Canada Emergency Student Benefit - Privacy impact assessment summary

Horizontal Integration Directorate
Assessment, Benefit, and Service Branch
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency / Employment and Social Development Canada

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch
Canada Revenue Agency

Atiq Rahman
Assistant Deputy Minister
Learning Branch
Employment and Social Development Canada

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate
Canada Revenue Agency

Scott MacKay
Director
Privacy Management Division
Employment and Social Development Canada

Name of program or activity of the government institution

For CRA:
Benefit Program

For ESDC:
Benefits Program

Standard or institution specific class of record:

Canada Emergency Response Benefit (CERB), Canada Emergency Student Benefit (CESB), Canada Recovery Benefit (CRB), Canada Recovery Sickness Benefit (CRSB) and Canada Recovery Caregiving Benefit (CRCB)
CRA ABSB 649

Standard or institution specific personal information bank:

Canada Emergency Student Benefit
CRA PPU 641

Legal authority for program or activity

The following represents the authorities for ESDC:

The following represents the authority for the CRA to administer these benefits on behalf of ESDC:

Summary of the project / initiative / change

Overview of the Program or Activity

On May 1, 2020, the government passed legislation (Bill C-15 An Act respecting Canada emergency student benefits (coronavirus disease 2019). This enactment authorizes the payment of Canada Emergency Student Benefit (CESB) to students who lost work and income opportunities for reasons related to COVID-19 (coronavirus disease).

The CESB provided emergency financial relief to students and recent graduates who did not qualify for the Canada Emergency Response Benefit or Employment Insurance (EI) benefits and were unable to find work because of COVID-19. The CESB provided financial support for up to four (4) months, from May 2020 to August 2020. Students were able to apply retroactively for this benefit until September 30, 2020.

Eligible students received $1,250 per month, plus an additional $750 per month if they had at least one child under the age of 12 or other dependants, or they had a disability for a maximum of $2,000 per month.

The benefit was available to students who:

Individuals began submitting CESB applications as of May 15, 2020 and the program required them to attest that they met the eligibility requirements. There was a requirement to re-attest every four weeks to reconfirm their eligibility.

Students could select one of three channels to apply for the benefit:

  1. The CRA My Account secure portal
  2. A toll-free number equipped with an automated application process or,
  3. The individual enquiries toll-free number for assistance if they were unable  to use the other services.

The CRA administered this benefit on behalf of Employment and Social Development Canada (ESDC) and used existing taxpayer information for the administration and some pre-payment eligibility verification activities (Phase 1), and for post-payment compliance and enforcement (Phase 2) purposes. Data exchanges of personal information undertaken in Phase I are detailed below (See “Type of Personal Information Involved and Context” section). Phase 2 is out of scope and will be assessed under a separate PIA.

Scope of the Privacy Impact Assessment

Phase I concerns the administration of the benefit only and is considered in scope for this PIA. Post verification, compliance and enforcement activities will be undertaken in Phase 2 to ensure eligible applicants received the benefit and any overpayments are collected accordingly, as described in the MOU between ESDC and the CRA. A new PIA will address Phase 2 compliance and enforcement activities.

For the purpose of the administration of this benefit, the legal opinions, and MOU make the distinction between the collection, use, and disclosure of personal information collected under the authority of CESBA and the collection of taxpayer information under the ITA (i.e. information that was collected for the purposes of administration and enforcement of the ITA).

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: Personal information was used by ESDC and the CRA to administer the CESB. Phase 1, the administration of the benefit is within scope of this PIA. Phase 2, compliance and enforcement activities are out of scope for this PIA.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information may include: name, contact information, Social Insurance Number or Temporary Tax Number (TTN), date of birth, date of death, income, the attestation for eligibility, direct deposit information, incarceration and mailing address. The TTN is an identifier used by CRA for taxpayers who reside in Canada and are required to file taxes but cannot obtain a SIN. Those with an Individual Tax Number (ITN) (i.e. non-residents, international students) are not eligible for CESB.

Applicants were required to attest that they are either a Canadian citizen, a registered Indian, permanent resident or a protected person, among other eligibility information, and to confirm if they have dependants or a disability, as well as to indicate the period for which they applied.

To further determine eligibility, the CRA T1 IDENT system was cross-referenced (for data matching) with the following information to determine eligibility:

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details: The CRA administered and enforced the CESB on behalf of ESDC.

Shared Services Canada were supporting the data exchange mechanism (secure FTP) between ESDC and the CRA.

D) Duration of the program or activity

Short–term program

Level of risk to privacy: 2

Details: This was a short-term, emergency program to help students facing hardship as a result of the COVID-19 pandemic from May to August 2020. Students were able to apply retroactively for this benefit until September 30, 2020; however; the enforcement activities (to audit and/or recover erroneous or over payments) could last a few years. Note: For this PIA, Phase 2 enforcement and compliance activities were out of scope and will be assessed in a separate PIA.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The program affects students who applied for this benefit.

F) Technology & privacy

    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

    2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

    3. Does the new or modified program or activity involves the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.). It also involves easy pass technology in the form of "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.  

Level of risk to privacy: 2

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

 

Details: Individuals submitted their personal information in their CESB application to the CRA electronically using My Account via wireless or non-wireless technology. Alternatively, they may submit their personal information to the CRA via an automated telephone service using a land-based telephone line or cellular data. This Protected B information is then stored in various CRA systems and databases, which have access to other systems and in limited circumstances can be transferred to a departmentally-approved and secure portable device such as a secure USB key with higher level of encryption (for example, in the event of an authorized disclosure to law enforcement).

Applicant’s SIN, stream and period of payment information were pulled from the CRA’s mainframe system and sent to ESDC using an existing secure channel: file transfer protocol (FTP), secured with Entrust encryption software.

The data exchange mechanism (secure FTP) between ESDC and the CRA, which is supported by Shared Services Canada, has existed for over a decade and remained the same for this initiative.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details: If the personal information is compromised, it has the potential to cause financial harm and/or embarrassment to the affected individual.

In early August, the Government of Canada took action to stop credential stuffing attacks against the Government of Canada Branded Credential Service (“GCKey”) and the CRA’s My Account for individuals.

The CRA continues to monitor for suspicious activities resulting from the credential stuffing attacks. Safeguards have been placed on affected accounts. The CRA has also put measures in place to identify high-risk accounts in order to prevent potentially suspicious CESB applications from being made. All valid CESB payments will continue to be issued.

The My Service Canada Account uses GCKey as one of the options to sign in. Previously, individuals could access their CRA My Account via a link from their My Service Canada Account. This link was disabled in response.

The CRA is cooperating with the RCMP in their investigation into the credential stuffing attacks. The CRA also continues to work with government counterparts, including the Canadian Centre for Cyber Security and the Treasury Board of Canada Secretariat, to respond to the credential stuffing attacks.

The Office of the Privacy Commissioner was informed of the cyber incidents. The Privacy Commissioner has commenced investigations.

More details on mitigation measures can be found in the Authentication and Credential Management privacy impact assessment. 

Page details

Date modified: