Business Number & Program Account Registration - Privacy impact assessment summary

Business Returns Directorate
Assessment, Benefit, and Service Branch
Canada Revenue Agency

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Tax Services and Processing

Description of the class of record and personal information bank

Standard or institution specific class of record:
Business Number and Program Account Registration CRA ABSB 227

Standard or institution specific personal information bank:
Business Number and Program Account Registration CRA PPU 223

Legal authority for program or activity

Personal information is collected under the authority of Section 221 of the Income Tax Act and Part IX of the Excise Tax Act, and under section 5 of the Canada Revenue Agency Act, which allows us to administer the Business Number (BN) on behalf of partners.

Paragraphs 241(4)(l) of the Income Tax Act and 295(5)(j) of the Excise Tax Act enable the CRA to disclose the BN and the related business identification information to a government entity provided that:

Summary of the project / initiative / change

Overview of the program or activity

The business number (BN) and program account registration program provides and administers business numbers for GST/HST and other levies, payroll accounts, corporate income tax accounts, import-export accounts, children’s special allowance, air travelers security charge, insurance premiums accounts, registered charities accounts, return and schedule information developer accounts, information returns accounts, excise and other levies accounts. Records created by the program include those required for the creation and administration of BNs and to maintain a uniform numbering system for businesses (and individuals involved in business programs) which enables the CRA to administer, under the approved authority, the Income Tax Act (ITA), Excise Act, Excise Act 2001, Excise Tax Act (ETA), Softwood Lumber Products Export Charge Act, Children's Special Allowance Act, Customs Act, Employment Insurance Act and Canada Pension Plan and Canada Revenue Agency Act.

The BN provides a single, simplified registration process for business clients, by providing each legal entity with a single registration number for participating programs.

The BN system stores information pertaining to businesses and is used by other CRA programs, as well as other federal and provincial government departments as a central source to retrieve that data.

The CRA gives taxpayers the accurate and timely information they need to comply with Canada's tax laws and modernizes its services, including expanding its digital services, making it easier for taxpayers to meet their tax obligations.

The Assessment, Benefit & Services Branch is responsible for the management of the BN information collected by the CRA.

The BN was first introduced in 1994 by the CRA to identify its core business programs, including Corporation Tax, GST and HST, and Payroll.

Federal restrictions on the use of the BN limited its broader use as the common identifier for all businesses in Canada. Consequently, legislative changes to the ITA and ETA rules governing the BN were made with a view to facilitating expanded use of the BN by the provinces and other levels of government.

Since its initial implementation as a tax program identifier, the service has evolved to include five federal programs, six provinces, and one municipality that have adopted the BN to provide integrated registration, reduce administrative burden on businesses, and uniquely identify businesses within their regulatory environments.

What’s new

As of May 2019, the BN Program will begin collecting users' internet protocol (IP) addresses. Capturing the IP address will add another way in which relationships between clients and accounts can be tracked, and we will be able to use the information for risk assessment purposes to better prevent registration fraud. There is no need for this information to be stored in such a way that BN field users will be able to view it, though it will still be available for searches and queries from CRA headquarters employees.

This information will need to be available to the Aggressive GST/HST Planning and available for queries by BN headquarters employees. This information will also be retrievable by other applications and systems via Enterprise JavaBeans, mainframe server calls, and the Business Registration Decision Support query database.

Scope of the privacy impact assessment

In-scope: This privacy impact assessment (PIA) examines the initial collection, internal use and disclosures of personal information by the CRA with respect to the BN and other program accounts. The PIA will focus on mapping the business process and basic data flows in order to identify privacy issues arising from the CRA’s use, and the sharing of related personal information to the provinces and federal departments.

Out of scope: As part of broader efforts to improve service to business, Industry Canada was mandated to strengthen the use of the BN across the federal government.  The Government of Canada (GoC) BN Adoption initiative has been under the guidance of the interdepartmental Deputy Minister’s Service and Federating Identity Committee, the goal of which is to improve and provide greater digital self-service to citizens and businesses. The vision of the federal government is to make the BN the common business identifier throughout government, with the goals of improving services to business and standardization of data collection and sharing.

This PIA does not examine the privacy impacts relating to the activities associated with the GoC BN Adoption. A PIA (2017) was prepared to address privacy impacts relating to the disclosure of personal information to the adopting federal, provincial and territorial government departments as the BN common identifier for business via the Web Validation service.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: Personal information is used to provide and maintain a uniform numbering system for businesses.

Businesses that need to deal with federal, provincial, and municipal governments in Canada need to register for a BN and program accounts. Each sole proprietor, partnership, corporation, trust, or other ownership type, will be assigned one BN when they register for a program account. 

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details: Personal information related to the BN and program account registration and administration may include: name, contact information, social insurance number (only for sole proprietor business type), BN and other program account numbers, financial information, IP addresses and signature. 

C) Program or activity partners and private sector involvement

With other or a combination of federal/ provincial and/or municipal government(s) 

Level of risk to privacy: 3

Details: A BN allows the CRA to identify a specific business (or other organization such as a charity) for tax matters related to business in Canada. A BN also lets businesses and other organizations simplify their dealings with each other, and comply with Canada’s tax laws.

The BN provides a single, simplified registration process for business clients, simplifies client transactions by providing each legal entity with a single registration number for participating programs, and reduces government administrative costs by identifying each legal entity with a single registration number.

Information may be shared with other federal and provincial government institutions in accordance with income tax and excise legislation and the Canada Revenue Agency Act.

Both federal and provincial institutions wishing to use the BN are required to agree and sign a memorandum of understanding which describes all restrictions on the use of information.

Each federal and provincial/territorial partner is required to treat all BN information in accordance with the Treasury Board Policy on Government Security (PGS) and other applicable policies. All BN information disclosed is released, transmitted, handled, used, stored, destroyed and safeguarded in accordance with the PGS. In addition, each partner is prohibited from further disclosing the BN information disclosed to them, unless such disclosure is specifically authorized under the Income Tax Act or the Excise Tax Act.

Each provincial/territorial participant is required to treat all BN information viewed in accordance with the clauses contained within their memorandum of understanding (MOU).

At this time, five federal institutions have signed a MOU with the CRA:  

At this time, six provinces have signed a MOU with the CRA:

D) Duration of the program or activity: 

Long-term program

Level of risk to privacy: 3

Details: The use of the BN is a long-term program that has no clear sunset date.   

E) Program population

The program affects certain individuals for external administrative purposes.  

Level of risk to privacy: 3

Details: The BN involves personal information related to identifiable individuals associated with the business and is intended for business programs.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Details: N/A

Does the new or modified program or activity require any modifications to IT legacy systems and/or services? 

Risk to privacy: No

Details: N/A

The new or modified program or activity involves the implementation of one or more of the following technologies: 

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The BN Application contains various validation processes designed to ensure data integrity. The BN and Client Other Party applications contain common operations to validate data before placing or updating the data on the database. These validations include application business rules, validations against the corporate code table repositories, internal partner validations (e.g. city index, represent a client, program account information system) and third party validations such as data request for address integrity. All the data validation operations are documented in the application specifications approved by business.

Match/compare BN activities of personal information include:  

Some of the elements used in search/match are:

Furthermore, there are various extracts to other systems where some are used for analytics, pattern behaviours, etc. for the purposes of the BN programs’ reporting and analysis.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details: At the center of the BN system is the mainframe application, used by the Client Services Representatives for client registration. Enterprise JavaBean (EJB) components enable web services and CRA web applications to communicate with the BN Mainframe. These EJBs are also accessed by graphical user interface applications used by internal CRA partners such as other levies system and taxpayer services agent desktop - business window.

The client can create and update their BN information in CRA directly on the internet via Business Registration Online and My Business Account. The GST/HST registry web application offers information on businesses allowed to charge GST.

The CRA is partnered with various federal and provincial departments for the exchange of client information. Therefore, a client’s BN information in CRA can also be updated when certain data in an external partner’s system is modified. The external partner can send the data to CRA’s BN mainframe using either a web, message queue or file transfer protocol service and as a result updates CRA’s BN mainframe in an automated fashion. An external partner employee can search BN information via CRA’s automated provision of information web application. Personal information is shared in accordance with the external partners’ legislation which allows CRA to obtain the information for its programs.

H) Risk impact to the individual or employee

Details: The data being processed is considered to be particularly sensitive (taxpayer data) and is protected by Federal law.  Taxpayer data and user information is permanently stored on the BN mainframe.

The consequences of the data being disclosed to unauthorized individuals would be loss of trust, loss of integrity, legal implications, financial loss, misuse and potential fraud against both the taxpayer and CRA and potentially to external partners.

I) Risk impact to the institution

Details: If the information is accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment and a loss of credibility and of the public’s trust.
