Corporations and GST/HST Compliance Programs – Privacy impact assessment summary

Collections and Verification Branch
Business Compliance Directorate
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Returns Compliance

Description of the class of record and personal information bank

Institution specific class of record:
Corporations and GST/HST Compliance
Record Number: CRA CVB 186

Institution specific personal information bank:
Corporations and GST/HST Compliance
Bank Number: CRA PPU 185

Legal authority for program or activity

The administrative delegation instruments for corporations and GST/HST compliance activities are performed under the following Acts:

This provides officials with the authority to exercise powers or perform duties and functions of the Minister of National Revenue through administrative delegation instruments signed either by the Minister or by the Commissioner. 

Summary of the project / initiative / change

Overview of the program or activity

The Corporations and GST/HST Compliance Division within the Business Compliance Directorate of the Collections and Verification Branch is responsible for promoting compliance with Canada's tax laws for registering, withholding, remitting and reporting obligations. This includes GST/HST and T2 post assessing reviews, business number and GST/HST registration reviews, delinquent filers for GST/HST and other levies, and GST/HST non-registrants. To support its mandate the Corporations and GST/HST Compliance Division relies on various programs to achieve its objective:

1. GST/HST returns and rebates post assessing (PAR): This program reviews various elements of the GST/HST returns and rebate claims and encourages future voluntary compliance, as outlined in the Excise Tax Act (ETA). This includes the review of the revenue, tax collected, and input tax credits on a registrant's GST/HST return, as well as rebate claims, against source data and other revenue lines.

2. Corporation Assessing Review (CAR): This program reviews various elements of the T2 tax returns for small and medium sized businesses and encourages future voluntary compliance, as outlined in the Income Tax Act (ITA). This includes various focused projects and referrals from provinces for Revenue Quebec, Ontario and British Columbia T2 tax returns (on a cost-recovery basis).

3. Corporation Registration Review (CRR): This program reviews new corporate accounts to identify chronic non‑compliant behaviours, to conduct a risk assessment to identify potential unauthorized use of taxpayer information by third parties (UUTP), to assist in the identification of T1 non-compliance and to aid in maintaining the integrity of business identification information.

4. GST/HST Enhanced Registration Review (GERR): This program reviews newly-registered GST/HST program accounts (except for the province of Quebec) to conduct a risk assessment to identify potential unauthorized use of taxpayer information by third parties (UUTP) and to prevent revenue leakage. This program also assists in the identification of T1 non‑compliance and aids in maintaining the integrity of business identification information.

5. GST/HST Delinquent Filer: This program obtains outstanding GST/HST returns from non-compliant registrants, and encourages future voluntary compliance.

6. Other Levies Delinquent Filer: This program obtains outstanding returns from non-compliant taxpayers, and encourages future voluntary compliance.

7. GST/HST Non-registrant: This program promotes compliance with the registration requirements of businesses and individuals as outlined in the ETA, thereby contributing to a high level of registration compliance.

8. GST/HST Business Compliance Examination (BCE): This program examines GST/HST registrants' books and records to make sure they are compliant with their GST/HST collecting and filing requirements, as outlined in the ETA.

9. Air Travellers Security Charge (ATSC) BCE: This program involves examination of ATSC accounts to ensure proper collection and reporting of the ATSC, as required by the provisions and regulations of the ETA.

This privacy impact assessment focuses on the Corporations and GST/HST Compliance Programs. In cases where non‑compliant accounts cannot be resolved by the Corporations and GST/HST Compliance Programs, a referral can be sent to other compliance programs. For example, audit referrals can be sent to the Domestic Compliance Programs Branch (DCPB) for:

What's new

The Delinquent Filer Other Levies program was expanded to include the following outstanding returns to their workload inventories:

Scope of the privacy impact assessment

This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to personal information relating to the Corporations and GST/HST Compliance programs. The Collections and Verification Business Intelligence Program PIA assesses the business intelligence related data solutions and services for the program. The results and outcomes from the reports and queries, and how that information is being used, is reflected in this program PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

Personal information is used to identify the taxpayer, perform account updates, and compliance activities such as:

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.   

Levels of risk to privacy: 3

Details:

The personal information is used to administer the Corporations and GST/HST Compliance program activities related to registering, withholding, remitting and reporting obligations. This may include:

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details:

Information may be shared with other federal government institutions and with provincial and territorial governments. Paper records containing personal information are stored by a third-party private sector service provider.   

D) Duration of the program or activity:

Long-term program

Level of risk to privacy: 3

Details:

Corporations and GST/HST Compliance activities are existing long-term programs with no anticipated sunset date.

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details:

The target population for the following programs consist of:

1. GST/HST returns and rebates post assessing (PAR): GST/HST registrants, who filed a GST/HST return or an election

2. Corporation Assessing Review (CAR): Corporations that have filed T2 returns

3. Corporation Registration Review (CRR): Businesses and individuals who have registered for a new corporation account

4. GST/HST Enhanced Registration Review (GERR): New GST/HST registrants

5. GST/HST Delinquent Filer: Businesses and individuals who have not filed (but may be required to) a GST/HST return

6. Other Levies: Businesses and individuals who have not filed (but may be required to) for the following programs: Excise Duty (RD), Excise Tax (RE), Air Travelers Security Charge (RG), Tax on Insurance Premiums (RN), Softwood Lumber Products Export Charge (SL), Cannabis (RD) and the Greenhouse Gas Pollution Pricing Act (GGPPA) (CT)

7. GST/HST Non-registrant: Businesses and individuals who may be required to register for a GST/HST account

8. GST/HST Business Compliance Examination (BCE): GST/HST registrants in all provinces (except Québec)

9. Air Travellers Security Charge (ATSC) BCE: Air carriers required to charge the ATSC

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc. 

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: 

The Technology and Business Intelligence Directorate (TABI) of the Collections and Verification Branch is responsible for providing analytical support services to the corporations and GST/HST programs, including the acquisition and maintenance of high quality data, business intelligence, business analytics, and risk assessment services. As a result, the Collections and Verification Business Intelligence PIA (file IC-076952) covers most of the automated personal information analysis, personal information matching, knowledge discovery techniques and predictive models as it pertains to business intelligence related to the programs. The corporations and GST/HST programs use the data analysis to conduct further compliance risk and gap analysis for file selection purposes to identify the highest risk files for enforcement action. For example, by using predictive models, accounts that would "self-resolve" are identified allowing the focus on enforcement efforts to point to higher risk accounts.

The Workload Development and Business Intelligence Section (WDBIS) supports workload development through the coordination of analytics, research and trends analysis report requests (obtained from the Business Intelligence, Research & Analytics Division) for all business compliance program workloads.

The data obtained from the Agency Data Warehouse (ADW) and various data marts is used to analyze and explain the current state of the Corporation and GST/HST Compliance programs performance, predict client behaviours, measure the outcomes resulting from the implementation of past recommendations, and to make new recommendations for modifications to systems or changes to GST/HST registrants and corporations compliance strategies, workflows, or procedural changes. 

G) Personal information transmission

The personal information is transmitted using wireless technologies. 

Level of risk to privacy: 4

Details:  

The information is entered into various CRA computer systems used by the Agency which are secured. The internet access is controlled and monitored on CRA policies.

Paper correspondence received from taxpayers is scanned, then saved to a secure shared-drive, and uploaded into the CRA systems (for example, FileNet).

Laptop computers may be used and possibly a Universal Serial Bus (USB) key when on-site at a taxpayer’s location. The uses of laptop complies with the Security for the Computing Environment Policy and Encryption and access control.

Access to the Agency network from remote locations must be done with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access top the network.

H) Risk impact to the individual or employee

Details:

If the personal information is compromised, it has a potential to cause financial harm and embarrassment to the affected individual or business. In the event of a privacy breach, loss or misuse of taxpayers’ information, there may be opportunity for fraudulent activities or identity theft occurrences.

Page details

Date modified: