Anonymous Internal Fraud and Misuse Reporting Line v4.0
Security Branch
Security Services Directorate
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Vicki Walker
Director General
Security Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Travel and Other Administrative Services
Standard or institution specific class of record:
Security
PRN 931
Standard or institution specific personal information bank:
Security Incidents and Privacy Breaches
Bank Number: PSU 939
Legal authority for program or activity
- Paragraph 30 (1)(a) of the Canada Revenue Agency Act
- Paragraph 30 (1)(d) of the Canada Revenue Agency Act
- Section 51 of the Canada Revenue Agency Act
- Section 241 of the Income Tax Act
- Section 295 of the Excise Tax Act
- Subsection 38 (2), section 78, paragraphs 80 (1) (b), (c), (d) and (e), subsection 80 (2) and section 81 of the Financial Administration Act
- Paragraph 16.4 (1) (b) of the Federal Accountability Act
- Section 122 of the Criminal Code
Summary of the project, initiative or change
Overview of the Program or Activity
The Canada Revenue Agency (CRA) relies on an effective and integrated security framework, which helps prevent, detect, recover and respond to events that could compromise the security and safety of the information, employees, and assets it holds.
The Internal Investigations Program is responsible for developing corporate policy instruments, initiatives, strategies, and implementation plans for the effective delivery of the CRA’s investigations program and for conducting independent administrative investigations into allegations of employee misconduct including fraud, misappropriations and violations of the Financial Administration Act, the Income Tax Act, the Excise Tax Act, the Excise Act, the Privacy Act, the Code of Integrity and Professional Conduct, and various CRA policies, guidelines and regulations.
The CRA Anonymous Internal Fraud and Misuse Reporting Line helps support the above-mentioned Program. It is intended to give employees an anonymous, confidential, and secure way to report suspicions of fraudulent activity engaged in by employees and management. This communication channel is managed by an independent third party contractor.
By making the reporting line available to individuals, the CRA is ensuring that they are able to speak up with confidence. The external service provider is completely independent from the CRA, and the reporting line system, ClearView Connects™, resides on their own secure servers.
An individual may use either the web-based system or the telephone line system to report allegations of internal fraud and misuse. Individuals will be able to write text in freestyle form in the web application and choose the category of the allegation. Individuals that are reporting will be reminded not to include any of their own personal information or any information that would identify them. The reporting line system assigns them a secure login ID and password for the report that they submitted. They can log into the system or call the line and use their login ID and password to check the status of their report. Since the login ID and password are created by the system, their anonymity is maintained.
This method of reporting internal fraud or misuse is completely anonymous: the information reported will not be audio recorded or traced. If individuals are using the online system, the session is encrypted and the IP address is not identified with the report. If individuals are calling the telephone line and speaking to a live operator, the call is not recorded, nor is caller ID used. The report is transcribed by a trained operator into the reporting line system verbatim (in the exact words, word for word).
The external service provider system collects the information and submits it to designated employees of the Internal Affairs Division (IAD), who are automatically notified (via email) by the system when a report has been submitted. They can log in to view the report and may ask follow-up questions and inform the reporter about how the report is being addressed. The external service provider does not review reports submitted into the system. This is the responsibility of authorized individuals in the IAD’s Security Services Directorate, who make sure reports are reviewed and investigated as needed, in a fair and timely manner—as they would do for any reports received through other channels.
The IAD reviews all allegations received through the anonymous reporting line to decide whether each one is about a current CRA employee and whether it relates to internal fraud or misuse. If so, the matter will be investigated. If not, when possible, the matter will be referred to another sector of the CRA; otherwise it will be closed. While individuals will be encouraged to use the reporting line only for its intended purpose, a “no wrong door” approach will be applied. When individuals report something that is not considered internal fraud or misuse, the situation will be handed to the proper avenue, and is out of scope for this privacy impact assessment. In addition, the interactive feature of the tool will be used to inform employees of the proper channel for the matter they reported.
All personal information collected and held by the external service provider will be the property of the CRA. As such it will be subject to the Access to Information Act and the Privacy Act in the same way as any information held by the IAD. All records created or received in relation to the contract will be sent to the CRA when the contract ends, when the contract is terminated, or when the CRA requests it. Upon delivery of the personal information to the CRA, the external service provider will have no right to keep that information in any form and must make sure no record of the personal information remains in its possession.
What’s New
The CRA created a new Security Branch on April 1, 2022. At the same time, and following organizational changes, the Security and Internal Affairs Directorate was renamed the Security Services Directorate and the Internal Affairs and Fraud Control Division was renamed the Internal Affairs Division. In addition, the CRA has entered a one‑year contract extension with ClearView Strategic Partners Inc. effective April 1, 2023 until March 31, 2024. The contract conditions remained unchanged.
Scope of the Privacy Impact Assessment
This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Anonymous Internal Fraud and Misuse Reporting line activities. The investigation activities stemming from allegations obtained through the reporting line, and reports which have been transferred to other areas because they are not deemed to be internal fraud or misuse, are out of scope of this PIA.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
The reporting line is available to individuals to report allegations of internal fraud and misuse by CRA employees. If it is decided that the allegation is about a current CRA employee, and if it relates to internal fraud or misuse, the matter will undergo a preliminary review, which may lead to a formal investigation.
B) Type of personal information involved and context
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.
Level of risk to privacy: 4
Details:
The information expected to be received through the reporting line includes allegations of employee misconduct related to internal fraud or misuse and is not different than the information already received through other channels and reported to the Internal Investigations Program. The information may include personal information of employees and occasionally it might include taxpayer information, such as name, contact information, financial information, marital status, etc. Individuals that are reporting will be able to write text in freestyle form in the web application and choose the category of the allegation (for example, financial management and fraud, abuse of authority, breach of trust). Individuals that are reporting will be reminded not to include any of their own personal information or any information that would identify them.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments.
Level of risk to privacy: 4
Details:
The information or allegation received through the reporting line may be shared within the CRA. The reporting line is being hosted by a privately‑owned Canadian corporation through an online (web) system and telephone line system. However, no information on the allegations received (for example, the total number of cases investigated, or investigation results) will be shared with the third party.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
The reporting line is an ongoing CRA activity with no expected sunset date.
E) Program population
The program affects certain employees for internal administrative purposes.
Level of risk to privacy: 1
Details:
The initiative will only affect certain CRA employees based on allegations of misconduct received through the CRA anonymous internal fraud and misuse reporting line.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: No
G) Personal information transmission
The personal information is transferred to a portable device or is printed.
Level of risk to privacy: 3
Details:
When a report is received by the external service provider system, notifications are automatically sent through email to the CRA’s authorized reviewers in the Internal Affairs Division (IAD). Authorized reviewers are also automatically notified whenever an individual includes additional information, either through a comment, or by uploading documents or further information. The CRA‑authorized reviewers will access the allegation through ClearView Connects provided by the external service provider.
The reporters will receive a login ID and password when submitting a report so that they can login again later to check the status of their report.
They can also include an email address (which will remain anonymous) to receive email notifications whenever their report has been updated by a CRA reviewer. Reporters’ email addresses, provided to the contractor using the Reporter Notification feature, will not be accessible by CRA’s authorized reviewers. To maintain anonymity, ClearView gives a unique identifier for each allegation. ClearView will also:
- store the email addresses on their own secure server, and will not pass them on to the client organization
- only use the email address to notify the reporter of activity relating to their report
- delete the email address when the report is closed or has not been logged into for 90 days
The reporter can turn off the email notifications at any time by logging into clearviewconnects.com and changing the email notification settings. The reporter will be notified when ClearView deletes their email address. Email notifications will only remind the reporter to log into clearviewconnects.com and will not contain any report information.
All allegations received through the reporting line will be copied and pasted in the IAD case management system. The system tracks the Branch or Region, the category of allegation, where it was referred (if it did not meet the IAD mandate) and the result of the preliminary analysis. The information is stored on a server and in a shared network drive only accessible by authorized employees of the IAD, for internal use (referral to other areas, closed cases or cases requiring investigation services). There is no direct link or connection between the external service provider system and CRA systems.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
There is a risk that the individual may suffer embarrassment that could have a negative effect on an individual’s career and reputation if the report is disclosed without their knowledge or consent. There is also a risk that such a privacy breach could influence their career in terms of how their performance is assessed.