GST/HST Returns and Rebates Processing Program

Privacy Impact Assessment (PIA) summary – Business Returns Directorate, Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Business Returns and Payment Processing

Goods and Services Tax Administration in Quebec

Description of the class of record and personal information bank

Standard or institution specific class of record:
Administration of GST/HST Returns and Rebates Class of Record (CRA ABSB 246) - previously (CRA ABSB 101, CRA ABSB 133, CRA ABSB 134, CRA ABSB 129, CRA ABSB 087)

Standard or institution specific personal information bank:
GST/HST Returns and Rebates Processing - Personal Information Bank (CRA PPU 241)

Legal authority for program or activity

Summary of the project / initiative / change

The scope of this privacy impact assessment covers the workload within the Business Returns Directorate for GST/HST tax returns, rebate applications and various elections that are filed by businesses, third parties and individuals.  It pertains to the GST/HST collected and submitted by businesses and third parties as well as GST/HST paid by individuals and businesses where a rebate is applicable.  It also covers various elections that can be made by businesses to amend certain aspects of their GST/HST account; for example, the change of a filing frequency.  This privacy impact assessment does not include the GST/HST credit program which is available to individuals based on income thresholds and is issued every three months; this program is administered by the Benefit Programs Directorate. 

The GST/HST Returns and Rebates Process Division (GRRPD) provides the central management framework  for planning, processing, monitoring and reporting on the annual program activities in six tax centres (TCs). This functional support role includes, but is not limited to, providing operational procedures, field communications, financial and budget oversight, quality assurance and program monitoring.  The division is also involved in the analysis, design, development, and delivery of projects, and technological innovations including new and/or improved electronic services for GST/HST Returns and Rebates.

GRRPD works regularly with Revenu Québec, other areas of the CRA to ensure consistent GST/HST returns and rebates program delivery for all Canadians, including applicable GST/HST elections.

GRRPD is responsible for providing policy development; program enhancements; system specifications; and functional direction, monitoring, and guidance to the field in relation to the processing and validation of all GST/HST returns, rebates and elections.

Recent changes to the program include:

  1. The administration of the Prince Edward Island harmonized sales tax.  As with several other provinces, PEI reached an agreement with the Government of Canada to harmonize its provincial sales tax with the GST effective April 1st, 2013.  The CRA administers all aspects of the PEI HST which includes the processing of HST returns, rebates and elections.
  2. The administration of the GST and the Québec Sales Tax (QST) for selected listed financial institutions that have a permanent establishment in Québec as well as those that have a permanent establishment outside Québec, but do business in Québec.  CRA began to administer the GST and QST effective January 1st, 2013.
  3. Effective April 13, 2015, a change to the program will include the collection and storage of the Internet Protocol (IP) address for use in the Compliance Programs Branch.

When a GST return is filed via the CRA’s GST/HST internet filing services the IP Address is currently not being captured as part of the returns data being sent to the mainframe GST/HST Returns Processing System. We are modifying our processing systems to capture and store the IP address used to file an electronic GST/HST return. The IP address will be used to support:

Automated processes in the detection of suspicious internet-based returns by determining the country and province from where the return was net filed. Businesses who file returns from an IP address originating in an area not synchronous with their business address may be subject to further risk assessment processes.

Manual look up and storing of the IP address by an auditor to determine whether a taxpayer selected for audit is operating more than one business on the identified IP Address.  Additional businesses using the same IP address will be reviewed in conjunction with other information available internally to identify possible non-compliance with the ETA and other acts administered by the CRA. Audits may be conducted if warranted. Where the IP address is reviewed by the auditor this information will become a part of the audit file. 

Risk identification and categorization

A) Type of program or activity

Administration of Programs, Activities and Services 

Level of risk to privacy: 2

Details: The personal information collected is used mainly for the administration of the GST/HST program (e.g. identification purposes, processing returns, rebates, and elections, collecting revenue, issuing payments, and providing support to clients) in order to determine the correct amount of GST/HST owing on the account and to prevent the issuance of unwarranted refunds and rebates.

However, the personal information is also used by the Compliance Branch under its Reporting Compliance Program for enforcement purposes such as detecting fraud or investigating possible abuses within the program. The consequences can include audits which may result in additional GST/HST owing by a registrant, and possibly civil penalties.  All GST/HST returns and rebates may be subject to Audit selection criteria.

In addition, some cases may ultimately be referred to the Criminal Investigations Division for criminal prosecution. BRD will refer fraud cases on an exceptional basis.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The GST/HST program relies on information collected under the authority of the ETA to assess files (returns, rebate claims, and elections). Personal information collected from taxpayers includes details such as name, contact information, financial information and signature.

The GST/HST program does not collect SIN information on any returns or elections and most rebate forms, with the exception of two. For the following two rebate claims, the SIN is used to properly identify the claimant to ensure eligibility for the rebate:

The GST/HST program also collects financial information to complete requests for direct deposit of approved refund/rebate amounts. Direct deposit of credits owed is a service offered to clients.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations of foreign governments

Level of risk to privacy: 4

Details: In accordance with the ETA, information may be collected from and shared with participating provincial partners and other federal institutions. For example, the Department of Foreign Affairs, Trade and Development Canada (DFATD) provides monthly arrival/departure reports which lists the name, diplomat number, date of entry/exit, and country.  We need this information to determine eligibility of GST/HST Rebate Applications for Foreign Representatives, Diplomatic Missions, Consular Posts, International Organizations, or Visiting Forces Units.  For example, we need the date of entry/exit in the event the applicant submits a claim outside the eligibility period.  We also require the country as the reciprocal agreement varies, depending on the country. They also validate/verify addresses and spouse/dependants.  If a client has a problem with their assessment, they often contact DFATD as an intermediary between themselves and CRA.

Private sector involvement includes external third parties that may be used to identify or clarify missing information on GST/HST rebate applications. For example, a builder who credits a rebate amount to the home purchaser (claimant) at the time of purchase may be contacted to clarify details on the application that is subsequently submitted.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: GST was established in 1991. The GST/HST program is an existing long-term program with no anticipated sunset date. Although certain return, rebate, or election types processed by CRA may be transitional in nature with an established sunset date, the program as a whole is long-term.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The GST/HST program affects businesses and individuals, both registrants and non-registrants, who have filed a return, rebate, or election related to the GST/HST program.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to a legacy IT legacy systems and/or services?

Risk to privacy: Yes

Details: The GST/HST filing system will be modified to allow the collection and storage of the IP address when a tax return is filed via the CRA’s GST/HST internet filing services.

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: The GST/HST Returns and Rebates Processing Program will not use enhanced identification methods.   However, the GST/HST Audit and Examination program may use such methods.  The IP address will be collected when GST/HST returns are filed electronically.  This will be used by the GST/HST Audit and Examination program to determine the geolocation of the computer, with varying degrees of accuracy. Depending on the lookup tool used, this could include country, region/state, city, latitude/longitude, telephone area code and a location-specific map.

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on individuals associated with filing a return, rebate, or election related to the GST/HST program.

However, as part of CRA’s security program CRA employees that will have access to personal taxpayer information will be monitored by the use of the Online Audit Tracking System (OATS). OATS records information, such as user logon ID, date and time of logon, logout, user location, terminal identity, name and ID of client records accessed, including edits or changes made during each user session, etc.

The information is used to verify that only an authorized user accesses personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse.  The information is retained for a period of two years.

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to CRA networks is monitored and that access is on a need-to-know basis.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: GST/HST rebates processing does undergo an automated matching process via the rebate Claimant Selection List. This list is maintained in the mainframe rebates system to identify possible discrepancies or abuses within the program by matching BN, SIN, name, or postal code information.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: Information received from taxpayers via hard copies is keyed directly into our mainframe system. Electronically filed returns, rebates and elections involve an Internet connection and information is transferred to our mainframe via a secure connection. Within the mainframe, there is an exchange of information between systems (e.g. BN, SA, Audit). Headquarters staff have access to the mainframe on laptops encrypted with Secure Remote Access (SRA), as well as more limited access to information on smart phones with SRA.

H) Risk impact to the individual or employee

Financial harm

Level of risk to privacy: 3

Details: There could be a significant risk of financial harm to the individual should there be a breach of personal information.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility

Level of risk to privacy: 4

Details: Protecting privacy and confidentiality are paramount to the CRA administration of the GST/HST programs. A breach on either side - either the tax filers’ personal information or certain aspects of the program’s business rules and operating procedure - could negatively affect the Agency’s strategic outcome to ensure taxpayers meet their obligations and Canada’s revenue base is protected.  Negative media attention and decreased public confidence can influence compliance behaviour.

Page details

Date modified: