Employer Accounts Program – Privacy impact assessment summary

Collections and Verification Branch
Business Compliance Directorate

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Returns Compliance

Description of the class of record and personal information bank

Standard or institution specific class of record:
Employer Compliance
Record Number: CRA CVB 188

Standard or institution specific personal information bank:
Employer Compliance
Bank Number: CRA PPU 120

Legal authority for program or activity

The collection of personal information in the course of collecting employer remittances of income tax, Canada Pension Plan contributions and employment insurance premiums that are deducted from their employees’ salaries and wages and the reporting on these remittances are authorized by the following:

• Sections 153 and 227 of the Income Tax Act and section 200 of the Income Tax Regulations for remittances of income tax.
• Sections 8, 9 and 21 of the Canada Pension Plan Act and section 10 of the Canada Pension Plan Regulations for remittances of Canada Pension Plan contributions.
• Section 82 of the Employment Insurance Act and section 11 of the Insurable Earnings and Collection of Premiums Regulations for remittances of employment insurance premiums.

• Every person who has failed to remit or pay is liable to a penalty of 10%:
  • Income Tax Act: paragraph 227(9)(a)
  • Canada Pension Plan: paragraph 21(7)(a)

Summary of the project / initiative / change

Brief overview of the program or activity

Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:

• whether or not an individual's employment is pensionable under the Canada Pension Plan and/or insurable under the Employment Insurance Act;
• the amount of pensionable and/or insurable earnings;
• whether or not Canada Pension Plan contributions and employment insurance premiums are payable;
• how many hours an insured person has in insurable employment;
• how long an employment lasts, including the dates on which the employment began and ended;
• the amount of Canada Pension Plan contributions and/or employment insurance premiums payable;
• who is the employer;
• whether or not employers are considered to be associated for the purposes of the Employment Insurance Act; and
• the refund amount.

The Employer Accounts program is responsible for ensuring that all employers deduct the required Canada Pension Plan contributions, employment insurance premiums and income tax from their employees' salary and wages, remit these deductions, along with their share of the Canada Pension Plan contributions and employment insurance premiums, and ensure that they are reported correctly on the appropriate information return.

This privacy impact assessment focuses on the Employer Accounts program. In cases where non-compliant accounts cannot be resolved by the Employer Accounts program, a referral can be sent to the Trust Accounts Examination program in order to conduct a face-to-face examination of the employer’s books and records. A referral can be sent to the Employer Compliance Audit from the Trust Accounts Examination program where non-compliant accounts require a more in depth review of employer records.

What's new

In November 2017, the Employer Accounts program started using a system called Correspondence Tracking Inventory System (an existing Assessment, Benefit, and Service Branch system) to better track correspondence received from employers in the National Verification and Collections Centres across Canada.

In the past, incoming correspondence in paper format was placed into shelves and stayed there until an officer was ready to review and action it. With the implementation of the Correspondence Tracking Inventory System, incoming correspondence is converted to an electronic format and uploaded to the system for officers to review and action regardless of where they work from.

A threat and risk assessment and Statement of Sensitivity is in place to ensure that the personal information stored in the system is properly protected.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Employer Accounts Program activities. The scope of this PIA is limited to the Employer Accounts Program activities. The Trust Accounts Examination, Employer Compliance Audit, and the Collections and Verification Business Intelligence program activities have been assessed in separate PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details:

Personal information is used to identify the taxpayer, perform account updates, and compliance activities such as:

• update taxpayer’s file (e.g. address changes, authorized representative updates);
• review account transactions;
• send notices;
• assess or re-assess amounts owing (tax, penalty, and/or interest); and
• perform account adjustments

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, biometrics, and/or the context surrounding the personal information is particularly sensitive

Level of risk to privacy: 4

Details:

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments.

Level of risk to privacy: 4

Details:

Information gathered by the Employer Accounts program is entered into the PAYDAC system and can be accessed by various CRA areas to administer their related CRA programs. For example, information provided by employers regarding their deducted remittances can be cross-referenced against their employees’ T4s (as part of CRA’s Individual Returns and Payments programs) to ensure that both portions do match.

ESDC and CRA jointly administer CPP and EI; CRA has an enforcement role. The information that the Employer Accounts program shares with other CRA programs, including with the Individual Returns Program, may be shared with ESDC. A Memorandum of Understanding (MOU) between CRA and ESDC signed in 2011 covers the provision of protected information in support of the Canada Pension Plan, Employment insurance and Old Age Security programs.

Information regarding payroll deductions may also be shared with Revenu Québec, in accordance with an MOU with Revenu Québec, in order to apply misapplied payments.

Information regarding payroll deductions may also be shared with the Nova Scotia Workers' Compensation Board (NSWCB) in accordance with an MOU with NSWCB in order to transfer remittances.

Paper copies containing personal information are stored by a third party service provider in the private sector.

D) Duration of the program or activity: Long-term program

Long-term program

Level of risk to privacy: 3

Details:

This program does not have an end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The Employer Accounts program affects every employer who is required to deduct from the remuneration of its employees the prescribed amounts for the purposes of income tax, Canada Pension Plan and employment insurance.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

• Risk to privacy: Yes
• Details: The Correspondence Tracking Inventory System was implemented within the Employer Accounts program in order to better track correspondence received from employers.

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

• Risk to privacy: Yes
• Details: A new shared drive had to be created in order to save scanned correspondence before being uploaded to the newly implemented Correspondence Tracking Inventory System, which links to the document location on the shared drive and allows users to view the pdf documents. Access is be granted only to those users who need it.

The new or modified program or activity involves the implementation of one or more of the following technologies:

• Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
  • Risk to privacy: No
  • Details: n/a

• Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
  • Risk to privacy: No
  • Details: n/a

• Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
  • Risk to privacy: Yes
  • Details: Requests are often sent to our branch’s Technology and Business Intelligence Directorate (TABI) to identify potential non-compliant accounts or to gather information. Data received from TABI comes most of the time from the Agency Data Warehouse (ADW). However, it can also come from virtual data marts that are searchable by various query tools. These business intelligence activities, which support the Employer Accounts Program (EAP), are fully described in the Collections and Verification Business Intelligence PIA. In addition, the EAP uses mainframe macro applications to cull or extract personal information elements for case file reviews.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details:

Paper correspondence received from employers is scanned, then saved into a secure shared drive and uploaded into the Correspondence Tracking Inventory System.

Electronically filed remittances involve an internet connection and information is transferred to our mainframe (PAYDAC) via a secure connection. PAYDAC pulls information from other systems to populate its payroll fields.

H) Risk impact to the individual or employee

Details:

If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employer. The affected individual or employer may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.