Evidence of meeting #140 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cases.
A recording is available from Parliament.
Conservative
Adam Chambers Conservative Simcoe North, ON
The decision to not report was not a ministerial decision.
Commissioner of Revenue, Canada Revenue Agency
Well, I guess I just take responsibility for it. It was a circumstance that we couldn't...as a result of the workload.
Conservative
Adam Chambers Conservative Simcoe North, ON
Look, here's the issue. For example, since we're on this issue about decision rights, whose decision was it to reverse the decision on bare trusts? Was it a ministerial decision to reverse that decision, or was it a departmental decision to reverse the requirement to file for bare trust?
Commissioner of Revenue, Canada Revenue Agency
I'm trying to remember exactly how we came to that decision. I have some delegated authorities in that regard, and I discussed it with the minister, for sure.
Conservative
Adam Chambers Conservative Simcoe North, ON
A former boss of mine said that you can always delegate responsibility but not accountability. It seems to me that there's a bit of murkiness around decision and veto rights, who makes a recommendation and who, ultimately, decides. On one hand, if it's the department deciding on, as an example, bare trusts.... The testimony is that the CRA can decide on its own to not implement a decision by the government or the finance department. It seems to me that there's a bit of unclarity, or it's unclear about who actually is the final authority on some of these questions. We're going to poke a bit more on that later, I hope.
With respect to these privacy breaches, the CRA says that these are a result of external breaches. There was no compromise to the CRA's systems as a result of these 31,000 cases. Is that...?
Commissioner of Revenue, Canada Revenue Agency
Yes, certainly the vast majority of cases arose from external sources. I don't think any of the 31,000 came from ours, but I'll ask my colleagues about that.
To your previous question, I derive my powers from the minister. She can delegate them to me. I'm sure you know how that works.
I don't know, Marc, whether you want to add to that.
Marc Lemieux Assistant Commissioner, Collections and Verification Branch, Canada Revenue Agency
For the identity theft cases that we're working on, we've been working on these cases since the summer of 2020, when they actually happened. We've been contacting the taxpayers, making sure that we were talking to the right person, and doing an inquiry to figure out what happened. We took all the actions to—
Conservative
Adam Chambers Conservative Simcoe North, ON
I'm sorry, but I'm just going to cut in, because it's a fair bit of time. The IRS has some fairly onerous protocols in place that would prevent payments to people who live on “Tomato Street” or what have you. Why is it that we seem to have taken this position? Have we not learned from COVID that the “pay now, audit later” function really hasn't worked out that well for taxpayers?
Commissioner of Revenue, Canada Revenue Agency
I think what you're raising is actually a very good question. I can say, from talking to my colleagues internationally, including in the IRS, that this is an issue that all tax jurisdictions are facing. As we move into a more digital world, we can do things faster. That's good for service, but we also have to make sure that we have proper risk containment measures in place to prevent bad things from happening.
You can't go to one extreme or the other. If we stopped everything and reviewed every transaction, then things would stop, but we also can't let them go through, clearly. I would argue that it's not clear to me that the IRS or anyone else has a better system for trying to strike that balance.
Conservative
Adam Chambers Conservative Simcoe North, ON
Is there an acceptable level of fraud that you think...? If you pay out—I don't know, insert a number—$100 billion or $60 billion in payments to Canadians, is there a level at which you say, “Do you know what? Speed is important,” so if it's 1%, it's not a big deal?
Commissioner of Revenue, Canada Revenue Agency
I don't have a number for that.
Commissioner of Revenue, Canada Revenue Agency
In a sense, in concept, what you're saying is correct. You have to be able to risk-manage and think about what is an acceptable level, so that you strike that balance between service and scrutiny.
Conservative
Adam Chambers Conservative Simcoe North, ON
In my remaining time, I have a few follow-up questions that are reasonably detailed with respect to the memo from before, so we'll ask for that. I'll provide those to the clerk. I hope we can maybe follow up in writing with some specific answers on what we've spoken about today.
Finally, why, in 2019, would the department be totally fine with telling the public about the largest single corporate tax writeoff of $133 million but today, now, try to hide behind section 241 with the largest corporate write-off?
Commissioner of Revenue, Canada Revenue Agency
Yes, and maybe I will turn to my colleague, Marc Lemieux, for that. I don't have a particular memory of 2019.
Assistant Commissioner, Collections and Verification Branch, Canada Revenue Agency
I was not there in 2019, so I can't respond to that question, but we had that question this year. We validated, and we can't divulge that information.
Conservative
The Chair Conservative John Brassard
Maybe you can circle back on that later, Mr. Chambers.
Ms. Khalid, you have six minutes. Go ahead.
Liberal
Iqra Khalid Liberal Mississauga—Erin Mills, ON
Thank you very much, Chair.
Thank you to our officials for being here today. I really appreciate it.
I'll start with something that came up in questioning in the previous round with respect to the Privacy Commissioner and your interaction with the Privacy Commissioner. Obviously, we're dealing with significant amounts of data and many privacy concerns for Canadians. You have over 31 million clients, as you would call them, within the CRA, and 60,000 employees. What is your interaction like with the Privacy Commissioner? How often do you communicate with them, with their office, and what are the concerns that you raise with them?
Commissioner of Revenue, Canada Revenue Agency
I'll start, but maybe my colleague Sophie can elaborate, because she's the one who has the closest relationship with that group.
I would describe our relationship as quite good, just for the reasons you've described. We're a big organization with potential risks, and we're very open with them, notwithstanding the delay that we talked about earlier of the 30,000. Not only do we endeavour to report to them completely and transparently—and we are all caught up on that backlog now—but we have regular interactions, and, in some cases, we will even give them an early heads-up if we see something coming. You'll hear from the Privacy Commissioner, and he may have a different take on it, but I don't think so.
Sophie, I don't know if there's anything you want to highlight.
Sophie Galarneau Assistant Commissioner, Public Affairs Branch and Chief Privacy Officer, Canada Revenue Agency
I'll just add that what the commissioner just said is absolutely quite right. We do have a very good collaborative relationship with the Privacy Commissioner, and we're in full respect of regulations and obligations with regard to our reporting obligations.
Within seven days of a material breach being confirmed, we provide those privacy breach reports, and we've been in discussion with them on this 31,000 workload. We were in close discussion with them to determine the best ways to report them after they requested that from us in their February 2024 report. Again, we are now in compliance with that requirement.
Liberal
Iqra Khalid Liberal Mississauga—Erin Mills, ON
This breach happened multiple years ago. How do you interact on a regular basis? Is it just on an issue-by-issue basis, or do you have a regular framework as to how you communicate and work with the Privacy Commissioner's office?
Assistant Commissioner, Public Affairs Branch and Chief Privacy Officer, Canada Revenue Agency
I would say that it is on a case-by-case basis, and it's when it's required. That said, when we do have cases that arise that we think are significant, even before we're able to confirm, we will give them a call to give them an early heads-up. Certainly I've always found that the lines of communication there are well established and productive.
Liberal
Iqra Khalid Liberal Mississauga—Erin Mills, ON
Thank you. I appreciate it.
Commissioner Hamilton, you mentioned earlier a criminal investigations unit within the CRA. Can you elaborate on that, please?
Commissioner of Revenue, Canada Revenue Agency
The criminal investigations unit would be involved in things like identity theft, potentially, and other fraud cases, but they also investigate tax evasion more generally, so we have our own set of investigators who can take on criminal cases and, as I mentioned, where appropriate, refer them to law enforcement and others. We talked about the Panama papers earlier. That would be the group that gets involved and pushes forward if there's a criminal activity.
Harry, do you want to add anything to that?
Harry Gill Assistant Commissioner, Security Branch and Agency Security Officer, Canada Revenue Agency
I would add that our criminal investigations section within the CRA investigates cases of tax fraud, GST fraud and legislation that we enforce. It is our link with the RCMP.
The question came up earlier about the RCMP. Our first step is to refer it to them. At that point, our team does its internal processes and makes the decision as to whether it goes to the RCMP. Those details are closely guarded, for obvious reasons, as you would understand, to not compromise any investigations.
We typically don't get feedback on the civil side of things, which is the side I work on. We wouldn't normally get feedback, even from within our criminal investigations function within the CRA, about the progress of a file if it's been referred to the RCMP and that kind of thing. Those details are quite closely guarded.