FATCA Privacy Impact Assessment

I just found this FATCA Privacy Impact Assessment Summary on the CRA website.

I’m not sure if this Summary of the Privacy Assessment is from the Privacy Commissioner or if it is CRA’s Summary.

It was not on their website when I checked a couple of weeks ago. I talked to someone in Access to Information. Suddenly it appears. Coincidence? Maybe.

Or it may be because of Elizabeth Thompson’s articles.

Or it may be related to the Minister and Privacy Commissioner testifying at the Access to Information, Privacy and Ethics Committee Thursday April 14.


I don’t know what a Level 3 or 4 Level of Risk to Privacy means.

I plan to submit an Access to Information request for the full report.

6 thoughts on “FATCA Privacy Impact Assessment”

  1. Lynne Swanson Post author

    Today I submitted an Access to Information request to both the Privacy Commissioner and to CRA.

    In my ATI Request to the Privacy Commissioner:

    Under the Access to Information Act, I request you provide:

    1. Full and Complete Recommendations made by the Office of the Privacy Commissioner to Canada Revenue Agency (CRA) on Foreign Account Tax Compliance Act (FATCA) and Enhanced Financial Account Information Reporting.

    2. Full and Complete Privacy Impact Assessment submitted by Canada Revenue on Enhanced Reporting for Foreign Account Tax Compliance Act (FATCA) to the Office of the Privacy Commissioner.

    3. Any other reports, recommendations, communications or other information to and from Canada Revenue Agency related to FATCA.

    4. All other reports, submissions, recommendations related to FATCA made to or from the Office of the Privacy Commissioner and other government departments or agencies.

  2. Lynne Swanson Post author

    JC: Sorry I thought I made the link earlier, but I did not. I have now added the link.

    The Summary is pretty bureaucratic but it does not really say much. I really want to know what a Level 3 or 4 risk means. The general information about Privacy Impact Assessments does not provide that information.

    Yes, the U.S. says Green Card holders are U.S. persons subject to FATCA. But Canada says Green Card holders should not tell their banks. I don’t think banks are asking that question. I am aware of a couple who recently returned to Canada from the U.S. who told their bank they had been living in the U.S. There were no questions about a Green Card or FATCA.

    CRA actually gave the banks tons of wiggle room. Most of them chose not to take it. That was the reason I left TD after 33 years.

    I also left my credit union after 14 years. My new credit union has made it clear they are doing “Don’t ask. Don’t tell.” Plus, I am getting absolutely superb customer service there.

    The teller always even asks me if I want a coffee or tea when I’m there (I don’t drink either, so I decline). Whenever I have a friend with me (none of them are members), the staff always offer coffee or tea to my friends.

    However, in reviewing the Fact Sheet, I now think this PIA was done by CRA and not by the Privacy Commissioner.

    There are still recommendations by the Office of the Privacy Commissioner that I will try to get directly from the Commissioner’s Office.

    1. badger

      Found this re PIA levels:

      Section II – Risk Area Identification and Categorization

      The core PIA must include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are to be maintained as the basis for risk analysis.

      The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.

      The initial step of the analysis consists of evaluating each risk area independently. The second step consists of grouping the individual results to determine if a more in-depth analysis is required. The greater the number of risk areas identified as level 3 or 4, the more likely it is that specific risk areas will need to be addressed in a more comprehensive manner.

      a) Type of program or activity (risk scale)
      – Program or activity that does NOT involve a decision about an identifiable individual: 1
      – Administration of program or activity and services: 2
      – Compliance or regulatory investigations and enforcement: 3
      – Criminal investigation and enforcement or national security: 4

      b) Type of personal information involved and context (risk scale)
      – Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program: 1
      – Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source: 2
      – Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual: 3
      – Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive: 4

      c) Program or activity partners and private sector involvement (risk scale)
      – Within the institution (among one or more programs within the same institution): 1
      – With other government institutions: 2
      – With other institutions or a combination of federal, provincial or territorial, and municipal governments: 3
      – Private sector organizations, international organizations or foreign governments: 4

      d) Duration of the program or activity (risk scale)
      – One-time program or activity: 1
      – Short-term program or activity: 2
      – Long-term program or activity: 3

      e) Program population (risk scale)
      – The program’s use of personal information for internal administrative purposes affects certain employees: 1
      – The program’s use of personal information for internal administrative purposes affects all employees: 2
      – The program’s use of personal information for external administrative purposes affects certain individuals: 3
      – The program’s use of personal information for external administrative purposes affects all individuals: 4

      f) Technology and privacy
      – Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?
      – Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

      Specific technological issues and privacy
      – Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
        enhanced identification methods;
        surveillance; or
        automated personal information analysis, personal information matching and knowledge discovery techniques?

      A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

      g) Personal information transmission (risk scale)
      – The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled): 1
      – The personal information is used in a system that has connections to at least one other system: 2
      – The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed: 3
      – The personal information is transmitted using wireless technologies: 4

      h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

      i) Potential risk that in the event of a privacy breach, there will be an impact on the institution.

      Note: For additional guidance on items h) and i), government institutions can refer to the Guidelines for Privacy Breaches.

      In the case of a multi-institutional PIA, each government institution involved is, at a minimum, responsible for completing items b), c), f), g), h) and i), whereas the lead government institution is responsible for completing items a), d) and e).

    2. Lynne Swanson Post author

      Thanks Badger.

      So based on that, the risk to privacy is high. Most of the levels in CRA’s own PIA were 3 or 4.

      It does not get any higher than a 4. Yet CRA and the Con Con and the Lib Cons are quite happy to send the highest level of risk to a foreign government that admits to an “epidemic” of identity theft with far less information than they will get under FATCA.

      How do these people live with themselves?


  3. JC Double Taxed

    Can you post it here? The link to the Privacy Assessment is missing.

    In Australia the CRA equivalent – the ATO – website is disingenuous in regards to ‘all tax treaties prevent double taxation’, with no footnote in regards to the Australia-US tax treaty. And this deception in regards to tax obligations for Australians required by the Australian-US Tax Treaty is a wedge point I hope to drive in Australia. Such as: why does the ATO mislead? The Australian Parliament may have been misled in the adoption of the tax treaty as all good – all double tax prevented.

    I have not contemplated the CRA website except for just now. However, I see this reference to US Citizenship Based Taxation:

    See point 6 under: What the agreement means for individuals with financial accounts in Canada.

    So it appears that the CRA have been “fair dinkum” in regards to the tax obligations, yet in doing so pointing a finger at the US, and not at the tax treaty which, covering all matters taxation between Canada and the US, could have had plus beaucoup exemptions for Canadian residents.

    Also US persons mentioned:

    If you are a green card holder (that is, a lawful permanent resident of the U.S.), the U.S. considers you to be a U.S. resident.

    “However, if you are a resident of Canada for tax purposes and do not hold U.S. citizenship, you should not identify yourself as a U.S. person to your Canadian financial institution.” >> I thought that if you were a Green Card Holder then you should report yourself to your bank as a US person?

    I looked at the tax treaty page, and the CRA uses the more accurate “avoid” double taxation instead of the ATO “prevent” double taxation wording.
