Canada Recovery Benefits

Horizontal Integration Directorate
Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Benefits

Standard or institution specific class of record:

Benefit Programs – Canada Emergency Response Benefit (CERB), Canada Emergency Student Benefit (CESB), Canada Recovery Benefit (CRB), Canada Recovery Sickness Benefit (CRSB) and Canada Recovery Caregiving Benefit (CRCB)
CRA ABSB 649

Standard or institution specific personal information bank:

Recovery Benefits: Canada Recovery Benefit (CRB), Canada Recovery Sickness Benefit (CRSB), and Canada Recovery Caregiving Benefit (CRCB)
CRA PPU 642

Legal authority for program or activity

• Canada Revenue Agency Act (CRAA), section 61 authorizes the Canada Revenue Agency (CRA) to enter into contracts, agreements or other arrangements with governments, public or private organizations and agencies or any person in the name of Her Majesty in right of Canada or in its own name. Note: This gives the Minister of CRA authority to enter into agreements to administer programs on behalf of other government or private sector organizations.
• Delegation instrument [Letter of Authorization] issued pursuant to section 11 of the Department of Employment and Social Development Act (DESDA) to the CRA in respect of subsection 4(1), section 6 and 7, subsection 8(2), subsection 11(1), sections 13 and 14, subsection 18(1), section 20, 21, and 25, subsections 26(1) and (2), section 28, subsections 29(1), (2), and (3), sections 30, 31, and 32, subsections 35(2) and (3), sections 37 and 38 of the Canada Recovery Benefits Act (CRBA), signed on October 2, 2020, authorizes CRA to collect personal information and administer CRBA on behalf of of Employment and Social Development Canada (ESDC).
• Pursuant to section 10 of the CRAA, the CRA is authorized to accept delegation of authority to administer the CRBA on behalf of Employment and Social Development Canada (ESDC).
• Income Tax Act: Subparagraph 241(4)(d)(vii.7) to an official solely for the purposes of the administration and enforcement of the Canada Recovery Benefits Act or the evaluation or formulation of policy for that Act.

Summary of the project, initiative or change

Overview of the Program or Activity

On October 2, 2020 the government passed legislation (Bill C-4“An Act relating to certain measures in response to
COVID-19”) to support Canadians and established the Canada Recovery Benefit (CRB), the Canada Recovery Sickness Benefit (CRSB), and the Canada Recovery Caregiving Benefit (CRCB). The three benefits will be known collectively as the Recovery Benefits throughout this document.

The CRA is administering these benefits on behalf of ESDC and using existing taxpayer information.

Applications for the Canada Recovery Caregiving Benefit and Canada Recovery Sickness Benefit began October 5, 2020. Applications for the Canada Recovery Benefit began October 12, 2020. The programs require Canadians to attest that they meet the eligibility requirements prior to submitting their application for each period of payment requested. Applicants have up to 60 days to apply for each period (this applies to all benefits).

Canadians have the option of three channels to apply for the Recovery Benefits: 

1. by accessing it through their CRA My Account secure portal; 
2. by calling a toll free number equipped with an automated application process; or,
3. by calling the individual enquiries toll free number for assistance if they are not able to use the other services.

The CRB provides income support to employed and self-employed individuals who are directly affected by COVID-19 and are not entitled to Employment Insurance (EI) benefits. If eligible, they can receive $1,000 ($900 after taxes withheld) for a 2-week period. As of March 15, 2021, they may apply up to a total of 19 eligibility periods (38 weeks) between September 27, 2020 and September 25, 2021.

To be eligible for the CRB, applicants must meet all the following conditions for the 2-week period they are applying for:

• they are resident and present in Canada.
• they are at least 15 years of age on the first day of the period.
• they have a valid Social Insurance Number (SIN).
• they had a total income of at least $5,000 for 2019, 2020, or in the 12-month period preceding the day on which they make their first application for this benefit, from one or more of the following sources:
  • employment income;
  • self-employment income; or
  • Employment Insurance (EI) maternity or parental benefits or Quebec Parental Insurance Plan (QPIP) benefits.
• they meet one of the following conditions for the period for which they are applying:
  • they are not employed or self-employed for reason related to COVID-19; or
  • they have a reduction of at least 50% in their employment income and self-employment income for reasons related to COVID-19.
• they are seeking work during the period for which they are applying.
• they did not place undue restrictions on their availability for work, on or after September 27, 2020, unless reasonable to do so.
• they have not quit their employment or voluntarily ceased to work on or after September 27, 2020.
• they have not:
  • failed to return to employment when it was reasonable to do so if their employer have made a request;
  • failed to resume self-employment when it was reasonable to do so; or
  • declined a reasonable offer to work that would have started during the two-week period.
• they are ineligible to apply for Employment Insurance (EI) benefits.
• they are not in receipt of the Canada Recovery Caregiving Benefit (CRCB), the Canada Recovery Sickness Benefit (CRSB), short-term disability benefits, any Employment Insurance (EI) benefits, or Quebec Parental Insurance Plan (QPIP) benefits.
• they are not self-isolating or in quarantine due to international travel.

The CRSB provides income support to employed and self-employed individuals who are unable to work because they are sick or need to self-isolate due to COVID-19, or have an underlying health condition that puts them at greater risk of getting COVID-19. If eligible, they can receive $500 ($450 after taxes withheld) for a 1-week period. As of March 15, 2021, they may apply up to a total of 4 weeks between September 27, 2020 and September 25, 2021.

To be eligible for the CRSB, they must meet all the following conditions for the 1-week period they are applying for:

• they are resident and present in Canada.
• they are at least 15 years of age on the first day of the period.
• they have a valid Social Insurance Number (SIN).
• they had a total income of at least $5,000 for 2019, 2020, or in the 12-month period preceding the day on which they make their first application for this benefit, from one or more of the following sources:
  • employment income;
  • self-employment income; or
  • Employment Insurance (EI) maternity or parental benefits or Quebec Parental Insurance Plan (QPIP) benefits.
• they are unable to work for at least 50% of the time they would have otherwise worked or devoted to their work because:
  • they had or might have had COVID-19;
  • they self-isolated on the advice of their employer, a medical practitioner, nurse practitioner, person in authority, government, or public health authority for any reason related to COVID-19; or
  • they have an underlying condition that in the opinion of a medical practitioner, nurse practitioner, person in authority, government or public health authority would make them more susceptible to COVID-19.
• they are not in receipt of paid leave from an employer.
• they are not in receipt of the Canada Recovery Benefit (CRB), the Canada Recovery Caregiving Benefit (CRCB), short-term disability benefits, any Employment Insurance (EI) benefits, or Quebec Parental Insurance Plan (QPIP) benefits.
• they are not self-isolating or in quarantine due to international travel.

The CRCB gives income support to employed and self-employed individuals who are unable to work because they must care for their child under 12 years old or a family member who needs supervised care. This applies if their school, regular program or facility if closed or unavailable to them due to COVID-19, or because they are sick, self-isolating, or at risk of serious health complications due to COVID-19. If eligible, their household can receive $500 ($450 after taxes withheld) for each 1-week period. As of March 15, 2021, they may apply up to a total of 38 weeks between September 27, 2020 and September 25, 2021.

To be eligible for the CRCB, they must meet all the following conditions for the 1-week period they are applying for:

• they are resident and present in Canada.
• they are at least 15 years of age on the first day of the period.
• they have a valid Social Insurance Number (SIN).
• they had a total income of at least $5,000 for 2019, 2020, or in the 12-month period preceding the day on which they make their first application for this benefit, from one or more of the following sources:
  • employment income;
  • self-employment income; or
  • Employment Insurance (EI) maternity or parental benefits or Quebec Parental Insurance Plan (QPIP) benefits.
• they are unable to work for at least 50% of the time they would have otherwise worked or devoted to their work because of one of the following reasons:
  • they had to take care of a child who was under 12 years of age on the first day of the period for which they are applying because:
    • their school or other facility that they normally attended was closed, open only certain times, or open only for certain children for reasons related to COVID-19;
    • they could not attend school or other facility that they normally attend under the advice of a medical professional due to being at high risk of having serious health complications if they contract COVID-19;
    • they were in isolation on the advice of a medical practitioner, nurse practitioner, person in authority, government or public health authority for reasons related to COVID-19;
    • they contracted or might have contracted COVID-19; or
    • the individual who usually provided care of their child was not available for reasons related to COVID-19.
  • they had to provide care to a family member who requires supervised care because:
    • their day program or facility that they normally attended was closed, open only certain times, or open only for a certain persons for reasons related to COVID-19;
    • they could not attend the day program or other facility that they normally attend under the advice of a medical practitioner or nurse practitioner who is of the opinion that the family member would be at high risk of having serious health complications if they contract COVID-19;
    • they were in isolation on the advice of a medical practitioner, nurse practitioner, person in authority, government or public health authority for reasons related to COVID-19;
    • they contracted or might have contracted COVID-19; or
    • the care services that are normally provided to the family member at their normal place of residence are not available for reasons related to COVID-19.
• they are the only individual from their household claiming the Canada Recovery Caregiving Benefit.
• they are not applying for a week that would exceed the 38-week maximum per household.
• they are not in receipt of paid leave from an employer.
• they are not in receipt of the Canada Recovery Benefit (CRB) the Canada Recovery Sickness Benefit (CRSB), short-term disability benefits, any Employment Insurance (EI) benefits, or Quebec Parental Insurance Plan (QPIP) benefits.
• they are not self-isolating or in quarantine due to international travel.

Scope of the Privacy Impact Assessment

Phase 1 concerns the administration of the benefit only and is considered in scope for this PIA. Post payment verification, compliance and enforcement activities will be undertaken in Phase 2 to ensure eligible applicants received the benefit and any overpayments are collected accordingly, as described in the MOU (currently in draft) between the ESDC and CRA. A new PIA will address Phase 2.

This PIA captures information and any related program changes related to the Recovery Benefits until the end of February 2021. All other changes will be captured in a future update to this PIA. Note the following major changes for the Recovery Benefits since program launch:

• Application process for the benefits were modified (November 30, 2020) to include data collection within the application, where applicants would be asked to provide free-form text to provide further context to validate their eligibility.
• Text added with respect to international travelers attestation (January 11, 2021) for the Recovery Benefits retroactive to applications starting January 3, 2021.
  • An amendment was made March 17, 2021 to remove the mention of the retroactive date as the legislative change is retroactive to program commencement.

Risk identification and categorization

A) Type of program or activity

Administration of Programs/Activity and Services

Level of risk to privacy: 2

Details:

Personal information will be used by CRA to administer the Recovery Benefits on behalf of the ESDC. Phase 1, the administration of the benefit is within scope. Phase 2, post payment verification, compliance and enforcement activities are out of scope for this PIA.

B) Type of personal information involved and context

SIN, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.     

Level of risk to privacy: 3

Details:

Personal information may include: name, contact information, SIN, date of birth, date of death, incarceration status, mailing address, income, the attestation for eligibility, and direct deposit information. To further determine eligibility, the CRA T1 IDENT system will also be cross-referenced (data matching) with the date of birth, date of death and incarceration status. 

C) Program or activity partners and private sector involvement

With other federal institutions  

Level of risk to privacy: 2

Details:

Under Phase 1, the CRA is administering the Recovery Benefits on behalf of ESDC. Post payment verification, compliance, and enforcement activities of the program are out of scope for this PIA.  

D) Duration of the program or activity

Short–term program 

Level of risk to privacy: 2

Details:

This is a short term program to help Canadians facing hardship as a result of the COVID-19 outbreak. At this time, no application is permitted to be made on any day that is more than 60 days after the end of the week to which the benefit relates, however; the enforcement activities (to audit and/or recover erroneous or over payments) could last a few years. Note: For this PIA, Phase 2 post payment verification, compliance and enforcement activities are out of scope and will be assessed in a separate PIA. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details:

The program affects workers who apply for any of the Recovery Benefits.  

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.  

Level of risk to privacy: 4

Details:

Individuals submit their personal information in their Recovery Benefit applications to the CRA electronically using My Account via wireless or non-wireless technology. Alternatively, they may submit their personal information to the CRA via an automated telephone service using a land-based telephone line or cellular. This Protected B information is then stored in various CRA systems and databases, which have access to other systems and in limited circumstances can be transferred to a departmentally-approved and secure portable device such as a secure USB key with higher level of encryption. 

ESDC’s data exchange mechanism (secure FTP) which is supported by Shared Services Canada, has existed for over a decade.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual.

In August 2020, the Government of Canada took action to stop credential stuffing attacks against the Government of Canada Branded Credential Service (“GCKey”) and the CRA’s My Account for individuals. 

The CRA continues to monitor for suspicious activities resulting from the credential stuffing attacks. Safeguards have been placed on affected accounts. The CRA has also put measures in place to identify high-risk accounts in order to prevent potentially suspicious applications from being made.

The My Service Canada Account uses GCKey as one of the options to sign in. Previously, individuals could access their CRA My Account via a link from their My Service Canada Account. This link was disabled in response. 

The CRA is cooperating with the Royal Canadian Mounted Police in their investigation into the credential stuffing attacks. The CRA also continues to work with government counterparts, including the Canadian Centre for Cyber Security and the Treasury Board of Canada Secretariat, to respond to the credential stuffing attacks. 

The Office of the Privacy Commissioner of Canada was informed of the cyber incidents. The Privacy Commissioner has commenced investigations. 

More details on mitigation measures can be found in the Authentication and Credential Management PIA.