Business Intelligence & Compliance Risk Assessment

Privacy Impact Assessment (PIA) summary - Business Intelligence and Corporate Management Directorate, International, Large Business and Investigations Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Ted Gallivan
Assistant Commissioner, International, Large Business and Investigations Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Reporting Compliance – Goods and Services Tax/Harmonized Sales Tax, International and Large Business, and Small and Medium Enterprises, Scientific Research and Experimental Development

Description of the class of record and personal information bank

Standard or institution specific class of record:

Standard or institution specific personal information bank:

Legal authority for program or activity

Summary of the project / initiative / change

The evolving international economy, increased business integration across borders, electronic commerce and changing demographics are examples of the many factors that present compliance challenges to the Canada Revenue Agency (CRA). The International, Large Business and Investigations Branch (ILBIB) and the Domestic Compliance Programs Branch (DCPB) have defined as one of their priorities the strengthening of research, risk assessment, and workload development activities by identifying, addressing, and deterring non-compliance in priority areas. The CRA’s risk assessment systems and procedures enable the Agency to target compliance and enforcement activities toward the areas of highest risk and to shift resources to these areas.

This privacy impact assessment (PIA) will support ongoing privacy awareness and compliance for the Business Intelligence and Compliance Risk Assessment activities of the ILBIB and DCPB and should be read along with other completed PIAs related to the Reporting Compliance function of the Agency.

In line with the laws administered by the Agency, the Agency’s Business Intelligence and Compliance Risk Assessment approach consists of a balanced approach to verification and enforcement activities, including associated client assistance and service, aimed at ensuring compliance with revenue laws.

This approach serves to identify the most serious cases of non-compliance, take appropriate corrective measures, and generally deter non-compliance. It also seeks to reinforce compliant behavior through risk assessment, service and education. It is designed to increase compliance, address tax evasion, ensure fairness in the self-assessment systems, maintain the integrity of the tax system, ensure a level playing field for our client base, and promote the exchange of information among treaty partners as well as avoid double taxation of foreign-earned income.

The Program achieves this by gleaning knowledge and insight from the data available to the Agency. This approach, referred to as Business Intelligence (BI), is an integrated, highly strategic tool for Management that supports everyday decisions on how to operate the business and better achieve corporate objectives.

Specifically, Business Intelligence refers to processes, technologies, tools and analytical methods needed to turn data into information, information into knowledge, and knowledge into plans that drive program activities and actions. BI encompasses data warehousing, analytics tools, content management and the statistical techniques and methods to extract and synthesize this newly created intelligence. This intelligence is used to detect patterns and trends, and to support forecasting, provide program areas with better insight into complex questions and support better informed strategic responses and decisions.

To support this approach, the Agency has established an electronic data environment specifically designed to support Business Intelligence activities. This environment includes the data in the source systems, the Agency Data Warehouse (ADW), numerous data marts, external data sources and the related software/hardware infrastructure.

This PIA focuses on the business intelligence and compliance risk assessment activities carried out on behalf of the reporting compliance programs in order to achieve higher value compliance outcomes.
Excluded from the scope of this PIA are the established ILBIB and DCPB programs and their dedicated activities such as audit, non-filers and investigations that conduct the detailed review of approved leads and non-compliant cases. These ILBIB and DCPB programs are the object of individual PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: Personal information provided to the CRA in the context of business intelligence and compliance risk assessment activities is used to identify and assess risks of non-compliance. To do so, risk assessment models are developed and applied using a variety of different personal data elements. Models are created using techniques such as analytical algorithms and statistical models that generate risk scores that predict the risk of non-compliance. The cases resulting from this activity, if any, are turned over to ILBIB and DCPB’s program areas for processing. All cases go through a further screening process to determine if a taxpayer requires compliance action.

The cases handled by ILBIB and DCPB’s programs may result in administrative consequences that lead to a compliance action (audit, letters, monitoring, etc.). This may result in additional excise taxes, other levies, GST/HST, or air travelers’ security charges owing, and possibly civil penalties. Compliance actions can also result in leads being generated for other taxpayers and registrants which in turn could result in those taxpayers and registrants facing compliance action.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details: Most of the personal information used in the context of compliance risk assessment would fit into category 3 since it is sensitive information relating to an individual’s tombstone data (i.e., SIN, date of birth, address, etc.), assets, financial transactions, property, etc.

Some of this personal information, however, could qualify as category 4 on the basis that it is a conclusion drawn from the analysis of the individual’s personal information, which could be characterized as a suspicion about the individual’s non-compliance.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: The personal information used to assess compliance risk originates primarily from the taxpayers themselves through the returns they file with the Agency while some of it may originate from the taxpayer’s representatives, or from informants (i.e., all informant (external) lead information is contained in the national Leads system).

Personal information may also be collected from other participating federal institutions, provincial / territorial entities, international organizations and foreign governments, and private service providers.

This exchange of personal information may be the result of national programs (federal / provincial / territorial), international agreements, Memoranda of Understanding (MOUs), Working Collaborative Arrangements (WCAs), investigations, and contractual arrangements.

Note that, since this PIA focuses on the BIRM Division’s activities, no sharing of personal information takes place between the BIRMD and these sources. Such sharing is the responsibility of each ILBIB and DCPB program as part of its audit practices.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The Business Intelligence and Compliance Risk Assessment activities play an important role in achieving the Agency’s mandate. It is not foreseen that they will be discontinued in the near future.

E) Program population

The program affects certain individuals for external administrative purposes

Level of risk to privacy: 3

Details: In order to assess compliance risk and ultimately identify non-compliant individuals, the process requires that, at the onset, all available taxpayer personal information be run through the predictive models built into an IT application.

Consequently, at the onset, all taxpayers are part of this population. However, the results of this process will identify only a fraction of this population as possibly non-compliant. The results will be made available to the ILBIB and DCPB programs through the COMPASS, Risk Profiling Database and CPB QR applications. Following this screening process, a more limited group of taxpayers will be selected by the ILBIB and DCPB program under which the suspected non-compliance falls.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on taxpayers.

However, as part of the CRA security program, CRA employees who will have access to personal information will be monitored by the use of the Online Audit Tracking System (OATS). OATS records information such as user logon ID, date and time of logon and logout, user location, terminal identity, name and ID of client records accessed, including edits or changes made during each user session, etc.

The information is used to verify that only authorized users have accessed personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse.

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to the CRA networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: To conduct the business intelligence and compliance risk assessment activities, personal information undergoes automated matching processes where certain characteristics of the data are matched against the information obtained from income tax filing activities and other sources. The results are given a score and passed on to the specialized ILBIB and DCPB programs for workload selection and processing.

ILBIB and DCPB have also developed and maintain statistical predictive models of risk that are applied to all accounts to give an additional risk score that will be referenced when accounts are screened for potential processing action.

Finally, the Agency makes use of automated personal information analysis, personal information matching and knowledge discovery techniques during the identification of Internet businesses by the Xenon web crawling application and its supporting tools. This usage has been fully documented in the Privacy Impact Assessment titled “Xenon Web Crawling Initiative”. This PIA was completed in 2009 and fully reviewed by the Office of the Privacy Commissioner of Canada.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: The compliance risk assessment process uses applications that are interconnected. The risks are mitigated through the application of protocols specific to each application, thus minimising human intervention.

As a rule, the personal information can be viewed only by staff members with the proper access rights according to the Agency’s Role Based Access Guide (RBAG). The role assigned to each position limits the access rights of the position’s incumbent to the least possible amount and nature of personal information required to perform the assigned duties.
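The OATS audit trail described in section F and the RBAG roles described here are two halves of one control: the log records who touched which client record, and the role map says what each position was entitled to touch. The following Python script is an added example (not CRA code, and not an implementation of OATS or RBAG) showing how a reviewer can run OATS-style access records against a role map and report every access that falls outside the user's assigned role, with each finding tied to a specific logon ID and terminal. The record layout, role names, permissions, logon IDs and sample log lines are all constructed for this example.

```python
"""Audit-trail review against role-based access rights.

Added example: checks OATS-style access records against an RBAG-style
role map and reports every access not covered by the user's role.
Record layout, roles, logon IDs and sample records are all assumptions
made for this example; none of them are the CRA's.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed RBAG-style role definitions: the record types each role may
# reach and the actions it may take on them (least privilege per role).
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "risk-analyst": {"T1-RETURN": {"VIEW"}, "RISK-SCORE": {"VIEW", "EDIT"}},
    "gst-auditor": {"GST-RETURN": {"VIEW", "EDIT"}, "T1-RETURN": {"VIEW"}},
    "helpdesk": {"CONTACT-INFO": {"VIEW", "EDIT"}},
}

# Assumed assignment of logon IDs to roles (one role per position).
USER_ROLES: Dict[str, str] = {
    "u10234": "risk-analyst",
    "u20981": "gst-auditor",
    "u30017": "helpdesk",
}


@dataclass(frozen=True)
class AuditRecord:
    """One access event, mirroring the fields the page says OATS captures."""
    timestamp: str
    user_id: str      # user logon ID
    location: str     # user location
    terminal: str     # terminal identity
    client_id: str    # ID of the client record accessed
    record_type: str  # kind of client record
    action: str       # VIEW or EDIT (edits are what the trail must show)


def parse_oats_line(line: str) -> AuditRecord:
    """Parse one pipe-delimited record in the assumed layout:
    timestamp|user|location|terminal|client|record_type|action."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        raise ValueError(f"malformed audit record: {line!r}")
    return AuditRecord(*fields)


def find_violations(records: List[AuditRecord]) -> List[str]:
    """Return one finding per access the user's role did not permit.

    Each finding names the logon ID, terminal and client record so the
    event can be traced back to a specific individual for follow-up.
    """
    findings: List[str] = []
    for r in records:
        role = USER_ROLES.get(r.user_id)
        if role is None:
            findings.append(
                f"{r.timestamp} {r.user_id} at {r.terminal}/{r.location}: "
                f"no role assigned; {r.action} on {r.record_type} for client {r.client_id}"
            )
            continue
        allowed = ROLE_PERMISSIONS[role].get(r.record_type, set())
        if r.action not in allowed:
            findings.append(
                f"{r.timestamp} {r.user_id} ({role}) at {r.terminal}/{r.location}: "
                f"{r.action} on {r.record_type} for client {r.client_id} not permitted"
            )
    return findings


# Constructed sample log: two permitted accesses, then a help desk user
# viewing a return, an auditor editing a record he may only view, and a
# logon ID with no role at all.
SAMPLE_LOG = """
2024-03-04T09:12:05|u10234|Ottawa|WS-4471|C-000123|T1-RETURN|VIEW
2024-03-04T09:15:40|u10234|Ottawa|WS-4471|C-000123|RISK-SCORE|EDIT
2024-03-04T09:20:11|u30017|Montreal|WS-1102|C-000123|T1-RETURN|VIEW
2024-03-04T10:02:33|u20981|Toronto|WS-7780|C-000987|T1-RETURN|EDIT
2024-03-04T10:45:00|u99999|Ottawa|WS-9001|C-000555|GST-RETURN|VIEW
"""


def review(log_text: str) -> List[str]:
    """Parse a whole log and return its findings."""
    records = [parse_oats_line(l) for l in log_text.splitlines() if l.strip()]
    return find_violations(records)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Running the script prints three findings for the constructed log. The point of the design is that the check is driven by the same role map that grants access in the first place, so a review cannot quietly diverge from the entitlements it is meant to verify; in practice the role map would be exported from the access-control system rather than hard-coded.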

All standard Government of Canada and Canada Revenue Agency security measures are also enforced in the matter of physical security. For instance, in the case of laptops and USB memory keys, their use is defined and applied in accordance with sections 7 and 8 of the Agency’s Finance and Administration Manual. CRA security policies require the encryption of all computer systems, including laptops, desktops and removable media.

H) Risk impact to the individual or employee

Details: In the event of a privacy breach, an individual may become a victim of identity theft, and this information may be used without this person’s knowledge or consent in ways that could result in a financial or reputational loss to that person, such as the misuse of credit card information, debts being incurred on his/her behalf, etc.

I) Risk impact to the institution

Details: Protecting privacy and confidentiality are paramount to the CRA.

At a minimum, publicity about a failure by the Agency to manage sensitive personal information that had been provided voluntarily would likely cause embarrassment to the CRA and have an impact on the overall credibility of the Agency, the Minister and its senior officials.

A breach of tax filers’ personal information could negatively affect the Agency’s strategic outcome to ensure taxpayers meet their obligations and that Canada’s revenue base is protected. Negative media attention and decreased public confidence can influence compliance behaviour.
