Information & Ethics Committee on April 8th, 2014

We certainly view it as a shared responsibility.

With regard to what we ask Canadian taxpayers to do to protect the information that they send to us, we always ask them to make sure that they have verified that they are dealing with us, that whenever they're in doubt, they take advantage of our 1-800 numbers and call us to be sure that they're sending the information to the right people in the right way. We're quite involved with the Competition Bureau and financial literacy month, which is another area that we participate in. We do think it's important and helpful for Canadians to understand how their finances work and the kind of information they should be ensuring is kept secure.

Along those lines, a lot of it is around common sense, in some respects, absolutely. But we do have a significant amount of information on our website that helps people understand what the tax system is about and at which points they should be interacting with it, with very careful direction on how to do that so that they are, in fact, sharing only the information they should be sharing with us, and protecting it.

I was just thinking about all the things that we do in CRA, and my colleague alluded to them in her opening remarks, about outreach to try to warn people of the risks to their privacy. On our website we give them tips on what to do to help guard against identity theft.

I'm not sure that we'd be best placed to answer that. From the standpoint of the Canadian Human Rights Commission, those new offences are not offences that come under our purview. They are not matters that people could come to us for in terms of complaints, so I'm not sure what the impact has been on other organizations on this.

If I may, from the Human Rights Commission's perspective, we should keep a human rights lens on whatever measures we put forward, including measures to prevent and redress identity theft. From our standpoint, putting a human rights lens on policies, whatever they may be, is not in competition with the goals of those policies, but it will really, ultimately, strengthen the policies. That would be our broad recommendation on this.

We didn't look at that specifically, so I would be reluctant to say one way or the other.

But we do believe that it's useful to ask that question for any process or approach. It's important to consider whether the process, which may have emerged from the best of intentions, has a negative impact on seniors, women or individuals with disabilities. And if it does, the solution is not simply to put an end to the measure automatically, but to determine whether it is necessary and whether the discriminatory impact can be reduced.

That's what we tried to do with our impact assessment tool. The idea isn't just to identify the practice as a barrier in principle, but to try to help organizations. It's not easy to achieve these objectives, but they do have to be achieved.

Again, this area is a little outside of our area of expertise. What I can tell you is that we have a very big recertification process for all of the software that is available through our site, commercial software, to file income tax and benefit returns. These cannot be certified by the CRA until they've met our very high security standards.

I can also tell you that with regard to our own systems and portals that are used by businesses, individuals, and representatives to deal with us on a variety of matters and access several services, including filing returns, we use the same high level of security that is used by Canadian financial institutions for online services. They are monitored at all times, obviously particularly during tax season, but we're very cognizant of the fact that security, the security of those portals, is instrumental to Canadians having confidence in sharing their information with us, so we have a very rigorous security system around the CRA system.

It essentially is a tiered system. It starts with Shared Services Canada. That has a number of security mechanisms around the outer layer. The next layer is CRA's own firewall, which is extremely strong. In the very rare instances where some kind of malware may get past that firewall, we have a second firewall that also bounces back any kind of malicious software or malicious attack. We have one of the strongest, if not the strongest, security regimes around our technological systems of any government department, for precisely the reasons you're talking about.

Well, that's...yes, we can—

Oh, oh!

Obviously all of the information on a person's income tax and benefit return...so that would be the SIN, their income, and the credits they're applying for. To apply for some credits, you need to provide additional information. It could be medical information, if you're applying for a disability tax credit, for example.

For businesses, the general approach is the same. They must obviously provide business income. They must provide information on the GST and HST that they have collected on behalf of the government. If they are applying for credits, for example, business credits like the research and experimental review credit, they will have to provide information on the work they're doing in order to qualify for that credit.

It's very hard to summarize it in a way that's concise, but yes, we collect a significant amount of information. That's really only a taste of it.

Possibly, yes.

It's probably important to mention also that we do collect information on behalf of some provinces and territories as well, as a more streamlined approach, so we do have provincial information that we collect on their behalf too.

Unfortunately, this is not information that we've collected, the impact on privacy.... We would look at the impacts on the human rights of Canadians of discrimination and so on. I can't provide that.

It may be quantified, but it's not something that the Canadian Human Rights Commission would be quantifying.