Vaccination Policy for the Canada Revenue Agency

Human Resources Branch
Workplace Relations and Compensation Directorate

On this page

Overview & Privacy Impact Assessment (PIA) Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Sonia Côté
Assistant Commissioner and Chief Human Resources Officer
Human Resources Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Human resources management

Standard or institution specific class of record:

Occupational Health and Safety – Standard Class of Record (PRN 922)

Recruitment and Staffing – Standard Class of Record (PRN 920)

Standard or institution specific personal information bank:

Standard PIBs: Occupational Health and Safety, PSE 907, Employee Personnel Record, PSE 901.

Legal authority for program or activity

Personal information is collected under the authority of sections 30(1)(d) and 51(1)(i) of the Canada Revenue Agency Act and the Policy on COVID-19 Vaccination for the Canada Revenue Agency, and section 124, Part II of the Canada Labour Code.

Summary of the project, initiative or change

Overview of the Program or Activity

The Prime Minister and the Deputy Prime Minister announced on October 6, 2021 that full COVID-19 vaccination would become a new condition of employment for the core public administration. As a separate and large federal employer, the Canada Revenue Agency (CRA) supported and followed the direction outlined in the Treasury Board of Canada Secretariat’s Policy on COVID-19 Vaccination for the Core Public Administration including the Royal Canadian Mounted Police in developing the CRA’s policy. 

The CRA prioritizes the health and safety of employees in the workplace. Vaccination against COVID-19 was a requirement for all federal public servants as part of the approach to protect federal public servants and the community from COVID-19 and ensuring safe workplaces. Vaccination added a layer of protection that worked with other public health measures to combat the spread of the virus.

The Policy on COVID-19 Vaccination for the Canada Revenue Agency (the Policy), which was fully endorsed by the Board of Management, and the CRA Guide for Implementation of the Policy on COVID-19 Vaccination and Testing, came into effect on November 8, 2021. Under the Policy, CRA employees were required to attest to their vaccination status. The requirement for employees to be vaccinated applied whether they were working remotely in accordance with the Policy on Workplace Management, or working on-site. All employees of the CRA were to be fully vaccinated unless accommodated based on a certified medical contraindication, religion, or another prohibited ground of discrimination under the Canadian Human Rights Act.

Other COVID-19 preventative measures also continued to be in place, including encouraging remote work as much as possible, maintaining a physical distance of at least two metres, washing hands, wearing masks in common areas indoors or outdoors, and staying home when sick.

New hires and Interchange participants

All new hires to the CRA, on or after the effective date of the Policy, were required to be fully vaccinated as a condition of employment and to attest that they were fully vaccinated before the start date of their appointment unless accommodated for a medical contraindication, religion, or another prohibited ground of discrimination under the Canadian Human Rights Act.

The requirement for mandatory vaccination also applied to CRA Interchange outgoing and incoming participants. Outgoing participants were still CRA employees while they were on Interchange assignments and therefore, they were expected to comply with the requirement for vaccination as per the Policy. The principles of the Policy also applied to incoming interchange participants, and they also needed to meet the applicable requirements of the Policy.

Volunteers and Visitors

Under the authority of section 30 of the Canada Revenue Agency Act, the CRA extended the requirement to be vaccinated to volunteers and visitors, whose activities involved access to CRA worksites. This would help to ensure the health and safety of volunteers and visitors themselves as well as CRA employees. 

A CRA employee providing access to a volunteer and visitor would confirm their full vaccination status in advance of providing access to a CRA worksite, but would not collect, retain or store any personal information - including proof of vaccination, proof of identification, or responses from the screening questions. In addition, a CRA employee would have advised the volunteer or visitor to respect physical distancing and other public health recommendations implemented at the CRA.

Vaccine attestation verification

As per the Policy, employees had an obligation to provide a true attestation. Making a false statement would have constituted a breach of the Code of Integrity and Professional Conduct and the Values and Ethics Code for the Public Sector and may have resulted in administrative and/or disciplinary action up to and including termination of employment.

All attestation information was subject to verification and audit. In accordance with the Policy, if required, employees provided proof of vaccination, in a format defined by the CRA, and any associated data or information in any system prescribed by the CRA.

Following a high-level review of the suspended Policy, the decision was made by CRA to continue with the suspension of its Policy and to suspend the verification process related to the Policy effective March 30, 2023.

Scope of the Privacy Impact Assessment

The main scope for this PIA is to assess for privacy risks associated with

the operationalization of the Policy. For example, this PIA describes and analyzes how an employee submits an accommodation request via Employee Self-Service and how a manager records a decision in the application, as well as who has access to that ESS entry through direct access or a report.

The following key elements are included in the scope:

The following element is out of scope:

Short and long-term contractors: The Finance and Administration Branch worked with short and long term contractors either through Public Service and Procurement Canada or its own contracting authority to ensure that the vaccination requirement was reflected. It ensured coordination with custodian federal departments, private sector landlords and real property contractors, to offer accessible and safe spaces to provide rapid testing, and to determine waiting areas with the appropriate COVID-19 protocols, if on-site rapid testing was required to be administered on-site. 

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement  

Level of risk to privacy: 3

Details:

The information would be used to complete the three phases of the verification process to potentially detect fraud.

  1. verification of attestations to confirm the validity of attestations;
  2. verification of the decisions on requests for employees who attested to being unable to be fully vaccinated and requested accommodation;
  3. verification of the administrative leave without pay process for the employees who were non-compliant with the Policy.

Administrative consequences could result such as employees being placed on leave without pay.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

Personal information collected includes sensitive health and biographical information, such as an indication of a contradiction to the vaccination, and the nature of a sincerely held religious belief or practice. 

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details:

Aggregate information only such as in statistical reports, may be shared with the Treasury Board of Canada Secretariat (TBS) and/or Health Canada.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

Effective November 8, 2021, under the Policy on COVID-19 Vaccination for the CRA, which was fully endorsed by the Board of Management, and the CRA Guide for Implementation of the Policy on COVID-19 Vaccination and Testing, COVID-19 vaccination became a new condition of employment.

The Board of Management approved the suspension of the Policy effective June 20, 2022. This meant the following:

Following a high-level review of the suspended Policy, the decision was made by CRA to continue with the suspension of its Policy and to suspend the verification process related to Policy effective March 30, 2023.

E) Program population

The program affects most or all employees for internal administrative purposes.

Level of risk to privacy: 2

Details:

This policy applies to employees of the CRA and to any other individuals required to follow CRA policy, and is mandatory to follow. For the purpose of the policy, an employee is a person so defined in Section 2 of the Federal Public Sector Labour Relations Act regardless of whether they work on-site or participate in a virtual work arrangement (for example, telework).

For the purpose of the policy, it also includes:

The principles of the policy are applicable to Interchange participants and volunteers.

There were also implications for visitors who required access to CRA worksites and some candidates for employment at the CRA.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

    Risk to privacy: Yes

  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

    Risk to privacy: Yes

  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details:

In most cases, employees and managers performed their duties under the Vaccination Attestation Program via the Employee Self-Service / Manager Self-Service portal of the Corporate Administrative System which is only accessible from a CRA computer connected directly to the CRA network or secured through secure remote access.

Employees unable to record their attestation in the Corporate Administrative System completed a manual attestation form (in PDF) and sent it by encrypted email to a generic inbox managed by a limited number of employees in the Labour Relations program. Once received, those Labour Relations employees recorded the attestation in the Corporate Administrative System for the employee and stored the PDF form in a folder of the generic inbox to limit access.

External candidates as well as employees from other government departments completed the attestation requirements via a protected Integrated Staffing System questionnaire sent to them through their candidate profile.

Completed questionnaires are submitted by the candidates and reviewed by Integrated Staffing System users with the appropriate role.

On the Integrated Staffing System user side, the application uses role-based access privileges ensuring that individuals have access only to that for which they are authorized.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

Due to the nature of the personal information collected (for example, medical information, religious values) and the sensitivity around vaccination, a privacy breach could potentially result in reputation harm, embarrassment, financial loss and identity theft.

Page details

Date modified: