Charities Program

Legislative Policy and Regulatory Affairs 
Charities Directorate

On this page

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Soren Halverson
Assistant Commissioner
Legislative Policy and Regulatory Affairs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
A/Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution


Standard or institution specific class of record:

Charities Program
Record Number: CRA LPRAB 290

Standard or institution specific personal information bank:

Charities Program
Bank Number: CRA PPU 200
TBS Registration Number: 005859

Legal authority for program or activity

The legal authority for the Charities program is the Income Tax Act. The following provisions of the Act relate to registered charities and other qualified donees:

Summary of the project, initiative or change

Overview of the Program or Activity

The Canadian Constitution grants jurisdictional authority to provinces to establish, maintain, and manage charities operating in and within a province. However, when it comes to tax benefits for registered charities and other qualified donees under the Income Tax Act, that falls under the authority of the federal government.

Through the Income Tax Act, the federal government supports the charitable sector by providing tax incentives for charitable donations as well as taxation privileges for registered charities and other qualified donees. The Canada Revenue Agency (CRA), and specifically the Charities program, is responsible for registering and monitoring qualified donees for income tax purposes.

Within this framework, the CRA collects, uses, stores, discloses, retains and disposes of the personal information of certain individuals connected to qualified donees and applicants for such status to:

The changes made to the Income Tax Act after Budget 2011 brought in new measures to enhance the transparency and accountability of certain qualified donees. These changes also equipped the CRA with additional tools, aiming for a more effective and robust regulatory regime. This resulted in changes to the existing program’s privacy practices. After reviewing these measures, and given a lack of an overarching program privacy impact assessment, the CRA decided to address all instances of collection, use, disclosure, storage and disposal of personal information.

Registering qualified donees

To be able to issue official donation receipts for income tax purposes, certain qualified donees, excluding charitable organizations and public and private foundations, must adhere to these requirements:

The requirements apply to these qualified donees:

Personal information of individuals connected to these qualified donees is collected and handled for administering the Income Tax Act. This includes general contact and representative information for registration and listing purposes, as well as any personal information found within the organization’s books and records during an audit.

Ineligible individuals

Before Budget 2011, the Income Tax Act did not specifically allow the CRA to consider the criminal history or other past misconduct of individuals who control or manage charities or Canadian amateur athletic associations (CAAA) when deciding whether to grant or revoke registered status. As further amendments were made to the Income Tax Act, the CRA is now allowed to reject applications for registration as a charity or Canadian amateur athletic association if an ineligible individual has filed the application, or is on the board of directors, or otherwise controls or manages the applicant. In a similar vein, the CRA is also allowed to suspend the receipting privilege of registered charities and RCAAAs and revoke their registration if an ineligible individual is on the board of directors, or otherwise controls or manages the registered charity or RCAAA.

For more information, go to

Registered journalism organizations

Budget 2019 amended the Income Tax Act to introduce registered journalism organizations as a new type of tax-exempt qualified donee. This change, which came into effect on January 1, 2020, helps Canadian journalism organizations that produce original news content. To become a qualified donee, an organization must apply through the CRA and meet the following requirements:

For transparency, the name of all registered journalism organizations are listed on the CRA’s website. Only the public portions of their information returns are available to the public.

Scope of the Privacy Impact Assessment

A previous privacy impact assessment (PIA) was completed in 2009 for the T3010B (09) Registered Charities information Return, and a preliminary PIA was prepared in 2008 for the T2050 charities registration application form. They have been replaced with this current submission, which will assess the entire Charities program.

The scope of this PIA is to identify privacy risks and recommend mitigation measures associated with the Charities program. It is limited to the registering and monitoring of qualified donees for income tax purposes.

However, it does not include the National Security Disclosure Program. Another PIA is being completed for this program.

Risk identification and categorization

A) Type of program or activity

Program or activity that does not involve a decision about an identifiable individual

Level of risk to privacy: 1


The Charities program collects the personal information of individuals who are in some way connected to an applicant or qualified donee. Generally, these individuals are the entity’s officials, representatives, employees and associates, and in some cases their beneficiaries and donors.

The personal information is collected to confirm the individuals’ identity and assess whether the client organization present any risk in registering and meeting their obligations under the Income Tax Act and the common law.

Decisions made for the client organizations (applicants or qualified donees) in the program do not directly affect an individual, as stated in the Privacy Act. Generally, these decisions pertain to the client organizations and do not result in direct services or benefits to an individual.  Thus, it may not be clear that the Charities program falls within the “administrative purpose” defined in the Privacy Act. Nevertheless, recognizing the extent and sensitivity of the personal information used to carry out its mandate, the Charities program is committed to following the rules and requirements of the Privacy Act.

B) Type of personal information involved and context

Detailed profiles, allegations or suspicions, bodily samples and the context surrounding personal information is particularly sensitive. 

Level of risk to privacy: 4


Personal information collected from client organizations is generally limited to the name, contact information, signature, official title, occupation, arm’s length relationship to other officials, and date of birth of the entity’s officials and representatives. However, using this personal information, the Charities program can then collect more personal information from other internal and external sources. This can include a person’s:

In some instances, when auditing the books and records of a qualified donee, Charities program employees may be exposed to, or require access to the qualified donee’s donor information. This may include contact information and the date and amount (or type) of donation to ensure the client organization is following the rules of registration, such as proper receipting practices.

Charities program employees may also be exposed to, or require access to a qualified donee’s beneficiary information to ensure compliance with registration rules, such as proper beneficiary selection practices to minimize the risk of undue benefits. This may include

The program can also collect and review an individual’s will or final testament when a qualified donee has been legally established through that document (for example a trust).

The program also collects personal information such as contact information from public enquirers, informants, and from individuals who are providing information relating to qualified donees and applicants for such status.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4


Partners include other CRA programs, federal institutions, provincial governments, and private sector organizations.

Personal information found in a qualified donee file is shared with other areas of the CRA, for administering the Income Tax Act.

For example, the program internally shares and access personal information during the screening, registration, client-service and compliance activities pertinent to the registrant’s situation.

The program also collects and shares personal information with other areas of the CRA when it:

Paper copies of documentation that form a charity file are stored on behalf of the Program by CRA’s contracted third party - for the duration of their retention period. This  follows our Storage, Disposal, Transmittal and Transport of Protected and Classified Information and Assets Directive.

The program discloses and collects personal information to or from other federal and provincial institutions such as: 

Open Data – Treasury Board Secretariat website

The charities dataset is permissible information listed under subsections 149.1(15) and 241(3.2) of the Income Tax Act. It can contain personal information and is available on the open data portal for the Government of Canada. The names and positions on the board of directors and like officials of qualified donees are disclosed to the public once they are registered. If an applicant has not qualified for registration, the information is not disclosed publicly.

Regarding the private sector, the program shares permissible information listed under subsections 149.1(15) and 241(3.2) of the Income Tax Act to various stakeholders in the charitable sector, academia, and the media. This includes organizations such as Imagine Canada and

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3


This is a long-term CRA program with no planned end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3


The program affects individuals who are in some way connected to an applicant or qualified donee. Generally, these individuals are the entity’s officials, representatives, employees and associates, and in some cases their beneficiaries and donors.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
    Risk to privacy: Yes
  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
    Risk to privacy: No
  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4


CRA employees can use a laptop computer with access controls. Access to the agency network from remote locations must be done with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

Client organization can submit their applications to the CRA electronically using My Business Account, a secure online portal.

Information may be stored on encrypted USB keys for audit purposes. This method is subject to the Storage of Protected and Classified Information and Assets Standards.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee


As with all taxpayer information, if someone’s personal information is somehow compromised or disclosed without statutory authority, the individual may become a victim of identity theft. Their information may be used without their knowledge, causing financial or reputational harm.


Page details

Date modified: