Corporation Returns and Payment Processing Program v3.0 - Privacy impact assessment summary

Business Returns Directorate
Assessment, Benefit, and Service Branch
Canada Revenue Agency

Overview & PIA Initiation

Government institution
Canada Revenue Agency

Government official responsible for the PIA
Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch 

Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
Director 
Access to Information and Privacy Directorate

Name of program or activity of the government institution
Tax – Tax Services and Processing

Standard or institution specific class of record:
Corporation Returns and Payment Processing programs 
CRA ABSB 225

Standard or institution specific personal information bank:
Corporation Returns and Payment Processing
CRA PPU 047

Legal authority for program or activity

• Sections 150, 220, and 237 of the Income Tax Act (ITA)
• Subsection 229(1) of the Income Tax Regulations under the authority of section 221 of the ITA
• Subsection 63(1) of the Canada Revenue Agency Act
• Section 7 of the Federal-Provincial Fiscal Arrangements Act

Summary of the project / initiative / change

Overview of the Program or Activity

The Corporation Returns and Payment Processing program ensures that Corporation Income Tax Returns (T2) for resident and non-resident corporations and Special Elections and Returns (SERs) are assessed in an accurate and timely manner. The T2 program carries out the planning, controlling, monitoring and verifying of these returns and encompasses all systems, procedures and policies related to assessing and reassessing, issuing notices and checking the accuracy of T2 returns and SERs to determine required adjustments.

Payment processing administers, develops, implements, monitors and maintains the systems that support and facilitate the remitting, processing and tracking of payments made to CRA. The T2 program is also responsible for assessing provincial corporate returns for taxes and credits that are harmonized with federal T2 returns. This applies to all provinces except for Quebec and Alberta, which administer their own provincial corporate tax returns. Information is shared with federal departments and provincial and territorial governments in accordance with established information sharing agreements. Information specific to a treaty agreement may also be shared with foreign governments by the CRA’s Competent Authority program under the authority of a tax treaty. A tax treaty or agreement is generally designed to prevent double taxation.

All resident corporations, including non-profit organizations, tax-exempt corporations and inactive corporations (except tax-exempt Crown corporations, Hutterite colonies and registered charities) have to file a T2 return every tax year, even if there is no tax owed. A non-resident corporation has to file a return if, at any time in the year, it conducted business in Canada, if it had a taxable capital gain or it disposed of taxable Canadian property.

An election is a form filed by a taxpayer on a voluntary basis to qualify for special tax provisions under the Income Tax Act (ITA). In most cases these provisions are used to eliminate or defer certain tax consequences resulting from a specific transaction. A special return is a tax return that a taxpayer is required to file under the ITA. A special return generates a notice of assessment and must be filed in addition to a T2 return. In most cases special returns are used to calculate various taxes including, but not limited to, tax for the disposition of certain properties, and tax on income from Canada of an approved non-resident insurer.

Overall, there are 3.3 million corporations registered in the Business Number system and over of 2.2 million T2 returns and 107,000 SERs are processed each year.

What's new

1. The information released to Employment and Social Development Canada under the Memorandum of Understanding for the provision of protected information in support of the Canada Pension Plan, Employment Insurance and Old Age Security has been updated to include:
   • Income, expenses, deductions and schedule 11 information
2. Some items have been added to more accurately reflect the existing Corporation Returns and Payment Processing program activities.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to CRA’s T2 assessment program, including processing business returns (T2 and SERs) and payment processing. 

Certain compliance activities such as audits and investigations are separate programs and therefore are not included in this PIA.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services 

Level of risk to privacy: 2

Details:

Personal information is used to administer the T2 program. For example, it is needed for  identification, processing returns and elections, collecting revenue, issuing payments and providing support to taxpayers. The information is used to calculate the correct amount of taxes owing or credits on the account, and to prevent unwarranted refunds.

The personal information collected by the T2 program is also shared with compliance programs to detect fraud or investigate possible abuses. If fraud or abuses are found, audits can be carried out, which may result in additional corporation income tax owing and possible penalties. All T2 returns can be selected for audit.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.   

Level of risk to privacy: 3

Details:

Personal information includes name, contact information and financial information. It may also include information about associated individuals. 

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details:

The CRA discloses personal information to its provincial partners, various CRA programs and other federal departments and agencies. The shared information is analyzed to determine if more filing detail is needed. Data is cross-referenced between programs on a need-to-know basis for program administration and enforcement purposes. The aim is to encourage businesses to fully disclose business activity, comply with reporting and remitting requirements and lessen aggressive tax planning or tax deferral.

Paper documents containing personal information are stored for a specified period of time by a third-party in the private sector that contracts with the CRA.   

D) Duration of the program or activity:

Long-term program 

Level of risk to privacy: 3

Details:

The Corporation Returns and Payment Processing program does not have a sunset date. 

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The current program applies to individuals affiliated with all corporations that have an establishment in Canada. 

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

3. Does the new or modified program or activity involves the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc. 

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

The CORTAX and SER systems connect with other systems located on CRA servers. They are secured. Access is only available to CRA employees and on a need-to-know basis. There is controlled access to the physical location where the computers are kept. There is an audit trail for all views and changes occurring on these systems. Each user is assigned a level of access based on organizational requirements (roles and profiles). 

Data files are encrypted and transferred electronically via file transfer protocol (FTP) or by bonded courier using compact disks (CD) or digital video disk (DVD). 

In addition, public key infrastructure (PKI) has been implemented to support several initiatives throughout the CRA, including secure remote access, secure emails and other electronic transactions where security or digital signatures are required. PKI is a combination of policy and technology that establishes a secure electronic working environment, allowing CRA users to conduct secure electronic transactions. PKI uses digital certificates, critical tools for enabling secure and trusted use of our electronic networks. The digital certificates enable users to use the CRA’s electronic networks to send, receive and access  protected information securely. Overall, privacy concerns and risks are low and are expected to remain low. Current mitigating practices are considered to be adequate and are rigidly enforced.

Some employee workstations include CRA issued laptops and docking stations. Any telework is done through secure remote access (SRA).

Any universal serial bus (USB) keys used must be issued by the CRA and formatted with encryption technology specific to the user.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If the personal information were compromised, it has the potential to cause financial harm and embarrassment to the individual.