Canada Recovery Benefits

Horizontal Integration Directorate
Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Benefits

Standard or institution specific class of record:

Benefit Programs – Canada Emergency Response Benefit (CERB), Canada Emergency Student Benefit (CESB), Canada Recovery Benefit (CRB), Canada Recovery Sickness Benefit (CRSB) and Canada Recovery Caregiving Benefit (CRCB)
CRA ABSB 649

Standard or institution specific personal information bank:

Recovery Benefits: Canada Recovery Benefit (CRB), Canada Recovery Sickness Benefit (CRSB), and Canada Recovery Caregiving Benefit (CRCB)
CRA PPU 642

Legal authority for program or activity

Summary of the project, initiative or change

Overview of the Program or Activity

On October 2, 2020 the government passed legislation (Bill C-4“An Act relating to certain measures in response to
COVID-19”) to support Canadians and established the Canada Recovery Benefit (CRB), the Canada Recovery Sickness Benefit (CRSB), and the Canada Recovery Caregiving Benefit (CRCB). The three benefits will be known collectively as the Recovery Benefits throughout this document.

The CRA is administering these benefits on behalf of ESDC and using existing taxpayer information.

Applications for the Canada Recovery Caregiving Benefit and Canada Recovery Sickness Benefit began October 5, 2020. Applications for the Canada Recovery Benefit began October 12, 2020. The programs require Canadians to attest that they meet the eligibility requirements prior to submitting their application for each period of payment requested. Applicants have up to 60 days to apply for each period (this applies to all benefits).

Canadians have the option of three channels to apply for the Recovery Benefits: 

  1. by accessing it through their CRA My Account secure portal; 
  2. by calling a toll free number equipped with an automated application process; or,
  3. by calling the individual enquiries toll free number for assistance if they are not able to use the other services.

The CRB provides income support to employed and self-employed individuals who are directly affected by COVID-19 and are not entitled to Employment Insurance (EI) benefits. If eligible, they can receive $1,000 ($900 after taxes withheld) for a 2-week period. As of March 15, 2021, they may apply up to a total of 19 eligibility periods (38 weeks) between September 27, 2020 and September 25, 2021.

To be eligible for the CRB, applicants must meet all the following conditions for the 2-week period they are applying for:

The CRSB provides income support to employed and self-employed individuals who are unable to work because they are sick or need to self-isolate due to COVID-19, or have an underlying health condition that puts them at greater risk of getting COVID-19. If eligible, they can receive $500 ($450 after taxes withheld) for a 1-week period. As of March 15, 2021, they may apply up to a total of 4 weeks between September 27, 2020 and September 25, 2021.

To be eligible for the CRSB, they must meet all the following conditions for the 1-week period they are applying for:

The CRCB gives income support to employed and self-employed individuals who are unable to work because they must care for their child under 12 years old or a family member who needs supervised care. This applies if their school, regular program or facility if closed or unavailable to them due to COVID-19, or because they are sick, self-isolating, or at risk of serious health complications due to COVID-19. If eligible, their household can receive $500 ($450 after taxes withheld) for each 1-week period. As of March 15, 2021, they may apply up to a total of 38 weeks between September 27, 2020 and September 25, 2021.

To be eligible for the CRCB, they must meet all the following conditions for the 1-week period they are applying for:

Scope of the Privacy Impact Assessment

Phase 1 concerns the administration of the benefit only and is considered in scope for this PIA. Post payment verification, compliance and enforcement activities will be undertaken in Phase 2 to ensure eligible applicants received the benefit and any overpayments are collected accordingly, as described in the MOU (currently in draft) between the ESDC and CRA. A new PIA will address Phase 2.

This PIA captures information and any related program changes related to the Recovery Benefits until the end of February 2021. All other changes will be captured in a future update to this PIA. Note the following major changes for the Recovery Benefits since program launch:

Risk identification and categorization

A) Type of program or activity

Administration of Programs/Activity and Services

Level of risk to privacy: 2

Details:

Personal information will be used by CRA to administer the Recovery Benefits on behalf of the ESDC. Phase 1, the administration of the benefit is within scope. Phase 2, post payment verification, compliance and enforcement activities are out of scope for this PIA.

B) Type of personal information involved and context

SIN, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.     

Level of risk to privacy: 3

Details:

Personal information may include: name, contact information, SIN, date of birth, date of death, incarceration status, mailing address, income, the attestation for eligibility, and direct deposit information. To further determine eligibility, the CRA T1 IDENT system will also be cross-referenced (data matching) with the date of birth, date of death and incarceration status. 

C) Program or activity partners and private sector involvement

With other federal institutions  

Level of risk to privacy: 2

Details:

Under Phase 1, the CRA is administering the Recovery Benefits on behalf of ESDC. Post payment verification, compliance, and enforcement activities of the program are out of scope for this PIA.  

D) Duration of the program or activity

Short–term program 

Level of risk to privacy: 2

Details:

This is a short term program to help Canadians facing hardship as a result of the COVID-19 outbreak. At this time, no application is permitted to be made on any day that is more than 60 days after the end of the week to which the benefit relates, however; the enforcement activities (to audit and/or recover erroneous or over payments) could last a few years. Note: For this PIA, Phase 2 post payment verification, compliance and enforcement activities are out of scope and will be assessed in a separate PIA. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details:

The program affects workers who apply for any of the Recovery Benefits.  

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
  2. Risk to privacy: No

  3. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
  4. Risk to privacy: Yes

  5. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.  

Level of risk to privacy: 4

Details:

Individuals submit their personal information in their Recovery Benefit applications to the CRA electronically using My Account via wireless or non-wireless technology. Alternatively, they may submit their personal information to the CRA via an automated telephone service using a land-based telephone line or cellular. This Protected B information is then stored in various CRA systems and databases, which have access to other systems and in limited circumstances can be transferred to a departmentally-approved and secure portable device such as a secure USB key with higher level of encryption. 

ESDC’s data exchange mechanism (secure FTP) which is supported by Shared Services Canada, has existed for over a decade.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual.

In August 2020, the Government of Canada took action to stop credential stuffing attacks against the Government of Canada Branded Credential Service (“GCKey”) and the CRA’s My Account for individuals. 

The CRA continues to monitor for suspicious activities resulting from the credential stuffing attacks. Safeguards have been placed on affected accounts. The CRA has also put measures in place to identify high-risk accounts in order to prevent potentially suspicious applications from being made.

The My Service Canada Account uses GCKey as one of the options to sign in. Previously, individuals could access their CRA My Account via a link from their My Service Canada Account. This link was disabled in response. 

The CRA is cooperating with the Royal Canadian Mounted Police in their investigation into the credential stuffing attacks. The CRA also continues to work with government counterparts, including the Canadian Centre for Cyber Security and the Treasury Board of Canada Secretariat, to respond to the credential stuffing attacks. 

The Office of the Privacy Commissioner of Canada was informed of the cyber incidents. The Privacy Commissioner has commenced investigations. 

More details on mitigation measures can be found in the Authentication and Credential Management PIA. 

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: