Corporation Returns and Payment Processing Program v4.0

Assessment, Benefit and Service Branch
Business Returns Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Adnan Khan
Director General
Business Returns Directorate
Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate
Public Affairs Branch

Name of program or activity of the government institution

Tax Services and Processing

Standard or institution specific class of record:

Corporation returns and payment processing
CRA ABSB 225

Standard or institution specific personal information bank:

Corporation returns and payment processing
CRA PPU 047
TBS Registration Number: 003942

Legal authority for program or activity

• Sections 150, 220, and 237 of the Income Tax Act
• Subsection 229(1) of the Income Tax Regulations under the authority of section 221 of the Income Tax Act
• Subsection 63(1) of the Canada Revenue Agency Act
• Section 7 of the Federal-Provincial Fiscal Arrangements Act
• Subsection 241(5) of the Income Tax Act authorizes the Canada Revenue Agency (CRA) to provide taxpayer information to other organizations, such as the National Research Council (NRC) and the Ontario Ministry of Finance, with the taxpayer’s consent.
• Subsection 127.421(2) of the Income Tax Act governs the administration of the new Canada Carbon Rebate for small businesses.

Disclosure to Department of Justice Canada

• Subparagraph 241(4)(e)(vii) of the Income Tax Act authorizes the CRA to provide taxpayer information to the Department of Justice only to administer the Family Orders and Agreements Enforcement Assistance Act
• Sections 18 and 19 of the Family Orders and Agreements Enforcement Assistance Act authorize the CRA to disclose personal information to the Department of Justice to administer and enforce the calculation of child support payments
• Section 5(1) d of the Release of Information for Family Orders and Agreements Enforcement Assistance Regulations specifically identifies the corporation income tax return as an approved document for release when the taxpayer has controlling interest in the corporation

Summary of the project, initiative or change

Overview of the Program or Activity

The Corporation Returns and Payment Processing Program (T2 program) ensures that T2 corporation income tax returns for resident and non-resident corporations, as well as special elections and returns, are assessed in an accurate and timely manner. The T2 program carries out the planning, controlling, monitoring and verifying of these returns and encompasses all systems, procedures and policies related to assessing and reassessing, issuing notices and checking the accuracy of T2 returns, as well as special elections and returns, to determine required adjustments.

Payment processing administers, develops, implements, monitors and maintains the systems that support and facilitate the remitting, processing and tracking of payments made to the Canada Revenue Agency (CRA). The T2 program is also responsible for assessing provincial corporate returns for taxes and credits that are harmonized with federal T2 returns. This applies to all provinces except for Quebec and Alberta, which administer their own provincial corporate tax returns. Information is shared with federal agencies and departments, as well as provincial and territorial governments, in accordance with established information-sharing agreements. Information specific to a treaty agreement may also be shared with foreign governments by the CRA’s Competent Authority Program under the authority of a tax treaty. A tax treaty or agreement is generally designed to prevent double taxation.

All resident corporations, including non-profit organizations, tax-exempt corporations and inactive corporations (except tax-exempt Crown corporations, Hutterite colonies and registered charities) have to file a T2 return every tax year, even if there is no tax owed. A non-resident corporation has to file a return if, at any time in the year, it did business in Canada and it had a taxable capital gain or it disposed of taxable Canadian property.

An election is a form voluntarily filed with the CRA by a taxpayer to qualify for special tax provisions under the Income Tax Act. In most cases, the provisions are used to eliminate or defer tax consequences resulting from a specific transaction. A special return is a tax return that a taxpayer has to file under the Act. In most cases, special returns are used to calculate various taxes. This includes, but is not limited to, tax for the disposition of certain properties, and tax on income from Canada of an approved non-resident insurer. Special elections and returns can be filed with or without a CRA tax form.

Overall, there are 3.3 million corporations registered in the federal business number system. The CRA processes more than 2.2 million T2 returns and 107,000 special elections and returns each year.

What’s New

This privacy impact assessment is being updated as part of the commitment of the Assessment, Benefit, and Service Branch to do an annual review based on new initiatives or changes that affect personal information. Some items have been added to the assessment to more accurately reflect activities of the Corporation Returns and Payment Processing Program.

National Research Council

After receiving consent from the owner or signing authority of the business entity, the National Research Council (NRC) will request the business number and financial information of the business entity from the CRA. The NRC will use this information in performance reporting for programs administered by the Industrial Research Assistance Program (IRAP). It will also use this information to evaluate the impact of the IRAP on small and medium Canadian businesses. It will share information on a quarterly basis through secure, Government of Canada-approved, encrypted electronic exchange.

Ontario Ministry of Finance

After receiving consent from the owner or signing authority of the business, the Ontario Ministry of Finance will request the name, business number, contact information, and financial information of the business from the CRA. The Ministry will use this information to validate applicants’ eligibility for the Ontario Small Business Support Grant.

The Ontario Ministry of Finance will tell the Ontario Ministry of Economic Development, Job Creation and Trade whether an applicant is eligible for the grant. The Ontario Ministry of Economic Development, Job Creation and Trade administers the grant program and is responsible for managing the payment of the grant. The ministries will share information through secure, Government of Canada-approved, encrypted electronic exchange.

Public Guardian and Trustee of Ontario

The CRA may provide taxpayer information about a person or trust that is under the responsibility of the Public Guardian and Trustee of Ontario with the public guardian solely for the purpose of administering the affairs of that person or trust. The CRA may also accept information from the Public Guardian and Trustee of Ontario as a legal representative of the individual or trust for tax purposes. The organizations exchange information through the secure Represent a Client online service and information sharing agreements.

Canada carbon rebate for small businesses

The Canada carbon rebate for small businesses is a new initiative planned for fall 2024 to help small and medium businesses combat climate change and build a sustainable economy. This new rebate will return a portion of federal fuel charge proceeds through an automatic refundable tax credit to eligible Canadian-controlled private corporations (CCPCs) that operate in provinces where the federal fuel charge applies.

The CRA will determine and automatically issue the rebate amounts to eligible CCPCs that had 499 or fewer employees who resided in PROVINCES throughout the calendar year in which the fuel charge year began. Businesses will not have to apply for the rebate.

To be eligible for a retroactive rebate payment for the 2019 to 2024 fuel charge years, the CCPC must file its corporate income tax return for the tax year ending in 2023 by July 15, 2024.

New disclosure to the Department of Justice for the administration and enforcement of the Family Orders and Agreements Enforcement Assistance Act.

Effective November 2024, the CRA will begin sharing information from the corporation tax return with the Department of Justice. This  may include personal information such as a corporation’s financial information, contact information, business number, and name. The Department of Justice can use this information only:

• to calculate and enforce child and spousal support payments, and
• when there has been a breakdown in a relationship and an individual has not given this information to the requesting court officials

How it will work:

1. The Department of Justice will send an individual’s business number (BN) to the CRA.
2. The CRA will use the BN to locate the individual’s corporation tax return.
3. The CRA will securely share the agreed-upon information from the corporation tax return containing the personal information with the Department of Justice.
4. The Department of Justice will share the return with the requesting provincial or territorial court official so the official can calculate child or spousal support.
5. The Court or courts may then choose to share the corporation tax return, including the personal information, with each individual involved in the request for child or spousal support. These individuals may include legal representatives, lawyers, and former spouses.  

Scope of the Privacy Impact Assessment

This privacy impact assessment identifies and assesses privacy risks to personal information related to the CRA’s T2 assessment program, including the processing of business returns (T2 returns and special elections and returns) and payments.

Certain compliance activities such as audits and investigations are under separate programs. So they are not included in this privacy impact assessment.

Risk identification and categorization

A) Type of program or activity

Administration of programs / Activity and services

Level of risk to privacy: 2

Details:

Personal information is used to administer the T2 program. For example, it is needed for identification, processing returns and elections, collecting revenue, issuing payments and providing support to taxpayers. The information is used to calculate the amount of tax owing or credit on an account, and to prevent unwarranted refunds.

The personal information collected by the T2 program is shared with compliance programs to detect fraud and investigate possible abuses. If fraud or abuses are found, audits can be carried out, which may result in more corporation income tax owing and possible penalties. All T2 returns can be selected for audit.

B) Type of personal information involved and context

Social insurance number, and medical, financial and other sensitive personal information, as well as the context surrounding the information. Also, the personal information of minors, incompetent individuals, and any representative acting for an individual. 

Level of risk to privacy: 3

Details:

Although most of the information collected through the program is related to a corporation, there is also some collection of personal information. Personal information includes name, contact information and financial information. It may also include information about associated individuals.

C) Program or activity partners and private sector involvement

Private-sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

The CRA discloses personal information to its provincial partners, various CRA programs and other federal agencies and departments. The shared information is analyzed to determine if more filing detail is needed. Data is cross-referenced between programs on a need-to-know basis for program administration and enforcement purposes. The aim is to encourage businesses to fully disclose business activity, comply with reporting and remitting requirements, and lessen aggressive tax planning and tax deferral.

Information specific to a treaty agreement may be shared with foreign governments by the CRA’s Competent Authority Program under the authority of a tax treaty. A tax treaty or agreement is generally designed to prevent double taxation.

Paper documents containing personal information are stored for a specified period of time by a third party in the private sector that the CRA contracts. The third party follows CRA security requirements related to storage, disposal, transmittal, and transportation of protected information.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

The T2 program does not have a sunset date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The program applies to individuals affiliated with all corporations that have an establishment in Canada, as well as individuals, corporations, trusts and partnerships that are filing a special election or return.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

   Risk to privacy: Yes

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

   Risk to privacy: Yes

3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is sent using wireless technologies.

Level of risk to privacy: 4

Details:

The systems for the T2 program and special elections and returns connect with other systems located on CRA servers. They are secured. Access is only available to CRA employees and on a need-to-know basis. There is controlled access to the physical location where the computers are kept. There is an audit trail for all views and changes occurring on these systems. Each user is assigned a level of access based on organizational requirements (roles and profiles).

Data files are encrypted and transferred electronically through file transfer protocol or, in exceptional situations, by bonded courier using compact disks or digital video disks  that are encrypted using CRA-approved encryption software.

In addition, public key infrastructure (PKI) has been implemented to support several initiatives throughout the CRA, including secure remote access, secure email and other electronic transactions where security or digital signatures are required. PKI is a combination of policy and technology that establishes a secure electronic working environment, allowing CRA users to make secure electronic transactions. PKI uses digital certificates, which are critical tools for enabling secure and trusted use of our electronic networks. The digital certificates enable users to use the CRA’s electronic networks to send, receive and access protected information securely. Overall, privacy concerns and risks are low and are expected to remain low. Current mitigating practices are considered to be adequate and are rigidly enforced.

CRA employees use laptop computers with access controls. Access to the Agency network from remote locations must be done with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

Any universal serial bus keys used must be issued by the CRA and formatted with encryption technology specific to the user.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

Although most of the information collected through the program is related to a business or a corporation, there is also some collection of personal information. If the personal information were compromised, it has the potential to cause financial harm and embarrassment to the individual.