Assessment, Benefit and Service Branch (ABSB) Contact Centre Operations v3.0

Assessment, Benefit and Service Branch
Contact Centre Services Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Gillian Pranke
Assistant Commissioner
Assessment, Benefit and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Director General
Access to Information and Privacy Directorate
Public Affairs Branch

Name of program or activity of the government institution

Communications Services

Communications Services involve activities undertaken to ensure that Government of Canada communications are effectively managed, well-coordinated and responsive to the diverse information needs of the public. The communications management function ensures that the public – internal or external – receives government information, and that the views and concerns of the public are taken into account in the planning, management and evaluation of policies, programs, services and initiatives.

Standard or institution specific class of record:

Communications
Record Number: PRN 939

Standard or institution specific personal information bank:

Public Communications
Bank Number: PSU 914

Legal authority for program or activity

Income Tax Act

• Subsection 220(1)
• Section 237
• Paragraph 241(4)(h)
• Paragraph 241(4)(j)
• Subsection 241(5)

Excise Tax Act

• Subsection 275(1)
• Paragraph 277(1)(d)

Financial Administration Act

Additional acts of Parliament that fall under the Canada Revenue Agency’s mandate.

Summary of the project, initiative or change

Overview of the Program or Activity

All external clients using the services of Canada Revenue Agency (CRA) contact centres are referred to as “taxpayers” throughout this document.

Contact centre operations

The Assessment, Benefit and Service Branch (ABSB) has eight enquiries contact centres that support three lines of business: individuals, benefits, and business enquiries.

Enquiries contact centres

ABSB enquiries contact centres provide support to individuals, benefit recipients, businesses, and trusts. This support helps those groups:

• meet their tax obligations
• be aware of their benefit entitlements, and
• get answers to general or account-specific enquiries

The contact centre program gives taxpayers the accurate and timely information they need to comply with Canada’s tax legislation. It also gives taxpayers the chance to address any issues or get any information they require to meet their tax obligations and receive their benefits.

The enquiries contact centres handle millions of enquiries every year and remains a key channel for providing service to taxpayers. Agents respond to these enquiries through live discussions, automated messages, and chat responses.

The contact centres use the Interactive Voice Response (IVR) system to offer general and account-specific (secure and authenticated) information. The IVR system is provided on the Hosted Contact Centre Service (HCCS) platform.

As the technical and financial authority, Shared Services Canada owns, maintains, and supports the infrastructure of the HCCS platform. The CRA owns and controls the data it generates or stores in databases within either Shared Services Canada’s or IBM Canada Ltd.’s infrastructure. The HCCS platform accepts calls originating from across Canada, and internationally, and routes them to contact centre agents throughout Canada. Agents, supervisors, and contact centre administrators who are employed or contracted by the CRA are all located at CRA facilities or other authorized locations within Canada.

The HCCS platform provides ABSB contact centres with the following technologies:

• A centralized automated network routing solution that provides the capability to redirect calls to the first available agent in any contact centre across Canada and allows agents to make outbound calls to taxpayers.
• A centralized standardized IVR system that allows ABSB to present timely messages to callers, helping callers to self-serve.
• A routing system that directs calls to agents based on IVR menu selections. Agent skills are programmed in the system according to their training profile, including their ability to speak English and French. Bilingual agents may receive a call in either official language at any time. Cross-trained agents receive calls of any skill they’ve been trained in.
• A workforce management solution assists with tasks related to forecasting, agent scheduling, and traffic management.
• A quality monitoring solution comprised of various attributes (call recording, and evaluation forms) to monitor and support agents on call handling. This improves the quality of the calls, resulting in improved service to callers.

ABSB currently has two quality assurance programs:

• the National Quality Assurance Program, and
• the Local Quality Assurance Program

Quality assurance allows the CRA to monitor and verify the quality and accuracy of the information provided to taxpayers. Both programs have quality evaluators who use a standardized quality checklist to evaluate how agents meet service quality and information accuracy standards.

ABSB relies on call and screen recordings to perform ongoing quality-assurance monitoring. A core group of quality evaluators, made up of coordinators, team leaders, and managers, examines these recordings. When monitoring a call, the quality evaluators focus on an employee’s accuracy, identify training and coaching needs, areas where further training material is required, and locate opportunities to improve the process. Over time, the expected outcome from monitoring calls is improved accuracy of the information given to taxpayers.

Observations from the Local Quality Assurance Program are used to:

• provide feedback to individual agents
• identify individual training needs
• identify trends, and
• realize efficiency gains

Observations from the National Quality Assurance Program are used to identify the following items across ABSB’s enquiries contact centre network:

• trends
• issues, and
• training needs

Any agent training coming from observations the evaluators make during monitored calls is meant to help improve the accuracy of information provided to taxpayers.

Team members of the National Quality Assurance Program have access to all call recordings across the country. However, team members of the Local Quality Assurance Program have access only to the call recordings for the agents within their contact centre.

ABSB contact centres rely on call recordings to perform ongoing performance evaluations. Nationally, contact centre team leaders use agent performance and quality tools to assess an agent’s performance. These tools:

• provide a complete overview of the knowledge, behaviour, and skills that the CRA expects agents to demonstrate during their telephone interactions with callers, as well as aspects of their off-phone performance
• determine how compatible agents are with the contact centre environment and routine telephone duties
• support the quality and accuracy of responses agents give to taxpayers, and
• provide a fair and transparent assessment process for the agents across all contact centres

Contact centre team leaders use these tools to provide performance overviews throughout the year. Performance evaluation records are not entered or stored in the HCCS platform.

In addition to call recordings, contact centre team leaders use remote quality listening through the supervisor desktop to complete performance evaluations. Remote quality listening enables team leaders to remotely listen in on calls, speak to the agent only, or speak to both the agent and the taxpayer.

During feedback sessions, team leaders give agents their results from monitoring live calls, recorded calls, or both.

The quality monitoring solution enables quality evaluators and team leaders to consistently and objectively assess interactions between agents and taxpayers. Call recordings capture audio interactions between taxpayers, agents, and resource officers. Consultation calls between agents and resource officers are also recorded but not used for performance or quality evaluations.

Quality evaluators use an application, SpeechMiner, to evaluate call recordings. This application is hosted on the Genesys Interaction Recording platform. SpeechMiner has a built-in media player that allows calls stored on the platform to be played back. Selected evaluators can search for calls using an agent’s ID, a line of business, an agent’s skill set (by using the agent’s ID), call duration, and a variety of other searchable metadata.

More information captured as part of the quality assurance program using SpeechMiner includes:

• employee information (limited to the name, office location, and user ID of the employee being evaluated)
•  the name of the quality evaluator performing the review and quality evaluation
• the date the evaluator reviewed and evaluated the recordings, and
• the quality evaluator’s observations on the employee’s communication skills, knowledge of policy and procedures, information-seeking skills, and accuracy of responses when handling a call

Recordings are not exported from the SpeechMiner database to administer the quality assurance programs and they are not kept on an employee’s or a taxpayer’s file.

Each call recording is uniquely identified with an interaction ID number. When recordings are reviewed as part of performance management or quality monitoring, it is the unique reference number that will be noted in the employee’s file. This allows for any relevant recordings to be referenced manually back to the employee’s file.

SpeechMiner provides an option that protects a recording from automatically being deleted. The automatic feature to purge call recordings may be turned off, and authorized individuals may export recordings if required to respond to administrative requests.

SpeechMiner is also capable of recording calls through a screen recording feature. This feature records the screens that an agent accesses while on a call with a taxpayer. Currently, this functionality is not widely available, enabled, or used.

The CRA is currently reviewing existing processes and procedures surrounding the use of recordings for quality monitoring and performance management.

What’s New

Online chat

The CRA offers an online chat service to taxpayers who seek an alternative channel to communicate with the CRA. The online chat service is hosted on the Canada.ca website. When a taxpayer selects this option, they are presented with a privacy statement advising them to not share any personal information other than their first name.

In the online chat, specially trained agents answer general non-account specific questions. Agents answering chats do not access taxpayer accounts while on online chat duties.

The online chat service is offered in both official languages. To ensure taxpayers receive service in the official language of their choice, agents can transfer taxpayers to other agents who are proficient in the taxpayer’s preferred language.

The first version of the online chat was launched on the Microsoft Dynamics platform in February 2022. This platform launched a rudimentary version of the OLC service to test its viability.

The second version of the online chat was launched on the Amazon Web Solutions platform in March 2023. This platform is approved for Protected B information, which means that personal information can be safely transmitted on this platform, even though agents are handling only non-account specific enquiries at this time. The CRA is currently exploring expansion into account-specific chats through My Account.

The online chat does not currently collect personal data, such as a social insurance number (SIN). If a SIN is entered in the chat, the SIN is masked and appears as “XXX XXX XXX” in both the chat window and transcript.

The chat transcripts are collected and stored in the Amazon Web Solutions’ Protected B Cloud. Chat transcripts contain the history of the chat conversation, timestamps of the messages, the agent’s name, and the taxpayer’s first name.

Gen AI

In May 2023, the CRA began exploring the potential benefits of using generative artificial intelligence (Gen AI) to assist CRA contact centre agents. The goal of this exploration was to measure if and how Gen AI technology could enhance agents’ efficiency and accuracy when responding to general, non-account specific, taxpayer enquiries.

The online chat service was chosen as a testing platform because it is an online service available on Canada.ca, that allows Canadians to connect with an agent to enquire about general, non‑account specific, tax topics.

The CRA evaluated two artificial intelligence (AI) models to determine which one, if either, could provide superior assistance to contact centre agents. The data gathering period lasted 5 weeks, beginning in August 2023 and ending in September 2023.

Due to privacy requirements, the CRA did not use Gen AI to analyze any personal or protected information. Since online chat exclusively handles non-account specific enquiries, the pilot did not involve the use of personal or protected information, and it did not involve any administrative decisions or determinations on taxpayer’s accounts. Taxpayers who used the online chat service interacted directly with the contact centre agents, not with the AI.

Amazon Web Services

From April 2020 to March 2021, the CRA used Amazon Web Services as an emergency solution to reduce high call volumes. These web services were put in place to handle only non-account specific calls from taxpayers enquiring about COVID-related benefits. These web services collected minimum personal information. The only information they collected were telephone numbers and phone statistics, which were used for statistical analysis purposes.

In 2022, the CRA was tasked to help administer a one-time direct benefit payment for Canadians facing housing affordability challenges. It launched the one-time top-up housing benefit payment at the end of December on behalf of the Canada Mortgage and Housing Corporation.

From December 2022 to March 2023, ABSB contact centres used the Amazon Web Services telephony platform to handle calls about the one-time top-up housing benefit. The web services routed the calls to contact centre agents. The services continued to collect only telephone numbers and phone statistics for analytical purposes. These calls were not recorded, but they were listened to for quality assurance and performance management.

Online chat through My Account

Effective October 2024, the CRA is piloting an online chat service to allow call centre agents to answer account-specific enquiries from taxpayers through the CRA’s secure online portals after the taxpayer has authenticated themselves. Data residency is maintained in Canada and when taxpayers connect to the chat through My Account, a privacy notice is displayed. Call transcripts may be used for business intelligence reporting, quality assurance, verification, and security.

Business intelligence reporting tools

In fall 2024, the CRA will begin using business intelligence tools to compile and supply summary reports on employees’ performance measurements, including statistical evaluation average comparisons. The intelligence tool will pull the information in the summary reports from existing performance measurement programs and employees can correct any inaccuracies through existing procedures at the original source.

Use of call recordings for training purposes

In addition to quality assurance, the CRA anonymizes (removes any identifying information from) selected live call recordings for training purposes. The goal is to ensure employees can understand and address real life situations. A privacy statement informs callers of the new-use case of recordings when they call the CRA. Voices and content are changed to ensure that no one is identifiable or recognizable and sound effects are used to hide personal information.

Multifactor authentication will be implemented in the contact centre in February 2025 as an additional security feature. When a taxpayer calls one of the enquiries lines, the CRA will send them a one-time passcode by short message service (text message) or by automated phone call after the taxpayer provides their identification details. The CRA agent will ask them for the passcode as an additional authentication support service. 

Scope of the Privacy Impact Assessment

This PIA identifies and assesses privacy risks to personal information relating to enquiries and programs handled by ABSB’s contact centres.

The use of:

• Gen AI to answer non-account specific queries in an automated online chat bot is under discussion and will be assessed in a future version of the PIA
• the video relay service, online chat through My Account, and the creation of a database for business intelligence purposes will be assessed in the next version of the PIA, and
• the multi-factor authentication system will be assessed in the authentication and credential management PIA

Contact centre agents may collect and use a taxpayer’s personal information to access and update program-specific systems at the taxpayer’s request. This collection, use, and potential update of personal taxpayer information is done on behalf of various CRA programs. The personal information that is gathered related to these activities is assessed in the applicable program PIAs. However, this PIA considers the level of risk to the personal information that ABSB contact centres capture, as well as the safeguards in place to protect that information.

Furthermore, because Shared Services Canada is mandated to centralize and manage the Government of Canada’s telecommunications networks, this PIA does not cover the following topics:

• Government of Canada HCCS platform user’s personal data elements collected to deliver, administer, and manage the infrastructure of the HCCS platform, including security monitoring and auditing activities
• Data network services, including all software, servers, data centres, databases, networks, telephone switches, wiring, hubs, routers, and all other hardware required to support data communications between computing devices (in other words, the infrastructure)
• Voice communication services, including local and long-distance services globally, as well as secure voice and other related services, and
• Connectivity from the CRA’s contact centre agent locations to IBM Canada Ltd. data centres

Those topics are instead addressed in Shared Service Canada’s HCCS platform PIA.

Currently, additional features and enhancements that are available through the HCCS platform are not a part of ABSB’s contact centre operations.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services 

Level of risk to privacy: 2

Details:

The CRA uses personal information to administer contact centre operations. This administration includes validating the identity of the caller (if applicable); assisting taxpayers with their personal tax, business, or benefits account enquiries; and monitoring agent and taxpayer interactions. Call recordings capture taxpayer interactions for quality assurance and performance purposes.

B) Type of personal information involved and context

Social insurance number, medical, financial, or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

Contact centre agents may ask a caller for specific personal information (SIN, address, contact information, date of birth, and other identification numbers) to validate the caller’s identity. In addition, they may collect, disclose, and use other personal information to respond to specific caller enquiries, address compliance related matters, send specific information to the taxpayer, update a caller’s account, or various other service and tax-related reasons. Some examples of other personal information are employee personnel information, identification numbers, and financial information; language; biographical information; and medical information. That list is not exhaustive, and additional types of personal information may be collected.

The CRA collects and uses personal information to support the administration of specific tax and benefits programs. The collection of personal information for these programs is also assessed in those programs’ individual PIAs as well.

Quality monitoring

The Quality Assurance Program captures employee information, such as name, office location, user ID of the agent being monitored, name of the employee doing the monitoring, and the date of the monitoring session. Employee information can also include the monitor’s observations of the agent’s communication skills, the agent’s accuracy of responses when handling calls and answering enquiries, and how the agent follows policy and procedures during calls. Recordings are reviewed only to complete evaluation forms and are not kept in the taxpayer’s file.

Performance management

Performance management programs in ABSB’s contact centres capture employee information, such as name; office location; user ID of the agent being evaluated; the name of the team leader; the dates of the evaluations; the team leader and/or quality program’s observations of the agent’s knowledge, behaviour, and skills when answering taxpayer’s calls; and how compatible the agent is with the contact centre environment and phone duties. Recordings may be reviewed if the agent disagrees with their performance evaluation. Calls used for performance evaluations will not be reflected in taxpayer’s file.

Workforce management, reporting functions, set-up, and administration

Workforce management solution can automate tasks related to forecasting, agent scheduling, and traffic management. Additional personal information collected through workforce management includes employees’ language qualifications, skills set, and other individual metrics coming from their use of the HCCS systems when performing their job-related duties.

Telephone call properties

The HCCS captures telephone call properties, including date, time, telephone numbers, and length of the call. Outbound calls made by the automated outbound dialer also captures this information, including whether the call was answered and to whom the call was transferred to upon connection. All inbound telephone numbers without “call blocking” turned on are also captured. This type of caller information is under the CRA’s control and is collected and stored in the vendor’s data centre. It is collected and stored for statistical reasons and call tracing, as well as to perform quality assurance reviews.

The Amazon Web Solutions telephony platform captured telephone call properties, including date, time, telephone numbers, and length of the call. The system does not capture call recordings or personal information. Information collected through this platform is used for statistical analysis.

Online chat

In the current phase of the online chat service, personal data such as the SIN is not collected. If a SIN is entered in the chat, the SIN is masked and appears as XXX XXX XXX in both the chat window and transcript. However, the chat transcripts are collected and stored in the Amazon Web Solutions’ Protected B cloud. Chat transcripts contain the history of the chat conversation, timestamps of the messages, name of the agent, and the name the taxpayer enters.

There are two storage locations for transcripts. The first location is for the online chat service, and the second location is specifically for the Gen AI pilot. The storage for online chat is rated for Protected B information.

Gen AI

The Gen AI pilot was tested only on the online chat. Since the online chat exclusively handles non-account specific enquiries, the Gen AI pilot did not include the use of personal or protected information, and it did not involve any administrative decisions and determinations on taxpayers’ accounts. However, if personal information was collected inadvertently due to human error, procedures were in place to promptly remove the chat transcript from storage as well as track the instances it happened. During the whole pilot, there were no incidents involving collecting taxpayers’ personal data in error.

Chat agents receive detailed procedures, technical job aids, and training specifically tailored to their role. They were also extensively briefed on identifying personal information. As the Gen AI tool was integrated into the online chat service platform, chat agents were trained to not activate the Gen AI if any personal or protected information was disclosed during a chat.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details:

The CRA ABSB Contact Centre partnered with Shared Services Canada to perform a security assessment of the contact centre’s platform and its databases and to ensure identified risks are addressed immediately. Shared Services Canada provides operational support to CRA and is responsible for security operations processes when required by IBM Canada Ltd., or the CRA. Shared Services Canada provides service portal account creation and management activities for CRA administrators.

All personal information under the CRA’s control and held on the contact centre platform is stored in encrypted format. As well, it is not readily accessible to users outside of CRA contact centre programs. Access is restricted to those users necessary for application support.

Additional contracts and agreements are held with IBM Canada Ltd. for security and administrative purposes.

In 2023, the Information Technology Branch and ABSB formed a partnership to get the services of two AI models. The purpose of these models was to investigate the potential benefits of employing Gen AI technology in assisting ABSB contact centre agents to answer general online chat enquiries.

The Contact Centre uses the services of an electronic, private sector, service provider to maintain and support the infrastructure and to store databases. IBM Canada Ltd. may also collect or derive metadata about the use and operation of the systems on the HCCS platform and their functionality to ensure those systems meet quality and security objectives. IBM Canada Ltd. will also collect and log information regarding the user, system, application, database, and security system events. This is required to ensure confidentiality, integrity, availability, and auditability of the system. The Amazon Web Services system did not collect personal information.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

The contact centre is a long-term support program with no sunset date. Certain activities conducted within the contact centre are short-term projects with an established sunset date. Online chat is a long-term program with no established end date.

The CRA launched the first version of the online chat program on the Microsoft Dynamics platform in February 2022. The second version was launched on the Amazon Web Services platform in March 2023. Currently, there is no end date for this online chat program, and the CRA is exploring expansion.

Gen AI

The Gen AI pilot lasted 5 weeks. During this pilot, the CRA stored the data generated by two AI models in the CRA’s Amazon Web Services cloud account for a maximum of 6 months from the date of the project’s launch.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The CRA contact centre operations affect certain employees (for example, contact centre agents), as well as individuals who contact the CRA through the contact centres. Calls are recorded for quality and performance evaluation purposes. This may affect the contracts of contact centre agents. Personal information is collected from external individuals who contact the agency for security and verification purposes and program administration.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

   Risk to privacy: Yes

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

   Risk to privacy: Yes

3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: Yes

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

Call recordings are used to administer quality assurance program and performance management activities.

Information captured in the quality assurance program evaluation forms may be printed out in report format. These reports will not include a transcription of the call. These reports do not contain caller’s personal information; however, they may contain the employee’s personal information. The call recordings used in these evaluations will be kept within the SpeechMiner application for two years. After that, they will be automatically deleted from the system.

Call recording reviews are used to assess contact centre agents for performance management purposes. Unlike the quality assurance program, there is no evaluation form in SpeechMiner for performance management. Team leaders use agent performance and quality tools along with call recordings. These tools do not include call transcripts but may contain the employee’s personal information and other call properties.

As an infrastructure service, the HCCS platform collects and stores personal information, and provides connectivity between clients (the public and other Government of Canada employees) and agents (CRA employees or contractors). The HCCS platform solution is hosted on the IBM Canada Ltd. premises. The IBM Canada Ltd. solution is connected to Shared Services Canada’s Security Operations Centre for security event monitoring and coordination with the IBM Canada Ltd. incident response capability. The current plan is to store all recordings on the IBM Canada Ltd. servers unless otherwise required to export them. IBM Canada Ltd. servers are certified to protect information up to, and including, Protected B material.

The HCCS platform-managed service can accept calls from across Canada and internationally, and will route them to agents throughout Canada. It also allows outbound calls to be made from contact centres.

Callers can contact the CRA using traditional telephony (public switched telephone network, Centrex, private branch exchange, or mobile) and alternate contact channels such as Voice over Internet Protocol (VoIP).

To access account-related information through the IVR self-serve application, a caller selects the IVR service. This then prompts the caller for identification information (for example, SIN, date of birth, and line 15000 of their income tax return). The IVR application sends this information through the IVR Interface Manager to the mainframe. The information is then translated to a voice-recorded message to the taxpayer.

CRA employees work on government-issued laptops and cellphones using secure remote access and wireless technologies.

The pilot project for the online chat service used wireless cloud-based technologies.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

Due to the nature of the personal information collected and used during contact centre operations, a privacy breach could result in embarrassment, financial loss and identity theft, and harm to their reputation. In limited cases, a breach could result in physical or psychological harm.