Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada

DEC 23 2015

Marie-Claude Juneau
Director, Access to Information and Privacy Directorate
Canada Revenue Agency
5th Floor, 555 Mackenzie Avenue
Ottawa, Ontario K1A 0L5

PIA 000973

Dear Ms. Juneau:

Re: Enhanced Financial Account Information Reporting

This letter responds to the Privacy Impact Assessment (PIA) for the Canada Revenue Agency (CRA) Enhanced Financial Account Information Reporting initiative. We received the PIA on August 28, 2015. This letter outlines our comments and recommendations on the privacy risks of the above-noted initiative.

PIA SUMMARY

The United States Foreign Account Tax Compliance Act (FATCA) was implemented in 2010 to identify U.S. persons who may be evading U.S. income tax by using financial accounts outside the U.S. Under FATCA, Canadian financial institutions (FIs) that fail to report to the U.S. Internal Revenue Service (IRS) on financial accounts held by individuals identified as U.S. persons face a 30 per cent withholding tax on U.S. source payments. For purposes of FATCA, a U.S. person is defined as a citizen or resident of the U.S. This includes individuals who may reside in Canada, but who spend a significant amount of time in the U.S.

The U.S. developed model Intergovernmental Agreements (IGAs) in which partner countries agree to impose FATCA reporting requirements on their own FIs and exchange information directly between government institutions. Canada signed an IGA with the U.S. which came into effect on July 1, 2014. Under this agreement, the CRA and the IRS will collect reports on financial accounts related to persons from the other country from their domestic FIs, and will share this information annually. The PIA describes the CRA Enhanced Financial Account Information Reporting program, which has been developed to facilitate the IGA.
According to the PIA, the CRA anticipates that FATCA reporting requirements will affect approximately 1,000 FIs, and will result in 30,000 to 90,000 reports to the CRA. These reports in turn will be passed on to the IRS. In Canada, FIs will use existing web-based tax reporting systems to provide the required information to the CRA.

30, rue Victoria, 1er étage / 30 Victoria Street, 1st Floor, Gatineau (Québec) K1A 1H3
Sans frais / Toll free 1-800-282-1376
Tel: 819-994-5444
Fax: 819-994-5424

Our Office has met with the CRA on a number of occasions (December 2012, August 2013, and January 2014) to discuss this initiative. We have noted risks to privacy associated with the potential over-collection of personal information and unauthorized access to personal information, and have highlighted the need for appropriate technological safeguards for the systems used to administer FATCA reporting, both domestically and internationally. We have also recommended safeguards with regard to accuracy, such as encouraging FIs to provide a means for clients to provide information directly by self-identifying as U.S. persons.

PRIVACY RISKS

Risks noted during our review of the PIA have been assessed against the Privacy Act, the 10 fair information principles of the Canadian Standards Association Model Code for the Protection of Personal Information (the Model Code), Treasury Board Secretariat (TBS) policies, directives and guidelines, and internationally recognized best practices. Our comments and recommendations on these risks are below.

Limiting Collection and Disclosure

Under section 4 of the Privacy Act, institutions must not collect personal information unless it relates directly to an operating program or activity of that institution. In previous correspondence with the CRA, our Office has noted a potential risk of over-collection when FIs provide personal information to government authorities, particularly when monetary penalties are at play.
A 2009 OPC audit of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) found that FIs sent FINTRAC personal information that it did not need or use and that it had no legislative authority to receive. In our letter of recommendation for the CRA PIA on receipt of international electronic funds transfer (EFT) information, we noted that there is a risk of over-collection in receiving information related to EFTs from a variety of FIs, which may have different understandings of what information should be reported. While FATCA sets a minimum $50,000 reporting threshold, the PIA acknowledges the risk, which has been noted in similar programs, that FIs may provide information for accounts that do not meet this threshold. Engaging in outreach and education activities with FIs to ensure that reporting requirements are understood and consistently applied may assist in mitigating the risk of over-collection.

Recommendation: In order to mitigate risks of over-collection, the CRA should engage in ongoing outreach activities with FIs to help ensure that FATCA requirements are consistently and accurately interpreted. The CRA should immediately dispose of any personal information that it receives which is not necessary to the administration of the IGA.

Limiting Use, Disclosure, and Retention

The PIA references both a 10-year retention period for personal information collected by the CRA from the IRS and an 11-year retention period for personal information provided by the CRA to the IRS. However, the published retention period for individual returns is seven years. The PIA does not provide justification for the extended retention period for financial information collected for FATCA compliance, nor does it indicate why the retention period differs between countries.
Extended retention periods enhance the risk of a breach and should be justified.

Recommendation: The CRA should re-evaluate and provide justification for the retention of personal information obtained under the FATCA IGA. If the retention period is not justified, it should be adjusted accordingly to the minimum period of time necessary.

The PIA indicates that secondary uses of personal information collected by the CRA from the IRS will be described in future PIAs. In order to assess the risks associated with the collection and use of personal information, this PIA should include a complete list of all proposed uses and disclosures contemplated for information received as a result of FATCA compliance measures. Each use and/or disclosure should be justified as necessary. Section 7 of the Privacy Act notes that personal information should only be used for the purpose for which it was obtained or for a use consistent with that purpose.

Recommendation: The CRA should update the PIA to reflect all proposed uses and disclosures of personal information collected under FATCA compliance measures. In accordance with the Privacy Act, personal information collected under the FATCA IGA should only be used for purposes consistent with the purpose for which it was obtained.

Safeguards

The CRA will use the Shared Services Canada (SSC) International Data Exchange Service (IDES) to transfer personal information to the IRS. The PIA states that a Threat and Risk Assessment (TRA) for CRA use of the IDES was to be completed by the end of September 2015. The PIA should be updated to reflect the outcome of that process, and should include a description of identified privacy risks and corresponding mitigation measures.

Recommendation: The CRA should update the PIA to include a summary of the TRA undertaken for its use of IDES. Any risk mitigation measures identified as part of that process should be addressed in an action plan, with specific dates for implementation.
CONCLUSION

We thank the CRA for this PIA submission and the consultations undertaken with our Office regarding this initiative. We ask that you provide a response to this letter by March 1, 2016. We would appreciate receiving an executive summary that clearly indicates whether the CRA agrees with our recommendations, and the actions that may be taken to implement them.

If you have any questions or need further information with respect to this letter, please do not hesitate to contact Lacey Batalov, Senior Privacy Analyst, at (819) 994-6168.

Sincerely,

Steven Morgan, P. Eng.
Director General
Audit Review Branch

cc: Lia Jackson, Senior Planning Officer, CRA