Canada Emergency Response Benefit - Privacy Impact Assessment Summary

Horizontal Integration Directorate
Assessment, Benefit, and Service Branch
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency / Employment and Social Development Canada

Government officials responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assistant Commissioner
Assessment, Benefit, and Service Branch
Canada Revenue Agency

Cliff Groen
Senior Assistant Deputy Minister
Benefits and Integrated Services Branch
Employment and Social Development Canada

Heads of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate
Canada Revenue Agency

Scott MacKay
Director
Privacy Management Division, Corporate Services Branch
Employment and Social Development Canada

Name of program or activity of the government institution

For CRA:
Benefits Program
For ESDC:
Benefits Program

Standard or institution specific class of record:

CRA: Canada Emergency Response Benefit (CERB), CRA ABSB 649
ESDC: A new Class of Record has not been drafted.

Standard or institution specific personal information bank:

CRA: Canada Emergency Response Benefit (CERB), CRA PPU 640
ESDC: The relevant PIB, Employment Insurance Claim Files, ESDC PPU 151 has not been updated.

Legal authority for program or activity

The following represents the authorities for Employment and Social Development Canada (ESDC):

• The Minister of Employment and Social Development is responsible and accountable for the administration and enforcement of the Canada Emergency Response Benefit Act.

• Department of Employment and Social Development Act (DESDA), section 11: “The Minister may authorize the Minister of Labour, the Commission or any other person or body, or member of a class of persons or bodies, to exercise any power or perform any duty or function of the Minister”. Note: This gives the Minister of ESDC authority to delegate persons or organizations to exercise Ministerial authorities and to make decisions that would otherwise be conferred to only the Minister. The authority to administer sections 4, 5, 9, 10, 12 and 13 including making payments and handling personal information is issued to CRA by Delegation instrument [Letter of Authorization].

The following represents the authority for the Canada Revenue Agency (CRA) to administer these benefits on behalf of Employment and Social Development Canada (ESDC):

• Canada Revenue Agency Act, section 61 authorizes the Canada Revenue Agency (CRA) to enter into contracts, agreements or other arrangements with governments, public or private organizations and agencies or any person in the name of Her Majesty in right of Canada or in its own name. Note: This gives the Minister of CRA authority to enter into agreements to administer programs on behalf of other government or private sector organizations.
  
• Delegation instrument [Letter of Authorization] issued pursuant to section 11 of the Department of Employment and Social Development Act to the Canada Revenue Agency in respect of section 4, 5, 9, 10, 12 and 13 of the Canada Emergency Response Benefit Act, signed on April 3, 2020, authorizes CRA to collect personal information and administer CERBA on behalf of ESDC.

• Income Tax Act: Subparagraph 241(4)(d)(vii.6): Authorizes an official of the CRA to provide taxpayer information to an official solely for the purposes of the administration and enforcement of the Canada Emergency Response Benefit Act or the evaluation or formulation of policy for that Act.

Summary of the project / initiative / change

Overview of the Program or Activity

On March 25, 2020, the government passed legislation (Bill C-13 An Act respecting certain measures in response to COVID-19) to support workers and established the Canada Emergency Response Benefit (CERB). This benefit provides $2,000 every four weeks, for up to 16 weeks, for workers whose income was affected as a result of the COVID-19 pandemic. (Note: At the time of writing the privacy impact assessment, the benefit was extended by 12 weeks for a total of 28 weeks).

The benefit is available to workers who:

• reside in Canada and are at least 15 years old
• have had their work affected because of reasons related to COVID-19
• are eligible for Employment Insurance, regular or sickness benefits or have exhausted their Employment Insurance regular benefits or Employment Insurance fishing benefits between December 29, 2019 and October 3, 2020
• had employment and/or self-employment income of at least $5,000 in 2019 or in the 12 months prior to the date of their application
• have not quit their job voluntarily.

Workers are ineligible if they: earned more than $1,000 in employment and/or self-employment income:

• for 14 or more consecutive days
• within the first four-week benefit period claimed or
• for the entire four-week benefit period of subsequent claims.

Application for the CERB began April 6, 2020 and the program required Canadians to attest that they meet the eligibility requirements. There is a requirement to re-attest for every four week period to reconfirm their eligibility. Canadians can select one of three channels to apply for the benefit:

1. The CRA MyAccount secure portal
2. A toll-free number equipped with an automated application process or,
3. The individual enquiries toll-free number if they are unable to use the other services.

The CRA is administering this benefit on behalf of Employment and Social Development Canada (ESDC) and is using existing taxpayer information for verification of eligibility and compliance and enforcement purposes.

Scope of the Privacy Impact Assessment

Phase I concerns the administration of the CERB only and is considered in scope for this PIA. Under Phase I, ESDC has delegated its powers described under CERBA, sections 4, 5, 9 and 10, to the CRA.

Post verification, compliance and enforcement activities will be undertaken in Phase 2 to ensure eligible applicants received the appropriate benefits and any overpayments are collected accordingly, as anticipated in the MOU between ESDC and the CRA. Under Phase 2, ESDC has delegated its powers described under CERBA sections 12 and 13 to the CRA and are out of scope for this PIA. An update to, or future PIAs will address Phase 2 compliance and enforcement activities.

Risk identification and categorization

A) Type of program or activity

Administration of Program / Activity and Services

Level of risk to privacy: 2

Details: Personal information will be used by ESDC and the CRA to administer the Canada Emergency Response Benefit. Phase 1, the administration of the benefit (CERBA, sections 4, 5, 9, and 10), is within scope. Phase 2, compliance and enforcement activities (CERBA, sections 12 and 13), are out of scope for this PIA.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information, and/or the context surrounding the personal information, is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information may include: name, contact information, Social Insurance Number, tax identification number (i.e., Temporary Tax Number (TTN), Individual Tax Number (ITN), date of birth, date of death, incarceration status, mailing address, income, the attestation for eligibility, and direct deposit information.

The TTN and ITN are identifiers used by CRA to permit tax filings by individuals that are residents but do not have a SIN, for example:

• TTN: Is provided to taxpayers who reside in Canada and are required to file taxes but cannot obtain a SIN. Some individuals with TTNs may be eligible for CERB

• ITN: Is provided to taxpayers who are non-residents or international students and are required to file taxes but cannot obtain a SIN. Some individuals with ITNs may be eligible for CERB.

To further determine eligibility, the CRA T1 IDENT system will also be cross-referenced (for data matching) with the following information to determine eligibility:

• Date of Birth: This will prevent applications for individuals under 15 years of age from being processed

• Date of Death: This will stop the application from proceeding

• Applicant’s incarceration status will stop the application from proceeding.
  • Federal inmates: data received from Correctional Service Canada (CSC) for federal incarceration as per MOU between CRA and CSC and
  • Provincial inmates: a list of public addresses of provincial institutions for provincially incarcerated individuals.
  • Both federal and provincial inmates are not eligible for CERB and will be informed that they may not apply for the CERB because of their incarceration status.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details: Under Phase I, (CERBA sections 4, 5, 9, and 10), the CRA is administering the CERB benefit on behalf of ESDC.

D) Duration of the program or activity

Short–term program

Level of risk to privacy: 2

Details: This is a short-term, emergency program to help Canadians facing hardship as a result of the COVID-19 pandemic. At this time, no worker is permitted to file an application after December 2, 2020, however, enforcement activities associated with the benefit (including audits and/or recovery of erroneous or overpayments) could last a few years.

Note: enforcement activity will be subject to its own PIA or an update to this PIA. For this PIA, Phase 2 activities of enforcement and compliance (CERBA, sections 12 and 13) are out of scope.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The program affects workers who apply for the CERB.

F) Technology & privacy

    1.  Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

    2.  Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

    3. The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.). It also involves easy pass technology in the form of "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: As this benefit is available to Canadian residents only, taxpayers are required to provide the 9 digits of their Social Insurance Number (SIN), or where the individual does not have a SIN their Temporary Tax Number (TTN), or Individual Tax Number (ITN) which will be matched to the information the CRA has on file in the T1 Identification system. The system will also verify incarceration status and age (minimum eligibility is 15 years) to restrict these applicants from being eligible for the benefit.

Note: ESDC EI ERB can only process emergency benefits for individuals who have a SIN. In the data exchange between CRA and ESDC, ESDC does not receive the ITN or TTN. These identifiers are unique to the CRA T1 IDENT system. ESDC receives only the SIN data of applicants that have applied for emergency benefits through CRA.

Incarcerated Status: The system contains the status of federal incarcerated individuals. This information is provided to CRA by CSC via an established MOU on a monthly basis. The system also contains public addresses of provincial institutions. Applications submitted by incarcerated individuals are flagged by the system. Flagged incarcerated individuals are not eligible for benefits and therefore the application is rejected.

Individuals using the CRA My Account service, will also be able to update other identification information including mailing address and direct deposit information as per normal processes (nothing has changed in those processes).

ESDC will provide a daily file containing only the Social Insurance Numbers (SIN) of EI clients (maternity, parental) and EI ERB clients (regular, sickness) to the CRA for the purpose of validating that CRA CERB clients have not already registered for EI maternity/parental benefits with ESDC or for the ESDC EI ERB payment. CRA will then provide a weekly file containing CERB client information including the SIN, the type of benefit (stream), and the applicable 4-week payment period(s) to ESDC. ESDC will determine whether to issue an advance payment of $2,000 to EI ERB clients.

Out-of-scope: Post-assessment activities under Phase 2 of this program will include verification and enforcement activities (out of scope for this PIA) which will see the CRA use other personal information such as income to verify program eligibility.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: Personal information related to the CERB application is submitted electronically using My Account by the individual to the CRA using wireless or non-wireless technology. Personal information is also submitted via an automated telephone service by the individual to the CRA using a land based phone line or cellular data. This Protected B information is then stored in various CRA systems and databases, which have access to other systems and in limited circumstances can be transferred to a departmentally-approved and secure portable device such as a secure USB key with higher level of encryption (for example authorized disclosure to law enforcement).

Applicant’s SIN information is pulled from the CRA’s mainframe system and sent to ESDC using existing secure channel: file transfer protocol (FTP), secured with Entrust encryption software.

The data exchange mechanism (secure FTP) between ESDC and the CRA and supported by Shared Services Canada, has existed for over a decade and remains the same for this initiative.

H) Risk impact to the individual or employee

Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual.

In early August, the Government of Canada took action to stop credential stuffing attacks against the Government of Canada Branded Credential Service (“GCKey”) and the CRA’s My Account for individuals.

The CRA continues to monitor for suspicious activities resulting from the credential stuffing attacks. Safeguards have been placed on affected accounts. The CRA has also put measures in place to identify high risk accounts in order to prevent potentially suspicious CERB applications from being made. All valid CERB payments will continue to be issued.

The My Service Canada Account uses GCKey as one of the options to sign in. Previously, individuals could access their CRA My Account via a link from their My Service Canada Account. This link was disabled in response.

The CRA is cooperating with the RCMP in their investigation into the credential stuffing attacks. The CRA also continues to work with government counterparts, including the Canadian Centre for Cyber Security and the Treasury Board of Canada Secretariat, to respond to the credential stuffing attacks.

The Office of the Privacy Commissioner was informed of the cyber incidents. The Privacy Commissioner has commenced investigations.

More details on mitigation measures can be found in the Authentication and Credential Management privacy impact assessment.