Thank you, Mr. Chair.
Good afternoon to all committee members.
My name is Maxime Guénette. I'm assistant commissioner of the public affairs branch and chief privacy officer at the Canada Revenue Agency. With me today is my colleague Gillian Pranke, deputy assistant commissioner of the assessment, benefit and service branch at the CRA.
The CRA is an organization that touches the lives of virtually all Canadians. We're one of the largest holders of personal information at the Government of Canada. We process more than 28 million individual income tax returns annually. It's therefore critical that the CRA has an extensive privacy framework in place to manage and protect personal information for all Canadians.
Integrity in the workplace is the cornerstone of agency culture. The agency supports its people in doing the right thing by providing clear guidelines and tools to ensure privacy, security and the protection of personal information, our programs and our data.
The agency is subject to the Privacy Act and associated Treasury Board policies and directives for the management and protection of Canadians' personal information. Section 241 of the Income Tax Act also imposes confidentiality requirements on its employees and others with access to taxpayer information.
The agency also adheres to the policy on government security and direction provided by lead security agencies like the Communications Security Establishment and the Canadian Centre for Cyber Security.
In April 2013, the agency appointed its first chief privacy officer, who is also responsible for the access to information and privacy functions within the agency.
Part of my role as the chief privacy officer is to ensure that the CRA's respect for the privacy of the information it holds is reinforced and strengthened by overseeing decisions related to privacy, including assessing the privacy impacts of our programs; championing privacy rights within the agency, including managing internal privacy breaches when they occur; and reporting to CRA senior management on the state of privacy management at the agency.
Our responsibility for sound privacy management goes beyond appointing a chief privacy officer, though. It's a responsibility that all employees share.
Protecting the CRA's integrity includes ensuring that we have the proper systems in place to safeguard sensitive information from external threats. Agency networks and workstations are equipped with malware and virus detection and removal software, which is updated daily and protects the CRA environment from the increasing threat of malicious code and viruses.
At the agency employee level, computers are secured with a suite of security products ranging from anti-virus software to host intrusion software.
External services are conducted on secure platforms and protected by firewalls and intrusion prevention tools to detect and prevent unauthorized access to agency systems.
During online transactions we ensure that all sensitive information is encrypted when it is transmitted between a taxpayer's computer and our Web servers. Regardless of how Canadians choose to interact with the agency, they must complete a two-step authentication process before gaining access to their account.
These steps are crucial to making sure that access to personal information is only available to authorized individuals. The process includes validation of a number of personal and confidential data points, including a person's social insurance number, their month and year of birth, and information from the previous year's income tax return.
The CRA will shortly also be implementing a new personal identification number for taxpayers who choose to use it when calling the individual inquiries line. In addition, the CRA is currently examining additional security procedures to safeguard the information of taxpayers. As cybercrime and phishing scams become more sophisticated and commonplace, the CRA is being proactive in warning the public about fraudulent communications claiming to be from the CRA.
One very simple way in which taxpayers can safeguard against fraudulent activity is to sign up for My Account, or for businesses to sign up for My Business Account, so that they can use the CRA's secure portals to access and manage their tax affairs easily and securely. When an individual is signed up for My Account, they can also sign up for online mail in order to receive account alerts informing them of possible scams or other fraudulent activity that may affect them.
CRA is proud of its reputation as a leading-edge organization committed to excellence in administering Canada's tax system. However, inappropriate fraudulent activity can occur in the workplace. CRA has incorporated a broad array of checks and balances to ensure that those who access taxpayer information are strictly limited to employees required to do so as part of their job and to detect misconduct when it does occur.
Monitoring of employees' access to taxpayer information is centralized, ensuring an independent process that enables the agency to detect and, if necessary, address any suspect transactions in our systems. This provides assurance that authorized users are accessing only the applications and data they are allowed to access based on strict business rules.
In 2017 the CRA implemented a new enterprise fraud management solution, which complements existing security controls and further reduces the risk of unauthorized access and privacy breaches. This solution enables proactive monitoring and detection of unauthorized access by CRA employees. Any allegations or suspicions of employee misconduct are taken very seriously and are thoroughly investigated. When wrongdoing or misconduct is founded, appropriate measures are taken, up to and including termination of employment. If criminal activity is suspected, the matter is referred to the proper authorities.
Upon hire, agency employees are required to read and acknowledge the agency's code of integrity and professional conduct and the values and ethics code for the public sector.
The code clearly outlines the expected standard of conduct, including the obligation to protect taxpayer information in accordance with section 241 of the Income Tax Act. Unauthorized access to taxpayer information is considered to be serious misconduct, as reflected in the agency's directive on discipline.
The code ensures that current and former employees are aware that the obligation to protect taxpayer information continues even after they leave the CRA. All employees are asked to review and affirm their obligations under the CRA's code of integrity every year.
In the event a privacy breach does occur, it is assessed in accordance with TBS policy and procedures to document and evaluate all potential risks to the affected individual. In such a case, the CRA offers support to the affected individual through a dedicated agency representative so that the client has the opportunity to ask questions and find information as well as, on a case-by-case basis, get access to free credit protection services.
On the rare occasion when a taxpayer's information is confirmed to have been compromised, the CRA will act to resolve all outstanding issues. This includes reviewing all fraudulent activity that may have occurred in the account, including fraudulent refund payments.
We at the agency are deeply committed to safeguarding the trust Canadians place in our organization, and to meeting their expectations that we have the right checks and balances in place to secure the information entrusted to us. We have worked hard to earn the public's trust, because it is the foundation of our self-assessment tax system.
A good reputation takes years to establish. We safeguard it by remaining vigilant in our efforts to protect taxpayers from security breaches and to protect Canada's tax administration system from misconduct and criminal wrongdoing.
Thank you, Mr. Chairman. I'd be pleased to answer any questions you may have.