Business Refund Set-off Program

Privacy Impact Assessment (PIA) summary – Business Returns Directorate, Assessment, Benefit, and Service Branch.

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Business Returns and Payment Processing

Description of the class of record and personal information bank

Standard or institution specific class of record:
Corporate returns and payment processing programs (CRA ABSB 225)
Specialty Business Returns (CRA ABSB 228)
Administration of GST/HST Returns and Rebates (CRA ABSB 246)

Standard or institution specific personal information bank:
Corporate Returns and Payment Processing (CRA PPU 047)
Specialty Business Returns (CRA PPU 224)
GST/HST Returns and Rebates Processing (CRA PPU 241)

Legal authority for program or activity

The authority to set-off an income tax refund is contained in subsection 164(2) of the Income Tax Act, and subsection 155(1) of the Financial Administration Act for GST/HST and other levies. Subsection 241(4) of the ITA and Subparagraph 295(5)(d)(vi) permits the set-off of refunds to other federal departments without compromising confidentiality legislation.

Summary of the project / initiative / change

The Business Refund Set-off (BRSO) Program allows the CRA to set-off corporation income tax refunds, goods and services tax/harmonized sales tax (GST/HST) refunds, and specialty business return refunds to other federal government departments (OFGDs), Crown Corporations (CCs), and provincial and territorial departments that participate in the Business Refund Set-off Program. In order to participate under the BRSO program OFGDs, CCs, provincial and territorial departments must enter into an official arrangement with the CRA. The official arrangement takes form of a Memorandum of Understanding (MOU) and sets out the conditions and procedures under which refunds from business tax accounts will be set-off and the exchange of information for the purposes of set-off. Once an MOU is signed the OFGDs, CCs, or provincial and territorial departments become a participant under the BRSO program and can request a business refund set-off.

Before setting off any refunds of a business against debts owed to a participant under the BRSO program, the CRA satisfies debts the business has incurred with the CRA and ensures that the business filing status is up to date with the various acts it administers.

In order to make a business refund set-off request, the participant must first have made a reasonable attempt to locate and communicate with the debtor to provide notice of the debt, in order to collect payment of the debt in full or to establish a repayment schedule, to ensure the debt is not under dispute or subject of an appeal, or any other dispute mechanism or statute-barred prior to making the request to CRA, as per the Treasury Board of Canada Secretariat’s Directive on Receivables Management, and the Guideline on Collection of Receivables.

To initiate a business refund set-off request, the participant is required to complete and submit the followings forms to the CRA:

• Business Accounting Programs Division Refund Set-off Application Form
• Business Accounting Programs Division Declaration Form

The participant submits the forms to CRA via the BRSO mail box. The information that is shared under these forms by the participant to the CRA is limited to sufficient information to identify the client and to process the set-off request. The Annex E of the MOU prescribed the information to be released to the CRA. The prescribed information to be release to CRA are the debtor`s name, the BN number if available, complete debtor address, the gross amount of crown debt, contact name and telephone number, debtor accounts/invoice number and if additional information is required to identify the debtor, the incorporation certificate number, alternate or previous addresses, other information that identifies the debtor, any additional information from public records can be provided. On reception of the forms, the CRA compares the name and address of the business provided by the participant with the information in the CRA mainframe to determine if there is a match. If the CRA is unable to identify the business, they will ask the participant for additional information as per Annex E that may allow the CRA to make a match. If no match is found, no amounts will be set off to that participant for that business and the participant will be informed. If a match is found, the CRA will hold any of the business’s refunds that may become available for set off.

When a match has been identified under the Business Number (BN) system, the CRA issues an initial notification letter to the business. The letter explains that the CRA may set off their corporation income tax refunds, goods and services tax/harmonized sales tax (GST/HST) refunds, and specialty business return refund, to pay their outstanding debt with the requestor of the set-off.

Participant under the program are also required to send a similar letter to their clients. Participant must advise the CRA immediately if the set off is fully satisfied, or if the debt has increased or decreased, or if other arrangements between the participant and the business have been made subsequent to the sending of its request for set off.

When a refund becomes available and if the business has filed all its returns and has no balance outstanding, the CRA will process the set off and issue a notification letter to advise the client of the amount that has been set off to the participant who request the set-off

Risk identification and categorization

A) Type of program or activity

Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.)

Level of risk to privacy: 2

Details: The set-off affects the administration of program payments but not the calculation of those payments; just the issuance of them. Whatever business refunds are available to be disbursed to the business from the CRA may be redirected to an OFGD or CC provincial and territorial departments.

B) Type of personal information involved and context

 Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The BRSO program relies on the BRSO Database to administer its program. In order to request a set-off, the OFGD, CC or provincial and territorial departments, has to submit to CRA a Refund Set-off Application Form and a Declaration form. The Refund Set-off Application provides the information in order to identify the debtor’s account(s) and to place an inhibit on the debtor’s account(s). The Declaration form is a type of affidavit confirming that the OFGD, CC or provincial and territorial departments, has complied with the requirements to request a set-off. The information provided in the Refund Set-off Application Form are the prescribed information as indicated in annexe E of the MOUs and are the following:

• Name of the debtor
• Complete debtor address
• Gross amount crown debt ($1,000 or more)
• Contact name and telephone number
• OFGD or CC client account invoice number (for Ontario accounts, the account invoice number is the same as the certificate number which enables CRA to determine an exact match)
• The BN if available
• Description of crown debt
• However, if the CRA is having difficulty finding a match in their system, CRA may request the following additional information:
• Incorporation certificate number
• Alternate or previous address
• Other information that identifies the debtors (For example, trading name, a business number or a social insurance number if available)
• Any additional information from public records such as the official bankruptcy records.

Whether or not a match is found, both form are saved in the refund-set-off folder under CRA’s G drive. The information used to update the BRSO Database are the debtor’s name, the amount of the set-off, the BN number, the name of the participant who requested the set-off and their disbursement instructions. The information collected is solely use for the purposes of setting off a debt against a business refund amount. The BRSO program does not collect SIN information.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details: The CRA will only accept OFGDs, CCs or provincial and territorial departments as participants in its business refund set off program; provincial governments have expressed an interest. Currently no provincial governments are participating in the program.

The CRA is only collecting information to identify the business with outstanding debt to OFGDs or CCs and if applicable informing the OFGD or CC a match has been found and a Disbursement Inhibit was set on the debtor`s business account(s). When a refundable credit amount is identified, the funds are directed to OFGDs or CCs. The CRA is not sharing any other information for this program.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: This program will continue indefinitely.

E) Program population

 The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The Business Refund Set-off Program is an initiative of the Canada Revenue Agency (CRA) under which federal, provincial and territorial departments may request the set-off of a refund of a business against an amount owed by the business to Canada or a province. The BRSO program administers the set-off in respect of corporate income tax (T2), GST/HST (RT), and Other Levies which includes, excise taxes non GST/HST accounts (RE, RN), excise duty (RD), air travellers security charge (RG) and softwood lumber products export charge (SL).

A set-off involves redirecting a refund due to the business to another government department in accordance with legislation administered by the CRA. Legislation also permits disclosure of information for the purpose of setting off a debt due to Canada or a province. Any federal, provincial or territorial department, agency or Crown Corporation may participate in the program, subject to requirements and obligations stipulated in a written agreement.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The CRA will use the information provided by the OFGD or CC to determine the business debtor’s account(s) that may have refund available to be set off. CRA agents will search the CRA mainframe systems to identify the debtor’s business. They will compare the name of debtor, the debtor’s address, telephone number(s), and invoice number with the CRA mainframe records to identify the business account in question.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details: The correspondence received from the OFGDs and CCs is received by email. All of the information received from OFGD’s and CCs and the information sent back to them from the CRA is stored in a CRA database and on a CRA drive by Business Number (the G: drive). A file is opened for every account that a match is identified for. In this file, the pdfs of the application/declaration forms received from the OGD are saved. The emails are saved in the following Outlook mailbox: ABSB/DGSCP-BRD/DDE-BUSINESS SETOFF/COMPENSATION ENTREPRISE under the tracking number. The mailbox, database, and G: drive access is limited to the CRA employees with a work related need (certain agents in the Shawinigan Tax Centre and Headquarters).

H) Risk impact to the individual or employee

Details: Since we generally do not ask for and rarely receive the client’s BN or SIN the risk is somewhat reduced. However, if the business’s name, address, contact information, and the amount owing to another department is lost or stolen, the impact on the business could include identity theft and possibly embarrassment to the business if the amount owing was revealed.

I) Risk impact to the institution

Details: If the information is lost by the CRA or stolen from the CRA, it would create embarrassment for the CRA. It could result in loss of the public’s confidence in the CRA to protect their business’s personal information which could result in reduced compliance.