Corporation Income Tax Return Assessment Program

Business Returns Directorate, Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution
Canada Revenue Agency

Government official responsible for the PIA
Frank Vermaeten
Assistant Commissioner, Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution
Tax - Tax Services and Processing

Description of the class of record and personal information bank
Standard or institution specific class of record:
Corporation returns and payment processing programs CRA ABSB 225

Standard or institution specific personal information bank:
Corporate Returns and Payment Processing CRA PPU 047

Legal authority for program or activity

• Sections 150, 220, and 237 of the Income Tax Act (ITA).
• Subsection 229(1) of the Income Tax Regulations under the authority of section 221 of the ITA.
• Subsection 63(1) of the Canada Revenue Agency Act.
• Section 7 of the Federal-Provincial Fiscal Arrangements Act.

Summary of the project / initiative / change

Overview of the program or activity
The T2 program ensures that T2 Corporation Income Tax Returns (T2), Special Elections and Returns (SERs), and Non-Resident T2 Returns (NR T2 returns) are assessed accurately and in a timely manner. The T2 program carries out activities related to the planning, controlling, monitoring, and verifying of these returns and encompasses all systems, procedures and policies relating to assessing and reassessing processes, issuing notices and checking the accuracy of T2 returns and SERs to determine adjustments required. Accounting and payment processing activities for corporations includes monitoring procedures and techniques, reviewing of Agency remittance voucher forms, and information on cash security. The T2 program is also responsible for assessing provincial corporate returns for taxes and credits that are harmonized with the federal T2 returns. This applies to all provinces except for Quebec and Alberta, which administer their own provincial corporate tax returns. Information is shared with federal departments and provincial and territorial governments in accordance with established information sharing agreements. In addition, information specific to a treaty agreement may be shared by the CRA’s Competent Authority program with foreign governments under the authority of a tax treaty. The tax treaty or agreement is generally designed to prevent double taxation.

All resident corporations, including non-profit organizations, tax-exempt corporations and inactive corporations (except tax-exempt crown corporations, Hutterite colonies and registered charities) have to file a T2 return for every tax year, even if there is no tax payable. A non-resident corporation has to file a return if, at any time in the year, it carried on business in Canada or if it had a taxable capital gain or it disposed of taxable Canadian property.

An election is a form that is filed by a taxpayer, on a voluntary basis, to qualify for special tax provisions allowed under the Income Tax Act (ITA). In most cases, these provisions are used to eliminate or defer certain tax consequences resulting from a specific transaction. A special return is a tax return that a taxpayer is required to file under the ITA and requires a notice of assessment.
 
T2 returns can be filed in several different formats. The most common filing method is over the internet, prepared through approved software. Barcoded returns are produced by certified tax software, then scanned into a processing system when received by a taxation centre. SERs and some T2 returns are filed in preprinted paper formats then keyed into the appropriate processing system. Corporations with annual gross revenues that exceed $1 million must file their T2 returns for 2002 and later years electronically. Electronic filing is optional for all other corporations. Overall, there are 3.3 million corporations registered in the Business Number system and in excess of 2.2 million T2 returns are processed each year. Approximately 107,000 SERs are processed in the same period.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to CRA’s T2 assessing program including the processing of business returns (T2, SER, NR T2), elections and payment processing. Certain compliance activities such as audits and investigation are separate programs and therefore are not included within the scope of this PIA.

Risk identification and categorization

A) Type of program or activity
Administration of Programs / Activity and Services 
Level of risk to privacy: 2
Details: The personal information collected is used mainly to administer the T2 program (for example, identification, processing returns and elections, collecting revenue, issuing payments and providing support to taxpayers). The information is needed to calculate the correct amount of taxes owing or credits on the account and to prevent unwarranted refunds.
The personal information collected by the T2 program is shared with compliance programs for enforcement purposes such as detecting fraud or investigating possible abuses. If fraud or abuses are found, audits can be carried out, which may result in additional corporation income tax owing and possible penalties. All T2 returns can be selected for audit.

B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: Personal information collected includes details such as name, contact information, financial information, and may include information about associated individuals.

C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4
Details: The CRA discloses personal information to its provincial partners, to various CRA programs, and to other federal departments and agencies. The shared information is analyzed to determine if more filing detail is needed. Data is cross-referenced between programs, on a need-to-know basis, for program administration and enforcement purposes. The aim is to encourage businesses to fully disclose business activity, comply with reporting and remitting requirements, and lessen aggressive tax planning or tax deferral.
Paper documents containing personal information are stored for a specified period of time by a third party in the private sector that contracts with the CRA.

D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details: The Corporation Returns program does not have a sunset date.

E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: The current program applies to individuals affiliated with all corporations that have an establishment in Canada.

F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
Details: Data matching: when a return is captured in the CORTAX system, the business number system verifies that the number is valid. If the business number is not valid, there’s an upfront validation that sets an error message. Manual intervention is required to get the correct information before any further verification of the filed information.

G) Personal information transmission
The personal information is transmitted using wireless technologies. 
Level of risk to privacy: 4
Details: The CORTAX system connects with different systems that are located on the CRA’s servers. They are secured. Access is only available to CRA employees and on a need-to-know basis. There is controlled access to the physical location where the computers are kept. There is an audit trail for all views and changes occurring on these systems. Each user is assigned a level of access based on organizational requirements (Roles and Profiles).

Data files are encrypted and transferred electronically via File Transfer Protocol (FTP) or by bonded courier using compact disks (CD) or digital video disk (DVD). 

In addition, Public Key Infrastructure (PKI) has been implemented to support several initiatives throughout the CRA, including secure remote access, secure emails, and other electronic transactions where security or digital signatures are required. PKI is a combination of policy and technology that establishes a secure electronic working environment, allowing CRA users to conduct secure electronic transactions. PKI uses digital certificates, critical tools for enabling secure and trusted use of our electronic networks. The digital certificates enable us to use our electronic networks to send, receive and access designated (protected) information securely. Overall privacy concerns and risks are low and are expected to remain low. Current mitigating practices are considered to be adequate and are rigidly enforced.

Some employees workstations are composed of CRA issued laptops in docking stations. Laptops comply to the Security for the Computing Environment Policy with Encryption and access control. Any telework done is through Secure Remote Access (SRA).

Any Universal Serial Bus (USB) keys used must be agency issued and formatted with encryption technology specific to the user.

H) Risk impact to the individual or employee
Details: If the personal information were compromised it has the potential to cause financial harm and embarrassment to the individual.