied	0	0	0	0	0	0	0	0
Total	854	761	901	496	568	359	84	4,023

2.1 Exemptions

Part 2 - Requests closed during the reporting period - 2.1 Exemptions
Section	Number of requests
18(2)	0
19(1)(a)	7
19(1)(b)	0
19(1)(c)	15
19(1)(d)	1
19(1)(e)	0
19(1)(f)	0
20	0
21	3
22(1)(a)(i)	3
22(1)(a)(ii)	15
22(1)(a)(iii)	1
22(1)(b)	251
22(1)(c)	1³
22(2)	0
22.1	0
22.2	0
22.3	0
22.4	0
23(a)	0
23(b)	0
24(a)	0
24(b)	0
25	0
26	622
27	94
27.1	0
28	0

2.2 Exclusions

Part 2 - Requests closed during the reporting period - 2.3 Exclusions
Section	Number of requests
69(1)a)	0
69(1)b)	0
69.1	0
70(1)	0
70(1)a)	0
70(1)b)	0
70(1)c)	0
70(1)d)	0
70(1)e)	0
70(1)f)	0
70.1	0

2.3 Format of information released

Part 2 - Requests closed during the reporting period - 2.4 Format of information released
Paper	Electronic	Other
777	2,153	2

2.4 Complexity

2.4.1 Relevant pages processed and disclosed

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.1 Relevant pages processed and disclosed
Number of pages processed	Number of pages disclosed	Number of requests
653,853	538,726	3,978

2.4.2 Relevant pages processed and disclosed by size of requests

Less than 100 pages processed

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.2 Relevant pages processed and disclosed by size of requests - Less than 100 pages processed
Disposition of requests	Number of requests	Pages disclosed
All disclosed	1,727	51,664
Disclosed in part	583	22,822
All exempted	2	0
All excluded	0	0
Request abandoned	1,039	95
Neither confirmed nor denied	0	0
Total	3,351	74,581

101 - 500 pages processed

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.2 Relevant pages processed and disclosed by size of requests - 101 - 500 pages processed
Disposition of requests	Number of requests	Pages disclosed
All disclosed	123	19,922
Disclosed in part	287	64,683
All exempted	0	0
All excluded	0	0
Request abandoned	1	138
Neither confirmed nor denied	0	0
Total	411	84,743

501 - 1000 pages processed

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.2 Relevant pages processed and disclosed by size of requests - 501 - 1000 pages processed
Disposition of requests	Number of requests	Pages disclosed
All disclosed	5	3,160
Disclosed in part	81	59,114
All exempted	0	0
All excluded	0	0
Request abandoned	4	3,124
Neither confirmed nor denied	0	0
Total	90	65,398

1001 - 5000 pages processed

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.2 Relevant pages processed and disclosed by size of requests - 1001 - 5000 pages processed
Disposition of requests	Number of requests	Pages disclosed
All disclosed	0	0
Disclosed in part	118	233,016
All exempted	0	0
All excluded	0	0
Request abandoned	0	0
Neither confirmed nor denied	0	0
Total	118	233,016

More than 5000 pages processed

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.2 Relevant pages processed and disclosed by size of requests - More than 5000 pages processed
Disposition of requests	Number of requests	Pages disclosed
All disclosed	0	0
Disclosed in part	8	80,988
All exempted	0	0
All excluded	0	0
Request abandoned	0	0
Neither confirmed nor denied	0	0
Total	8	80,988

2.4.3 Other complexities

Part 2 - Requests closed during the reporting period - 2.4 Complexity - 2.4.3 Other complexities
Disposition of requests	Consultation required	Legal advice sought	Interwoven information	Other	Total
All disclosed	1	1	2	71	75
Disclosed in part	1	3	1	53	58
All exempted	0	0	0	0	0
All excluded	0	0	0	0	0
Request abandoned	0	2	2	53	57
Neither confirmed nor denied	0	0	0	0	0
Total	2	6	5	177	190

2.5 Closed requests

2.5.1 Number of requests closed within legislated timelines

Part 2 - Requests closed during the reporting period - 2.5 - 2.5.1 Number of requests closed within legislated timelines
-	Requests closed within legislated timelines
Number of requests closed within legislated timelines	2,392
Percentage of requests closed within legislated timelines (%)	59.5%

2.6 Deemed refusals

2.6.1 Reasons for not meeting legislated timelines

Part 2 - Requests closed during the reporting period - 2v.6 - 2.6.1 Reasons for not meeting legislated timelines
Number of requests closed past the legislated deadline	Principal reason - Interference with operations / workload	Principal reason - External consultation	Principal reason - Internal consultation	Principal reason - Other
1,631	743	3	0	885

2.6.2 Number of days past legislated timeline (including any extension taken)

Part 2 - Requests closed during the reporting period - 2.6 - 2.6.2 Number of days past legislated timeline (including any extension taken)
Number of days past legislated timeline	Number of requests past legislated timeline where no extension was taken	Number of requests past legislated timeline where an extension was taken	Total
1 to 15	90	116	206
16 to 30	52	29	81
31 to 60	122	28	150
61 to 120	435	70	505
121 to 180	378	50	428
181 to 365	161	32	193
More than 365	27	41	68
Total	1,265	366	1,631

2.7 Requests for translation

Part 2 - Requests closed during the reporting period - 2.7 Requests for translation
Translation requests	Accepted	Total
English to French	1	1
French to English	0	0
Total	1	1

Part 3 - Disclosures under subsections 8(2) and 8(5)

Part 3 - Disclosures under subsections 8(2) and 8(5)
Paragraph 8(2)(e)	Paragraph 8(2)(m)	Subsection 8(5)	Total
0	0	0	0

Part 4 – Requests to correct personal information and notations

Part 4 - Requests to correct personal information and notations
Disposition for correction requests received	Number
Notations attached	1
Requests for correction accepted	0
Total	1

Part 5 – Extensions

5.1 Reasons for extensions and disposition of requests

Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests
Number of requests where an extension was taken	15(a)(i) Interference with operations - Further review required to determine exemptions	15(a)(i) Interference with operations - Large volume of pages	15(a)(i) Interference with operations - Large volume of requests	15(a)(i) Interference with operations - Documents are difficult to obtain
1,463	4	28	1,411	11

Part 5 Extensions - 5.1 Reasons for extensions and disposition of requests (part 2)
15(a)(ii) Consultation - Cabinet Confidences (Section 70)	15(a)(ii) Consultation- External	15(a)(ii) Consultation- Internal	15(b) Translation purposes or conversion
0	1	1	7

5.2 Length of extensions

Part 5 Extensions - 5.2 Length of extensions
Length of extensions (days)	15(a)(i) - Interference with operations - Further review required to determine exemptions	15(a)(i) - Interference with operations - Large volume of pages	15(a)(i) - Interference with operations - Large volume of requests	Documents are difficult to obtain
1 to 15	0	0	1	0
16 to 30	4	28	1,410	11
31 days or greater	N/A	N/A	N/A	N/A
Total	4	28	1,411	11

Part 5 Extensions - 5.2 Length of extensions (part 2)
Length of extensions (days)	15(a)(ii) Consultation Cabinet Confidences (Section 70)	15(a)(ii) Consultation External	15(a)(ii) Consultation Internal	15(b) Translation purposes or conversion
1 to 15	0	0	0	0
16 to 30	0	1	1	6
31 days or greater	N/A	N/A	N/A	1
Total	0	1	1	7

Part 6 – Consultations received from other institutions and organizations

6.1 Consultations received from other Government of Canada institutions and organizations

Part 6 - Consultations received from other institutions and organizations - 6.1 Consultations received from other Government of Canada institutions and organizations
Consultations	Other Government of Canada institutions	Number of pages to review
Received during reporting period	1	6
Outstanding from the previous reporting period	0	0
Total	1	6
Closed during the reporting period	1	6
Carried over to next reporting period	0	0

6.2 Recommendations and completion time for consultations received from other Government of Canada institutions

Part 6 - Consultations received from other institutions and organizations - 6.2 Recommendations and completion time for consultations received from other Government of Canada institutions
Recommendation	Completion time - 16 to 30 days	Total
Disclose entirely	0	0
Disclose in part	0	0
Exempt entirely	1	1
Exclude entirely	0	0
Consult other institution	0	0
Other	0	0
Total	1	1

6.3 Recommendations and completion time for consultations received from other organizations

Part 6 - Consultations received from other institutions and organizations - 6.3 Recommendations and completion time for consultations received from other organizations
Recommendation	Completion time - 1 to 15 days	Completion time - 16 to 30 days	Completion time - 31 to 60 days	Completion time - 61 to 120 days	Completion time - 121 to 180 days	Completion time - 181 to 365 days	Completion time - More than 365 days	Total
Disclose entirely	0	0	0	0	0	0	0	0
Disclose in part	0	0	0	0	0	0	0	0
Exempt entirely	0	0	0	0	0	0	0	0
Exclude entirely	0	0	0	0	0	0	0	0
Consult other organization	0	0	0	0	0	0	0	0
Other	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0

Part 7 – Completion time of consultations on Cabinet confidences

7.1 Requests with Legal Services

Part 7 - Completion time of consultations on Cabinet confidences - 7.1 Requests with Legal Services
Number of days	Less than 100 pages processed - Number of requests	Less than 100 pages processed - Pages disclosed	101 - 500 pages processed - Number of requests	101 - 500 pages processed - Pages disclosed	501 - 1000 pages processed - Number of requests	501 - 1000 pages processed - Pages disclosed	1001 - 5000 pages processed - Number of requests	1001 - 5000 pages processed - Pages disclosed	More than 5000 pages processed - Number of requests	More than 5000 pages processed - Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

7.2 Requests with Privy Council Office

Part 7 - Completion time of consultations on Cabinet confidences - 7.2 Requests with Privy Council Office
Number of days	Less than 100 pages processed - Number of requests	Less than 100 pages processed - Pages disclosed	101 - 500 pages processed - Number of requests	101 - 500 pages processed - Pages disclosed	501 - 1000 pages processed - Number of requests	501 - 1000 pages processed - Pages disclosed	1001 - 5000 pages processed - Number of requests	1001 - 5000 pages processed - Pages disclosed	More than 5000 pages processed - Number of requests	More than 5000 pages processed - Pages disclosed
1 to 15	0	0	0	0	0	0	0	0	0	0
16 to 30	0	0	0	0	0	0	0	0	0	0
31 to 60	0	0	0	0	0	0	0	0	0	0
61 to 120	0	0	0	0	0	0	0	0	0	0
121 to 180	0	0	0	0	0	0	0	0	0	0
181 to 365	0	0	0	0	0	0	0	0	0	0
More than 365	0	0	0	0	0	0	0	0	0	0
Total	0	0	0	0	0	0	0	0	0	0

Part 8 – Complaints and investigations notices received

Part 8 - Complaints and investigations notices received
Section 31	Section 33	Section 35	Court action	Total
13	0	20	7	40

Part 9 – Privacy impact assessments and personal information banks

9.1 Privacy impact assessments

Part 9 - Privacy impact assessments and personal information banks - 9.1 Privacy impact assessments
Number of privacy impact assessments completed	3

9.2 Personal information banks

Part 9 - Privacy impact assessments and personal information banks - 9.2 Personal information banks
Active	Created	Terminated	Modified
45	2	0	2

Part 10 – Material privacy breaches

Part 10 - Material privacy breaches
Number of material privacy breaches reported to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat	5

Part 11 – Resources related to the Privacy Act

11.1 Costs

Part 11 - Resources related to the Privacy Act - 11.1 Costs
Expenditures	Amount
Salaries	$11,653,758
Overtime	$407,677
Goods and Services	$1,655,214
Professional services contracts	$185,826
Other	$1,469,388
Total	$13,716,649

11.2 Human Resources

Part 11 - Resources related to the Privacy Act - 11.2 Human Resources
Resources	Person years dedicated to privacy activities
Full-time employees	128
Part-time and casual employees	11
Regional staff	0
Consultants and agency personnel	2
Students	1
Total	142

Appendix B – Supplemental statistical report

Requests affected by COVID–19 measures

In 2020–2021, the Treasury Board of Canada Secretariat included a requirement for institutions to demonstrate the capacity to receive and process requests as a result of COVID-19 measures.

Table 1 – Capacity to receive requests

The following table reports the total number of weeks the CRA was able to receive access to information and privacy requests through different channels.

The following table reports the total number of weeks the CRA was able to receive access to information and privacy requests through different channels.
-	Number of weeks
Able to receive requests by mail	44
Able to receive requests by email	44
Able to receive requests through the digital request service	44

Table 2.1

The following table reports the total number of weeks the CRA was able to process paper records in different classification levels.

The following table reports the total number of weeks the CRA was able to process paper records in different classification levels.
-	No capacity	Partial capacity	Total
Unclassified paper records	8	44	52
Protected B paper records	8	44	52
Secret and top secret paper records	8	44	52

Table 2.2

The following table reports the total number of weeks the CRA was able to process electronic records in different classification levels.

The following table reports the total number of weeks the CRA was able to process electronic records in different classification levels.
-	No capacity	Partial capacity	Full capacity	Total
Unclassified paper records	8	27	17	52
Protected B paper records	8	27	17	52
Secret and top secret paper records	8	27	17	52

Appendix C – Delegation order

Image description

Privacy Act

Delegation Order

I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to subsection 73(1) of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties, or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.

This designation replaces all previous delegation orders.

Diane Lebouthillier
Minister of National Revenue

Signed in Ottawa, Ontario, Canada this 15th day of May, 2020

The CRA positions that are authorized to perform the powers, duties, and functions given to the Minister of National Revenue under the provisions of the Privacy Act and its Regulations are:

Commissioner

Full authority

Deputy Commissioner

Full authority

Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer

Full authority

Director General, Access to Information and Privacy Directorate, Public Affairs Branch

Full authority

Director, Access to Information and Privacy Directorate, Public Affairs Branch

Full authority

Assistant directors, managers, technical reviewers/advisors, Access to Information and Privacy Directorate, Public Affairs Branch

Full authority except for paragraphs 8(2)(j) and (m) and subsection 8(5)

Page details

Date modified:: 2022-03-14

2020–2021 Annual Report to Parliament on the Administration of the Privacy Act

Introduction

Privacy Act

Table of contents

About the Canada Revenue Agency

Branches

Regions

Chief Privacy Officer

Agency Privacy Council

Personal Information Incident Working Group

Access to Information and Privacy Directorate

Delegating responsibilities under the Privacy Act

Operational environment including the impact of COVID-19

ATIP Way Forward Modernization Initiative

epost Connect™

eFax®

Legal opinion repository

Organizational changes

Human resources

Modernizing the Access to Information Act and the Privacy Act

Protection of Personal Information Vulnerability Review

Training

Raising awareness

Collaborating with oversight bodies and other organizations

Privacy management program

Enhancing the Privacy Management Program, including policies, guidelines and procedures

Managing privacy breaches

2020 cyber incidents (credential stuffing)

Revoked credentials

Internal procedures manual

Updating Info Source

Monitoring compliance

Privacy assessments

Privacy impact assessment

Privacy compliance evaluation

Privacy protocol assessment

Summaries of completed privacy assessments

Canada emergency response benefit

Offshore Tax Informant Program V2

CRA personnel security screening

Canada Emergency Wage Subsidy Program

Digital Mailroom Project

Interpretation and explanation of Appendix A – Statistical report

Part 1 – Requests under the Privacy Act

Other requests and workload

Part 2 – Requests closed during the reporting period

Disposition and completion time

Exemptions

Exclusions

Format of information released

Complexity

Closed requests

Deemed refusals and requests closed beyond legislated timelines

Requests for translation

Part 3 – Disclosures under subsections 8(2) and 8(5)

Part 4 – Requests for correction of personal information and notations

Part 5 – Extensions

Part 6 – Consultations received from other Government of Canada institutions and organizations

Internal consultations

Part 7 – Completion time of consultations on Cabinet confidences

Part 8 – Complaints and investigation notices received

Part 9 – Privacy impact assessments and personal information banks

Part 10 – Material privacy breaches

Part 11 – Resources related to the Privacy Act

Costs

Human resources

Interpretation and explanation of Appendix B – Supplemental statistical report

New data on requests affected by COVID–19 measures

Conclusion

Appendix A – Statistical report

Statistical report on the Privacy Act

Part 1 – Requests under the Privacy Act

Part 2 - Requests closed during the reporting period

Part 3 - Disclosures under subsections 8(2) and 8(5)

Part 4 – Requests to correct personal information and notations

Part 5 – Extensions

5.1 Reasons for extensions and disposition of requests

5.2 Length of extensions

Part 6 – Consultations received from other institutions and organizations

Part 7 – Completion time of consultations on Cabinet confidences