Business Intelligence & Compliance Risk Assessment v2.0

Compliance Programs Branch
Compliance Services Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Kevin Stackhouse
Director General, Compliance Services Directorate
Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Reporting Compliance

Standard or institution specific class of record:

International and Large Business and Offshore and Aggressive Tax Planning Income Tax Audits and Examination Class of record (CRA CPB 415)

Small and Medium Enterprises Income Tax Audit Class of Record (CRA CPB 452)

Scientific Research and Experimental Development Class of Record (CRA CPB 155)

Goods and Services Tax/Harmonized Sales Tax (GST/HST) Audit Class of Record (CRA CPB 476)

Standard or institution specific personal information bank:

International and Large Business Income Tax Audit and Examination
Bank Number: CRA PPU 035
TBS Registration: 002016

Small and Medium Enterprises
Bank Number: CRA PPU 421
TBS Registration: 20140083

Scientific Research and Experimental Development
Bank Number: CRA PPU 441
TBS Registration: 20140076

GST / HST Audit and Examination
Bank Number: CRA PPU 430
TBS Registration: 20160020

Legal authority for program or activity

Canada Revenue Agency Act
Income Tax Act
Excise Tax Act
Excise Act 2001

Summary of the project, initiative or change

Overview of the Program or Activity

The evolving international economy, increased business integration across borders, electronic commerce and changing demographics are examples of the many factors that present compliance challenges to the Canada Revenue Agency (CRA). The Compliance Programs Branch has defined as one of its priorities the strengthening of research, risk assessment, and workload development activities by identifying, addressing, and deterring non-compliance in priority areas. The CRA’s risk assessment systems and procedures enable the Agency to target compliance and enforcement activities toward the areas of highest risk and to shift resources to these areas.

This privacy impact assessment will support ongoing privacy awareness and compliance for the Business Intelligence and Compliance Risk Assessment activities of the Compliance Programs Branch and should be read along with the CPB PIAs related to the Core Responsibility – Reporting Compliance function of the Agency.

In line with the laws administered by the CRA, the Agency’s Business Intelligence and Compliance Risk Assessment approach uses a balanced approach to verification and enforcement activities including associated client assistance and service aimed at ensuring compliance with revenue laws.

This approach serves to identify the most serious cases of non-compliance, take appropriate corrective measures, and generally deter non-compliance. It also seeks to reinforce compliant behavior through risk assessment, service and education. It is designed to increase compliance, address tax evasion, ensure fairness in the self-assessment systems, maintain the integrity of the tax system, ensure a level playing field for our client base, and promote the exchange of information among treaty partners as well as avoid double taxation of foreign-earned income.

The program achieves this by gleaning knowledge and insight from the data available to the Agency. This approach, referred to as Business Intelligence, is an integrated, highly strategic tool for management that supports every day decisions on how to operate the business and to better achieve corporate objectives.

Specifically, Business Intelligence refers to processes, technologies, tools and analytical methods needed to turn data into information, information into knowledge, and knowledge into plans that drive program activities and actions. Business Intelligence encompasses data warehousing, analytics tools, content management and the statistical techniques and methods to extract and synthesize this newly created intelligence. This intelligence is used to detect patterns and trends, and to support forecasting, provide program areas with better insight into complex questions and support better informed strategic responses and decisions.

To support this approach, the Agency has established an electronic data environment specifically designed to support Business Intelligence activities. This environment includes the data in the source systems, numerous data marts, external data sources and the related software/hardware infrastructure.

This Privacy Impact Assessment focuses on the Business Intelligence and Data Division business intelligence and compliance risk assessment systems that support the reporting compliance programs in order to achieve higher value compliance outcomes.

Excluded from the scope of this Privacy Impact Assessment are the established Compliance Programs Branch programs and their dedicated risk assessment compliance activities such as audit, non-filers and investigations that conduct the detailed review of approved leads and non-compliant cases. The consequences of these administrative decisions are the object of Compliance Programs Branch programs’ individual Privacy Impact Assessments. 

What’s New

No new substantive changes, only minor housekeeping changes and system improvements.

Next 15 project

The Next 15 project will modernize the Compliance Programs Branch risk assessment infrastructure and enhance third-party data horizontal risk assessment capabilities and develop a feedback loop to facilitate data-driven decision-making . This project will be replacing two legacy risk assessment systems, which will improve the speed to develop and implement algorithms; These systems will enhance third party data integration and optimization for risk assessment.

Map of Taxpayer Historical Entity Relationships (MOTHER) project

The MOTHER project involves the development of IT services needed to support audit operations in the resolution, risk profiling, workload selection and work management functions for Economic Entities. Economic Entities are the identifiable groups resolved from an analysis of the Small and Medium Enterprises Directorate audit population. This population includes all Canadian business taxpayers and related individuals, trusts and partnerships. The project will onboard with existing workload selection tools for the development of risk issues and identification of audits. Current work management tools will be enhanced to support the group case audit process.  

Scope of the Privacy Impact Assessment

The scope of this Privacy Impact Assessment is limited to the systems under the administration and use of Business Intelligence and Data Division. The Economic Entity workload is excluded from the scope of this Privacy Impact Assessment and is covered under the Small and Medium Enterprises Directorate Privacy Impact Assessment.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

Personal information provided to the CRA in the context of business intelligence and compliance risk assessment activities is used to identify and assess risks of non-compliance. To do so, risk assessment models are developed and applied using a variety of different personal data elements. Models are created using techniques such as analytical algorithms and statistical models that generate risk scores that predict the risk of non-compliance. The cases resulting from this activity, if any, are turned over to the Compliance Program Branch’s program areas for processing. All cases go through a further screening process to determine if a taxpayer requires compliance action.

The cases handled by the Compliance Programs Branch’s programs may result in administrative consequences that lead to a compliance action (audit, letters, monitoring, etc.). This may result in additional excise taxes, other levies, GST/HST, or air travelers’ security charges owing, and possibly civil penalties. Compliance actions can also result in leads being generated for other taxpayers and registrants which in turn could result in those taxpayers and registrants facing compliance action.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details:

Most of the personal information used in the context of compliance risk assessment would fit into category 3 since it is sensitive information relating to an individual’s tombstone data (i.e., social insurance number, date of birth, address, etc.), assets, financial transactions, property, etc.

Some of this personal information, however, could fall under category 4 on the basis that it could qualify as a suspicion about the individual’s non-compliance.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details:

The personal information used to assess compliance risk originates primarily from the taxpayers themselves through the returns they file with the Agency.  Other information may originate from the taxpayer’s representatives, or from informants (that is, all external informant lead information is contained in the national Leads system).

Personal information may also be collected from other participating federal institutions, provincial / territorial entities, international organizations and foreign governments, and private service providers.

This exchange of personal information may be the result of national programs (federal / provincial / territorial), international agreements, Memorandum of Understanding, Written Collaborative Arrangements , investigations, and contractual arrangements.

To note that, in the context of this Privacy Impact Assessment, the focus being the Business Intelligence and Data Division’s activities, no sharing of personal information takes place between the Business Intelligence and Data Division and these sources. This is the responsibility of each Compliance Programs Branch program as part of their audit practices.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

The Business Intelligence and Compliance Risk Assessment activities play an important role in achieving the Agency`s mandate. It is not foreseen that they will be discontinued in the near future.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

In order to assess compliance risk and ultimately identify non-compliant individuals, the process requires that, at the onset, all available taxpayer personal information be run through the predictive models built into an IT application.

Consequently, at the onset, all taxpayers are part of this population. However, the results of this process will identify only a fraction of this population as possibly non-compliant. The results will be made available to the Compliance Programs Branch programs through CRA applications. Following this screening process, a more limited group of taxpayers will be selected by these Compliance Programs Branch programs under which this non-compliance falls.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

   Risk to privacy: Yes

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

   Risk to privacy: Yes

3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

   Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

   Risk to privacy: No

   Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

   Risk to privacy: No

   Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

   Risk to privacy: Yes

G) Personal information transmission

The personal information is transferred to a portable device or is printed. 

Level of risk to privacy: 3

Details:

The compliance risk assessment process uses applications that are interconnected. The risks are mitigated through the application of protocols specific to each application thus minimising human intervention. 

As a rule, the personal information can be viewed by staff members with the proper access rights. This role, assigned to each position, limits the access rights of the position`s incumbent to the least possible amount and nature of personal information required to perform the assigned duties.

All standard Government of Canada and Canada Revenue Agency security measures are also enforced in the matter of physical security. Which includes, the secure transport, transmission, storage and destruction of information such as, computing devices and removeable media.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

In the event of a privacy breach, an individual may become a victim of identity theft, and this information may be used without this person’s knowledge or consent in ways that could result in a financial or reputational loss to that person, such as the misuse of credit card information, debts being incurred on his/her behalf, etc.