Thank you, Mr. Chair and committee members.
My name is Maxime Guénette. I'm the Assistant Commissioner of the Public Affairs Branch, and Chief Privacy Officer of the Canada Revenue Agency.
With me today is Marie-Claude Juneau, Director of the Access to Information and Privacy Directorate at the Agency, whom you may remember from her appearance before this committee earlier this year in the context of its study of the Access to Information Act.
We are both pleased to appear before you today in support of your study of the reform of the Privacy Act.
With some 40,000 employees, the Agency is one of the Government of Canada’s largest institutions. Very few organizations interact with Canadians as much as we do. In 2014-2015 alone, 31 million individuals and corporate taxpayers interacted with the CRA.
As a result, we have one of the largest personal information holdings in the Government of Canada, as acknowledged by the Privacy Commissioner. Therefore, the Agency takes its obligations under the Privacy Act and related policy instruments very seriously.
This is because the trust Canadians place in the Agency to protect their information is the cornerstone of Canada’s system of voluntary self-assessment. In particular, section 241 of the Income Tax Act and section 295 of the Excise Tax Act prohibit the disclosure of taxpayer information by any employee of the Canada Revenue Agency, unless specifically authorized under these Acts. Breach of these provisions is a criminal offence and is subject to strong penalties, up to and including imprisonment.
Accordingly, recognizing the critical importance of sound privacy management, and in keeping with the recommendation of the Privacy Commissioner, the Canada Revenue Agency appointed its first Chief Privacy Officer in 2013, and I have the privilege of having been appointed to this role two months ago, in August 2016.
As the chief privacy officer, I oversee all privacy management activities within the agency. This oversight is informed by ongoing performance measurement in key areas, including information technology, security, communications, and training.
As part of my duties, I am accountable for the provision of oversight, advice, and support to achieve compliance with legislative and policy requirements. In my capacity as chief privacy officer, I am required to brief the agency's management committee and our board of management on the state of privacy management at least twice yearly. I also chair a senior-level committee that addresses privacy issues as an integral part of the agency's business.
Over the past several years the agency has implemented numerous technological changes to further strengthen privacy management. We have enhanced front-end controls to our systems to ensure that employees have access only to the CRA computer systems that they require to perform their duties. We have also strengthened back-end controls to build on our automated systems for better monitoring of transactions performed by employees. These monitoring controls will be fully implemented next year, and these are as a result of a recommendation from the Privacy Commissioner in the audit from 2013.
Through a phased approach, the agency, so far, has implemented six of the nine recommendations stemming from the Privacy Commissioner's 2013 audit. Three of the recommendations involving multi-year investments continue to be implemented. We expect they'll be implemented in 2017.
Overall, the CRA has invested over $10 million and is planning further significant investment to enhance its identity and access management controls to improve the protection and confidentiality of taxpayer information and to reduce the risk of internal fraud.
We have also improved our procedures to address and manage privacy breaches so as to ensure more timely reporting of material privacy breach incidents to the Office of the Privacy Commissioner and to the Treasury Board Secretariat.
As you know, Canadians are technologically savvy and are avid consumers of online content. This makes them very sophisticated clients. They rightly expect from their government institutions the same high-quality and timely online interactions as they have become accustomed to receiving from service providers, such as Google or Amazon. For instance, we expect more than 86% of Canadians will file their taxes online next year. We expect that number to probably reach about 90% within three years.
The agency is continuing to invest in ways to improve our services to Canadians, largely through ongoing investments in IT-based solutions, such as My Account, Manage Online Mail, and MyCRA app. Yet as we work to keep pace with the latest innovations and with consumer expectations for faster, more user-centric, and more seamless service, we must ensure that appropriate measures are in place to safeguard the personal information we collect as part of our work.
The CRA assesses its new and modified technological advancements, programs, and activities from a privacy perspective by conducting privacy impact assessments, or PIAs. So far this year we have completed 16 PIAs, and we are on track to complete approximately 18 more by the end of the fiscal year. Our PIA plan includes 20 active PIAs at this time. This is one way we balance this fine line between meeting the expectations of Canadians with regard to service improvement, while ensuring new initiatives comply with privacy requirements.
The Agency also strives to ensure that its employees are well aware of their responsibilities in safeguarding the personal information within their custody. Our Code of Integrity and Professional Conduct, and our Integrity Framework, have been important tools to impart on employees the extent to which the protection of the privacy rights of taxpayers is central to their responsibilities, even after they leave the Agency.
Despite these measures and the many efforts to safeguard personal information, breaches do, unfortunately, occur from time to time. The CRA is keenly aware that, due to the nature of the information holdings we have, a breach of personal information can be seriously injurious to an individual or an organization. For this reason, all privacy breach incidents are assessed with a very high level of rigour. There is always room for improvement, and the Agency is continuously looking for ways to enhance its privacy management practices through program, policy and technological changes.
In fact, we regularly consult with the Office of the Privacy Commissioner and the Treasury Board Secretariat on the subject. The Agency has strong processes, policies and procedures to ensure compliance with the Privacy Act and its related policy instruments. Controls are in place, and we continue to assess and improve those controls on an ongoing basis. Our responsibility to protect Canadians’ information is fundamental to who we are and what we do. That is why we continue to dedicate significant efforts to meeting the expectations of Canadians in this regard.
I hope that I've given committee members a useful overview of the Canada Revenue Agency’s operating environment as it relates to the Privacy Act.
Ms. Juneau and I will be very pleased to answer your questions.
Thank you.
Thank you, Mr. Chair.