The big thing today is online security, or cyber security, and you need to know whether or not your data online with Canada Revenue Agency (CRA). For the most part it is, but there is always a chance. Just remember that the hackers aren’t someone sitting in their mom’s basement in their underwear hacking away on their laptops. It’s criminal organizations as well as government organizations, such as Russia’s FSB or China’s MSS, that are doing the hacking in what’s called ‘hacking farms’ that are the real problem. So, how is CRA taking care of your data?
The Canada Revenue Agency (CRA) takes the security of all taxpayer information very seriously. The CRA keeps a close watch on internal processes to prevent unlawful attempts to obtain tax information and to make sure that taxpayers’ rights are protected.
For the security of taxpayer information, the following policies and procedures are in place:
- Personnel screening – All prospective CRA employees are screened for security before employment.
- Employee awareness of their responsibilities – New employees are trained on their security obligations and security awareness information is regularly communicated to all employees. All CRA employees are subject to strict standards of conduct as defined in the CRA's Code of Ethics and Conduct.
- All taxpayer information is protected – Taxpayer information must be kept physically secure. Employees may not send taxpayer information by email or leave voice messages containing taxpayer information. Employees have to make sure information is shared only with the taxpayer concerned or with a third party only after the taxpayer has given written consent, except where the disclosure is authorized by law.
- Security markings on forms and documents – All CRA forms and documents containing taxpayer information are marked Protected. These markings help CRA employees make sure sensitive information is handled securely.
- Access to taxpayer information is on a need-to-know basis – CRA employees, such as taxpayer services personnel, auditors, investigators, and those handling income tax files, have only the levels of access to taxpayer information required to do their jobs.
- Regular risk assessment – The CRA performs regular risk assessments and internal audits to ensure its internal processes are secure.
- Suspected breaches of confidentiality of taxpayer information – If a taxpayer tells the CRA about a suspected breach of confidentiality of his or her personal information, the Agency can protect that taxpayer's account by disabling all online access whether it is My Account for Individuals, My Business Account, Represent a Client, NETFILE, or EFILE. Online access can later be restored at the taxpayer's request by calling the e-Services Helpdesk at 1-800-959-8281.
- Investigating possible breaches – CRA officers immediately and thoroughly investigate any security breach or allegation of unauthorized access or disclosure of taxpayer information. Any employee found to have acted inappropriately is subject to disciplinary action, up to and including the end of employment. Potential criminal acts are referred to the RCMP for investigation.
The CRA’s legal obligation to safeguard the confidentiality and integrity of taxpayer information for which the CRA is responsible is stated in the following legislation:
Under the Income Tax Act, the Excise Tax Act, and the Excise Act, 2001, an employee may disclose taxpayer or confidential information to the person about whom the information relates. However, no employee can give that information to a third party without the written consent of the taxpayer, except where authorized by law to do so. Similarly, both the Privacy Act and the Access to Information Act do not allow the disclosure of personal information, except under circumstances as stated in the legislation.
The CRA's controls to protect information from external threats
Protecting the Canada Revenue Agency's (CRA) integrity includes ensuring that we have the proper systems and technologies in place to safeguard the sensitive information that we hold from external threats.
The CRA adheres to the Policy on Government Security and direction provided by lead security agencies like the Communications Security Establishment Canada (CSEC) and Public Safety Canada (PSC). Additionally, the CRA publishes, promotes and monitors its own security policies that guide and support the CRA's culture of integrity.
The CRA's team of highly qualified information technology professionals works in conjunction with other departments such as Shared Services Canada and the Treasury Board Secretariat to identify and mitigate cyber threats and risks to privacy and the security of the data we hold. The CRA follows a continuous improvement security program where the effectiveness of the security tools are continuously evaluated and improved.
As part of our commitment to continual improvement and as a result of the CRA's experience in addressing vulnerabilities to caused by the Heartbleed bug, our security controls and policies are being reinforced and updated to ensure that this or similar types of incidents do not re-occur. The CRA is working closely with Shared Services Canada and the Treasury Board Secretariat to ensure our response to security threats and software vulnerabilities is timely. In addition, more monitoring has been put in place to identify potential vulnerabilities in our environment. With these enhancements the CRA is able to respond even more swiftly in the unlikely event of another incident.
A layered approach to security
As threats to security can occur prior to, during, or after the receipt of electronic data, the CRA employs a layered approach to security.
All communications and transactions with the CRA are protected and are conducted on secure platforms. As phishing scams become more frequent, the CRA is proactive in warning the public about fraudulent communications claiming to be from the CRA.
External services are protected by firewalls and intrusion prevention tools to detect and prevent unauthorized access to CRA systems and block malware. During online transactions we ensure that all sensitive information is encrypted —or scrambled—when it is transmitted between your computer and our Web servers. Controls in place to protect our data from external threats include network and host security systems like corporate firewalls, anti-virus software, intrusion detection and prevention measures, and identity and access management controls.
CRA employees must use approved levels of encryption on all removable devices (such as USB storage media) and when transmitting private information externally to authorized recipients. Personal storage devices are not authorized to be connected to the Agency's network and are not permitted on CRA equipment.
Network components such as servers and routers are stored in secured and locked rooms or cabinets, accessible only to authorized personnel. Agency networks and workstations are equipped with malware and virus detection and removal software which are updated daily and protect the CRA environment from increasing threat of malicious code and viruses. At the CRA employee level, computers are secured with a suite of security products ranging from anti-virus software to host intrusion software. Malicious or potentially malicious internet sites, email (e.g. spam) and email attachments are blocked to ensure the CRA's environment remains secure. All software used by the CRA undergoes a rigorous certification process which must meet our strict standards for security.
For more information about the controls in place at the CRA to protect data from external threats, go to Access online services safely.
Internal controls to ensure privacy and security
The Canada Revenue Agency (CRA) is proud of its reputation as a leading-edge organization committed to excellence in administering Canada's tax system. However, inappropriate or fraudulent activity can occur in the workplace. The CRA has incorporated a broad array of checks and balances to ensure that those who access your information are strictly limited to employees required to do so as part of their job, and to detect misconduct in the rare instances when it occurs.
Monitoring of employees' access to taxpayer information is centralized, ensuring an independent process that enables the CRA to detect and address any suspect transactions in our systems. This provides assurance that authorized users are accessing only the applications and data they are allowed to access based on our business rules
The CRA's Internal Fraud Control Program uses a strategic approach to managing the risk of internal fraud by preventing fraud where possible, detecting fraud when it occurs, and fostering a heightened level of deterrence in the CRA. The program is an important component of the CRA's Integrity Framework and contributes to the range of compliance-based activities that detect and deter fraudulent and unethical behaviour.
The CRA has also strengthened its internal audit processes for small and medium-sized enterprises by creating, in 2013, Business Intelligence and Quality Assurance units. This measure further strengthens the integrity of the CRA's internal processes by segregating the duties of auditors during the audit process to ensure strong independent oversight and review of actions taken on a file, and quality control of the files audited. No one auditor can carry an audit file from start to finish. Similar processes are already in place for audit processes pertaining to large corporations.
In addition to the current personnel screening for appropriate security clearance, additional verifications are also conducted for individuals who hold or apply for positions that require a high degree of public trust.
As you can see CRA is doing everything it can to ensure the safety of your data online, and that only yourself, or those you authorize, have access to that information. While nothing can be 100% secure online, it’s good to know our government agency that controls our tax information is doing everything it can to protect that data.