Charities Program

Legislative Policy and Regulatory Affairs 
Charities Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Soren Halverson
Assistant Commissioner
Legislative Policy and Regulatory Affairs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
A/Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Charities

Standard or institution specific class of record:

Charities Program
Record Number: CRA LPRAB 290

Standard or institution specific personal information bank:

Charities Program
Bank Number: CRA PPU 200
TBS Registration Number: 005859

Legal authority for program or activity

The legal authority for the Charities program is the Income Tax Act. The following provisions of the Act relate to registered charities and other qualified donees:

• Paragraph 110.1 (1), Division C, Deduction for charitable gifts made by a corporation
• Paragraph 118.1 (1), Division E, Total charitable gifts made by an individual
• Section 149, Division H – Exemptions
• ss. 149.1 Qualified donees (all subsections)
• Section 150, Division I – Returns, Assessments, Payments and Appeals – all pertinent subsections
• Section 169, Division J – Appeals to the Tax Court of Canada and the Federal Court of Appeal
• Part V – Tax and Penalties in Respect of Qualified Donees
• Section 220, Part XV, Administration and Enforcement – all pertinent subsections
• Part XVII, Interpretation
• Disclosure provisions for qualified donees:
  ss. 149.1(15)
  ss. 241(3.2)

Summary of the project, initiative or change

Overview of the Program or Activity

The Canadian Constitution grants jurisdictional authority to provinces to establish, maintain, and manage charities operating in and within a province. However, when it comes to tax benefits for registered charities and other qualified donees under the Income Tax Act, that falls under the authority of the federal government.

Through the Income Tax Act, the federal government supports the charitable sector by providing tax incentives for charitable donations as well as taxation privileges for registered charities and other qualified donees. The Canada Revenue Agency (CRA), and specifically the Charities program, is responsible for registering and monitoring qualified donees for income tax purposes.

Within this framework, the CRA collects, uses, stores, discloses, retains and disposes of the personal information of certain individuals connected to qualified donees and applicants for such status to:

• determine the eligibility of applicants for registration under the Income Tax Act and common law
• verify the compliance of registered charities and other qualified donees with the provisions of the Income Tax Act and common law
• provide information to the public as permitted under the Income Tax Act

The changes made to the Income Tax Act after Budget 2011 brought in new measures to enhance the transparency and accountability of certain qualified donees. These changes also equipped the CRA with additional tools, aiming for a more effective and robust regulatory regime. This resulted in changes to the existing program’s privacy practices. After reviewing these measures, and given a lack of an overarching program privacy impact assessment, the CRA decided to address all instances of collection, use, disclosure, storage and disposal of personal information.

Registering qualified donees

To be able to issue official donation receipts for income tax purposes, certain qualified donees, excluding charitable organizations and public and private foundations, must adhere to these requirements:

• be on the list of charities and certain other qualified donees, which is maintained by the CRA
• maintain books and records and provide them to the CRA upon request
• issue official donation receipts according to the requirements of the Income Tax Act

The requirements apply to these qualified donees:

• registered Canadian amateur athletic association (RCAAA)
• registered municipalities
• registered universities outside Canada
• registered foreign charities that have received a gift from His Majesty in right of Canada
• registered municipal or public bodies performing a function of government in Canada
• registered low-cost housing corporations for the aged
• registered journalism organizations

Personal information of individuals connected to these qualified donees is collected and handled for administering the Income Tax Act. This includes general contact and representative information for registration and listing purposes, as well as any personal information found within the organization’s books and records during an audit.

Ineligible individuals

Before Budget 2011, the Income Tax Act did not specifically allow the CRA to consider the criminal history or other past misconduct of individuals who control or manage charities or Canadian amateur athletic associations (CAAA) when deciding whether to grant or revoke registered status. As further amendments were made to the Income Tax Act, the CRA is now allowed to reject applications for registration as a charity or Canadian amateur athletic association if an ineligible individual has filed the application, or is on the board of directors, or otherwise controls or manages the applicant. In a similar vein, the CRA is also allowed to suspend the receipting privilege of registered charities and RCAAAs and revoke their registration if an ineligible individual is on the board of directors, or otherwise controls or manages the registered charity or RCAAA.

For more information, go to canada.ca/en/services/taxes/charities.

Registered journalism organizations

Budget 2019 amended the Income Tax Act to introduce registered journalism organizations as a new type of tax-exempt qualified donee. This change, which came into effect on January 1, 2020, helps Canadian journalism organizations that produce original news content. To become a qualified donee, an organization must apply through the CRA and meet the following requirements:

• It must be a corporation or trust that has been designated as a qualified Canadian journalism organization.
• It must be constituted and operated for purposes exclusively related to journalism.
• Any business activities it carries on must be related to its purposes.
• It must have a board of directors or trustees, each of whom deals with each other at arm’s length.
• It cannot be controlled, directly or indirectly in any manner whatsoever, by a person or group of persons that do not deal with each other at arm’s length.
• It cannot make any part of its income payable to, or otherwise available for the personal benefit of, any proprietor, member, shareholder, director, trustee, settlor or like individual.
• It must generally not, in any given year, receive gifts from any one source that represent more than 20% of its total revenues, including donations.
• It must be primarily engaged in the production of original news content.

For transparency, the name of all registered journalism organizations are listed on the CRA’s website. Only the public portions of their information returns are available to the public.

Scope of the Privacy Impact Assessment

A previous privacy impact assessment (PIA) was completed in 2009 for the T3010B (09) Registered Charities information Return, and a preliminary PIA was prepared in 2008 for the T2050 charities registration application form. They have been replaced with this current submission, which will assess the entire Charities program.

The scope of this PIA is to identify privacy risks and recommend mitigation measures associated with the Charities program. It is limited to the registering and monitoring of qualified donees for income tax purposes.

However, it does not include the National Security Disclosure Program. Another PIA is being completed for this program.

Risk identification and categorization

A) Type of program or activity

Program or activity that does not involve a decision about an identifiable individual

Level of risk to privacy: 1

Details:

The Charities program collects the personal information of individuals who are in some way connected to an applicant or qualified donee. Generally, these individuals are the entity’s officials, representatives, employees and associates, and in some cases their beneficiaries and donors.

The personal information is collected to confirm the individuals’ identity and assess whether the client organization present any risk in registering and meeting their obligations under the Income Tax Act and the common law.

Decisions made for the client organizations (applicants or qualified donees) in the program do not directly affect an individual, as stated in the Privacy Act. Generally, these decisions pertain to the client organizations and do not result in direct services or benefits to an individual.  Thus, it may not be clear that the Charities program falls within the “administrative purpose” defined in the Privacy Act. Nevertheless, recognizing the extent and sensitivity of the personal information used to carry out its mandate, the Charities program is committed to following the rules and requirements of the Privacy Act.

B) Type of personal information involved and context

Detailed profiles, allegations or suspicions, bodily samples and the context surrounding personal information is particularly sensitive. 

Level of risk to privacy: 4

Details:

Personal information collected from client organizations is generally limited to the name, contact information, signature, official title, occupation, arm’s length relationship to other officials, and date of birth of the entity’s officials and representatives. However, using this personal information, the Charities program can then collect more personal information from other internal and external sources. This can include a person’s:

• social insurance number
• gender
• language
• marital status
• citizenship
• personal tax information
• finances
• bankruptcy information
• consumer insolvency information
• credit history
• biography
• criminal checks and history
• opinions on individuals
• suspected non-compliance and CRA investigations or audits

In some instances, when auditing the books and records of a qualified donee, Charities program employees may be exposed to, or require access to the qualified donee’s donor information. This may include contact information and the date and amount (or type) of donation to ensure the client organization is following the rules of registration, such as proper receipting practices.

Charities program employees may also be exposed to, or require access to a qualified donee’s beneficiary information to ensure compliance with registration rules, such as proper beneficiary selection practices to minimize the risk of undue benefits. This may include

• contact information
• age
• gender
• race
• education information and history
• medical information and history
• religious affiliation
• other biographical elements

The program can also collect and review an individual’s will or final testament when a qualified donee has been legally established through that document (for example a trust).

The program also collects personal information such as contact information from public enquirers, informants, and from individuals who are providing information relating to qualified donees and applicants for such status.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

Partners include other CRA programs, federal institutions, provincial governments, and private sector organizations.

Personal information found in a qualified donee file is shared with other areas of the CRA, for administering the Income Tax Act.

For example, the program internally shares and access personal information during the screening, registration, client-service and compliance activities pertinent to the registrant’s situation.

The program also collects and shares personal information with other areas of the CRA when it:

• transfers file folders to field auditors in local tax services offices (TSO) for onsite charity audit reviews
• transfers file folders to the Appeals Branch when an organization objects to a CRA decision
• is aware, through an audit, about a qualified donee’s non-compliance with the Income Tax Act in other CRA programs (e.g., payroll, GST, abusive tax shelters). In this case, the program will refer that information to the Compliance Programs Branch.
• determines that tax evasion has occurred. In this case, the program refers this information to the Criminal Investigations Directorate of the Compliance Programs Branch.
• determines that a charity’s assets are unduly appropriated by an official, or when a charity gifts its assets to an ineligible recipient upon revocation. In this case, the program may refer this information to the Compliance Programs Branch and the Collections and Verification Branch to assess personal liability for tax owing on the misappropriated funds.
• determines that a journalism organization has submitted conflicting information during their application to becoming a qualified Canadian journalism organization (QCJO) and registered journalism organization (RJO). To be eligible for registration as an RJO, a journalism organization must first apply for and receive designation as a QCJO by the Legislative Policy and Regulatory Affairs Branch’s Legislative Policy Directorate. Once designated, the application, including personal information, is sent to the Charities program for registration as an RJO. If the information received during the registration process differs from information related to the QCJO designation, personal information of the organization’s officials can be shared with the Legislative Policy Directorate in relation to that determination.
• collects and accesses personal information previously collected by other areas of the agency when determining eligibility for qualified donee status.

Paper copies of documentation that form a charity file are stored on behalf of the Program by CRA’s contracted third party - for the duration of their retention period. This  follows our Storage, Disposal, Transmittal and Transport of Protected and Classified Information and Assets Directive.

The program discloses and collects personal information to or from other federal and provincial institutions such as: 

• The Department of Justice, in rare instances where an organization is trying to stop a proposed revocation through a court order. Under the rules of evidence and to support the decision on a file, the program must disclose the entire content of the qualified donee’s file
• The Department of Canadian Heritage and the Canadian Cultural Property Export Review Board, as necessary to administer the donation incentives for cultural property
• The Department of Finance Canada for the formulation or evaluation of fiscal policy. The Minister of Finance is also part of the process for determining eligibility of foreign charitable organizations pursuant to ss.149.1(26) as “qualified donees.”
• Statistics Canada for statistical purposes as authorized under subparagraph 241(4)(e)(x) of the Income Tax Act, which allows disclosure in accordance with section 24 of the Statistics Act
• Provincial institutions, as they may access the charities dataset, which is permissible information listed under subsections 149.1(15) and 241(3.2) of the Income Tax Act. This dataset can contain personal information and is available on the open data portal for the Government of Canada.

Open Data – Treasury Board Secretariat website

The charities dataset is permissible information listed under subsections 149.1(15) and 241(3.2) of the Income Tax Act. It can contain personal information and is available on the open data portal for the Government of Canada. The names and positions on the board of directors and like officials of qualified donees are disclosed to the public once they are registered. If an applicant has not qualified for registration, the information is not disclosed publicly.

Regarding the private sector, the program shares permissible information listed under subsections 149.1(15) and 241(3.2) of the Income Tax Act to various stakeholders in the charitable sector, academia, and the media. This includes organizations such as Imagine Canada and Canadiancharitylaw.ca.

• Moreover, to ensure administrative fairness, if the program plans to deny registration, suspend receipting privileges, or revoke the registered status of registered charities or other qualified donees and applicants for such status, it must share the reasons for doing so. This allows them a chance to respond. If the program’s rationale includes information about an ineligible individual, it’s allowed and necessary to share that personal information with the applicant or qualified donee. This is in line with sections 149.1(15) and/or 241(3.2) of the Income Tax Act.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: 

This is a long-term CRA program with no planned end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The program affects individuals who are in some way connected to an applicant or qualified donee. Generally, these individuals are the entity’s officials, representatives, employees and associates, and in some cases their beneficiaries and donors.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
   Risk to privacy: Yes
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
   Risk to privacy: No
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

CRA employees can use a laptop computer with access controls. Access to the agency network from remote locations must be done with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

Client organization can submit their applications to the CRA electronically using My Business Account, a secure online portal.

Information may be stored on encrypted USB keys for audit purposes. This method is subject to the Storage of Protected and Classified Information and Assets Standards.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

As with all taxpayer information, if someone’s personal information is somehow compromised or disclosed without statutory authority, the individual may become a victim of identity theft. Their information may be used without their knowledge, causing financial or reputational harm.