Canada Emergency Student Benefit - Privacy impact assessment summary
Horizontal Integration Directorate
Assessment, Benefit, and Service Branch
Canada Revenue Agency
Overview & PIA Initiation
Government institution
Canada Revenue Agency / Employment and Social Development Canada
Government official responsible for the PIA
Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch
Canada Revenue Agency
Atiq Rahman
Assistant Deputy Minister
Learning Branch
Employment and Social Development Canada
Head of the government institution or Delegate for section 10 of the Privacy Act
Steven Morgan
Director General
Access to Information and Privacy Directorate
Canada Revenue Agency
Scott MacKay
Director
Privacy Management Division
Employment and Social Development Canada
Name of program or activity of the government institution
For CRA:
Benefit Program
For ESDC:
Benefits Program
Standard or institution specific class of record:
Canada Emergency Response Benefit (CERB), Canada Emergency Student Benefit (CESB), Canada Recovery Benefit (CRB), Canada Recovery Sickness Benefit (CRSB) and Canada Recovery Caregiving Benefit (CRCB)
CRA ABSB 649
Standard or institution specific personal information bank:
Canada Emergency Student Benefit
CRA PPU 641
Legal authority for program or activity
The following represents the authorities for ESDC:
- Under the Canada Emergency Student Benefit Act, the Minister of ESD is responsible for the administration and enforcement of CESBA.
- Canada Emergency Student Benefit Act, sections 10, 11 for the collection and use of information and documents, including the SIN.
- Department of Employment and Social Development Act (DESDA), section 11: “The Minister may authorize the Minister of Labour, the Commission or any other person or body, or member of a class of persons or bodies, to exercise any power or perform any duty or function of the Minister”. Note: This gives the Minister of ESD authority to delegate persons or organizations to exercise Ministerial authorities and to make decisions that would otherwise be conferred to only the Minister. The authority to administer sections 4, 5, 6, 10-15 including making payments and handling personal information in relation to the administration and enforcement of the Act is issued to CRA officials by Delegation instrument (letter of authorization).
The following represents the authority for the CRA to administer these benefits on behalf of ESDC:
- Canada Revenue Agency Act (CRAA), section 61 authorizes the CRA to enter into contracts, agreements or other arrangements with governments, public or private organizations and agencies or any person in the name of Her Majesty in right of Canada or in its own name. Note: This gives the Minister of CRA authority to enter into agreements to administer programs on behalf of other government or private sector organizations.
- Delegation instrument [Letter of Authorization] issued pursuant to section 11 of the Department of Employment and Social Development Act to the Canada Revenue Agency in respect of the Canada Emergency Student Benefit Act, signed on May 12, 2020.
- Pursuant to section 10 of the CRAA, the CRA is authorized to accept delegation of authority to administer the CESBA on behalf of ESDC.
- Income Tax Act: Subsection 241(5): Authorizes an official of the CRA to provide taxpayer information with the consent of the taxpayer to an official solely for the purposes of the administration and enforcement of the Canada Emergency Student Benefit Act when they apply for the CESB.
Summary of the project / initiative / change
Overview of the Program or Activity
On May 1, 2020, the government passed legislation (Bill C-15 An Act respecting Canada emergency student benefits (coronavirus disease 2019). This enactment authorizes the payment of Canada Emergency Student Benefit (CESB) to students who lost work and income opportunities for reasons related to COVID-19 (coronavirus disease).
The CESB provided emergency financial relief to students and recent graduates who did not qualify for the Canada Emergency Response Benefit or Employment Insurance (EI) benefits and were unable to find work because of COVID-19. The CESB provided financial support for up to four (4) months, from May 2020 to August 2020. Students were able to apply retroactively for this benefit until September 30, 2020.
Eligible students received $1,250 per month, plus an additional $750 per month if they had at least one child under the age of 12 or other dependants, or they had a disability for a maximum of $2,000 per month.
The benefit was available to students who:
- were a Canadian citizen, a registered Indian, a permanent resident or a protected person
- one of the following applied to them:
- were enrolled in a post-secondary program
- had ended post secondary studies in December 2019 or later
- had completed high school or their high school equivalency between January 1, 2020 and June 6, 2020, and the following applied to them:
- high school completion date was prior to the first day of the four-week eligibility period for which they applied
- applied for a post-secondary program that began before February 1, 2021
- had completed or expect to complete high school or their high school equivalency between June 7, 2020 and December 31, 2020, and they had applied for a post-secondary program that began before February 1, 2021
- had not applied for, nor received, the Canada Emergency Response Benefit or Employment Insurance benefits for the same four-week eligibility period
- for reasons related to COVID-19, they were:
- unable to work
- seeking work but unable to find it or
- working but did not expect to earn more than $1,000 during the four-week period for which they applied.
Individuals began submitting CESB applications as of May 15, 2020 and the program required them to attest that they met the eligibility requirements. There was a requirement to re-attest every four weeks to reconfirm their eligibility.
Students could select one of three channels to apply for the benefit:
- The CRA My Account secure portal
- A toll-free number equipped with an automated application process or,
- The individual enquiries toll-free number for assistance if they were unable to use the other services.
The CRA administered this benefit on behalf of Employment and Social Development Canada (ESDC) and used existing taxpayer information for the administration and some pre-payment eligibility verification activities (Phase 1), and for post-payment compliance and enforcement (Phase 2) purposes. Data exchanges of personal information undertaken in Phase I are detailed below (See “Type of Personal Information Involved and Context” section). Phase 2 is out of scope and will be assessed under a separate PIA.
Scope of the Privacy Impact Assessment
Phase I concerns the administration of the benefit only and is considered in scope for this PIA. Post verification, compliance and enforcement activities will be undertaken in Phase 2 to ensure eligible applicants received the benefit and any overpayments are collected accordingly, as described in the MOU between ESDC and the CRA. A new PIA will address Phase 2 compliance and enforcement activities.
For the purpose of the administration of this benefit, the legal opinions, and MOU make the distinction between the collection, use, and disclosure of personal information collected under the authority of CESBA and the collection of taxpayer information under the ITA (i.e. information that was collected for the purposes of administration and enforcement of the ITA).
Risk identification and categorization
A) Type of program or activity
Administration of Programs / Activity and Services
Level of risk to privacy: 2
Details: Personal information was used by ESDC and the CRA to administer the CESB. Phase 1, the administration of the benefit is within scope of this PIA. Phase 2, compliance and enforcement activities are out of scope for this PIA.
B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: Personal information may include: name, contact information, Social Insurance Number or Temporary Tax Number (TTN), date of birth, date of death, income, the attestation for eligibility, direct deposit information, incarceration and mailing address. The TTN is an identifier used by CRA for taxpayers who reside in Canada and are required to file taxes but cannot obtain a SIN. Those with an Individual Tax Number (ITN) (i.e. non-residents, international students) are not eligible for CESB.
Applicants were required to attest that they are either a Canadian citizen, a registered Indian, permanent resident or a protected person, among other eligibility information, and to confirm if they have dependants or a disability, as well as to indicate the period for which they applied.
To further determine eligibility, the CRA T1 IDENT system was cross-referenced (for data matching) with the following information to determine eligibility:
- Date of Birth: To determine the application method, individuals 15 years of age and younger and 45 years of age or older were required to use the Individual Enquiries call centre application method to ensure benefit eligibility.
- Date of Death: This stopped the application from proceeding.
- Applicant’s incarceration status stopped the application from proceeding.
- Federal inmates: data received from Correctional Service Canada (CSC) for federal incarceration as per MOU between CRA and CSC
- Provincial inmates: a list of public addresses of provincial institutions for provincially incarcerated individuals. These individuals are not eligible and were informed that they may not apply for the CESB because of their incarceration status.
C) Program or activity partners and private sector involvement
With other federal institutions
Level of risk to privacy: 2
Details: The CRA administered and enforced the CESB on behalf of ESDC.
Shared Services Canada were supporting the data exchange mechanism (secure FTP) between ESDC and the CRA.
D) Duration of the program or activity
Short–term program
Level of risk to privacy: 2
Details: This was a short-term, emergency program to help students facing hardship as a result of the COVID-19 pandemic from May to August 2020. Students were able to apply retroactively for this benefit until September 30, 2020; however; the enforcement activities (to audit and/or recover erroneous or over payments) could last a few years. Note: For this PIA, Phase 2 enforcement and compliance activities were out of scope and will be assessed in a separate PIA.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: The program affects students who applied for this benefit.
F) Technology & privacy
1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes
3. Does the new or modified program or activity involves the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.). It also involves easy pass technology in the form of "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy: 2
The personal information is transferred to a portable device or is printed.
Level of risk to privacy: 3
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details: Individuals submitted their personal information in their CESB application to the CRA electronically using My Account via wireless or non-wireless technology. Alternatively, they may submit their personal information to the CRA via an automated telephone service using a land-based telephone line or cellular data. This Protected B information is then stored in various CRA systems and databases, which have access to other systems and in limited circumstances can be transferred to a departmentally-approved and secure portable device such as a secure USB key with higher level of encryption (for example, in the event of an authorized disclosure to law enforcement).
Applicant’s SIN, stream and period of payment information were pulled from the CRA’s mainframe system and sent to ESDC using an existing secure channel: file transfer protocol (FTP), secured with Entrust encryption software.
The data exchange mechanism (secure FTP) between ESDC and the CRA, which is supported by Shared Services Canada, has existed for over a decade and remained the same for this initiative.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details: If the personal information is compromised, it has the potential to cause financial harm and/or embarrassment to the affected individual.
In early August, the Government of Canada took action to stop credential stuffing attacks against the Government of Canada Branded Credential Service (“GCKey”) and the CRA’s My Account for individuals.
The CRA continues to monitor for suspicious activities resulting from the credential stuffing attacks. Safeguards have been placed on affected accounts. The CRA has also put measures in place to identify high-risk accounts in order to prevent potentially suspicious CESB applications from being made. All valid CESB payments will continue to be issued.
The My Service Canada Account uses GCKey as one of the options to sign in. Previously, individuals could access their CRA My Account via a link from their My Service Canada Account. This link was disabled in response.
The CRA is cooperating with the RCMP in their investigation into the credential stuffing attacks. The CRA also continues to work with government counterparts, including the Canadian Centre for Cyber Security and the Treasury Board of Canada Secretariat, to respond to the credential stuffing attacks.
The Office of the Privacy Commissioner was informed of the cyber incidents. The Privacy Commissioner has commenced investigations.
More details on mitigation measures can be found in the Authentication and Credential Management privacy impact assessment.
Page details
- Date modified: