Employer Accounts Program – Privacy impact assessment summary

Collections and Verification Branch
Business Compliance Directorate

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Returns Compliance

Description of the class of record and personal information bank

Standard or institution specific class of record:
Employer Compliance
Record Number: CRA CVB 188

Standard or institution specific personal information bank:
Employer Compliance
Bank Number: CRA PPU 120

Legal authority for program or activity

The collection of personal information in the course of collecting employer remittances of income tax, Canada Pension Plan contributions and employment insurance premiums that are deducted from their employees’ salaries and wages and the reporting on these remittances are authorized by the following:

The legislative authorities used by CRA to apply penalties and interest for payroll compliance:
 
  • Where the failure was made knowingly or under circumstances amounting to gross negligence, 20% of that amount:
    • Income Tax Act: paragraph 227(9)(b)
    • Canada Pension Plan: paragraph 21(7)(b)
  • Interest: Payable at the prescribed rate
    • Income Tax Act: subsection 227(9.2)
    • Canada Pension Plan: subsection 21(6)
    • Employment Insurance Act: subsection 82(8)
  • The Social Insurance Number is collected and used for identification purposes pursuant to:
    • Section 237 of the Income Tax Act;
    • Section 88 of the Canada Pension Plan Regulations; and
    • Section 89 of the Employment Insurance Regulations. 

Summary of the project / initiative / change

Brief overview of the program or activity

Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:

The Employer Accounts program is responsible for ensuring that all employers deduct the required Canada Pension Plan contributions, employment insurance premiums and income tax from their employees' salary and wages, remit these deductions, along with their share of the Canada Pension Plan contributions and employment insurance premiums, and ensure that they are reported correctly on the appropriate information return.

This privacy impact assessment focuses on the Employer Accounts program. In cases where non-compliant accounts cannot be resolved by the Employer Accounts program, a referral can be sent to the Trust Accounts Examination program in order to conduct a face-to-face examination of the employer’s books and records. A referral can be sent to the Employer Compliance Audit from the Trust Accounts Examination program where non-compliant accounts require a more in-depth review of employer records.

What's new

In November 2017, the Employer Accounts program started using a system called Correspondence Tracking Inventory System (an existing Assessment, Benefit, and Service Branch system) to better track correspondence received from employers in the National Verification and Collections Centres across Canada.

In the past, incoming correspondence in paper format was placed on shelves and stayed there until an officer was ready to review and action it. With the implementation of the Correspondence Tracking Inventory System, incoming correspondence is converted to an electronic format and uploaded to the system for officers to review and action regardless of where they work from.

A threat and risk assessment and a Statement of Sensitivity are in place to ensure that the personal information stored in the system is properly protected.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Employer Accounts Program activities. The scope of this PIA is limited to the Employer Accounts Program activities. The Trust Accounts Examination, Employer Compliance Audit, and the Collections and Verification Business Intelligence program activities have been assessed in separate PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details:

Personal information is used to identify the taxpayer, perform account updates, and compliance activities such as:

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, biometrics, and/or the context surrounding the personal information is particularly sensitive

Level of risk to privacy: 4

Details:

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments.

Level of risk to privacy: 4

Details:

Information gathered by the Employer Accounts program is entered into the PAYDAC system and can be accessed by various CRA areas to administer their related CRA programs. For example, information provided by employers regarding their deducted remittances can be cross-referenced against their employees’ T4s (as part of CRA’s Individual Returns and Payments programs) to ensure that both portions match.

ESDC and CRA jointly administer CPP and EI; CRA has an enforcement role. The information that the Employer Accounts program shares with other CRA programs, including with the Individual Returns Program, may be shared with ESDC. A Memorandum of Understanding (MOU) between CRA and ESDC signed in 2011 covers the provision of protected information in support of the Canada Pension Plan, Employment insurance and Old Age Security programs.

Information regarding payroll deductions may also be shared with Revenu Québec, in accordance with an MOU with Revenu Québec, in order to apply misapplied payments.

Information regarding payroll deductions may also be shared with the Nova Scotia Workers' Compensation Board (NSWCB) in accordance with an MOU with NSWCB in order to transfer remittances.

Paper copies containing personal information are stored by a third party service provider in the private sector.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

This program does not have an end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The Employer Accounts program affects every employer who is required to deduct from the remuneration of its employees the prescribed amounts for the purposes of income tax, Canada Pension Plan and employment insurance.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

The new or modified program or activity involves the implementation of one or more of the following technologies:

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details:

Paper correspondence received from employers is scanned, then saved into a secure shared drive and uploaded into the Correspondence Tracking Inventory System.

Electronically filed remittances involve an internet connection and information is transferred to our mainframe (PAYDAC) via a secure connection. PAYDAC pulls information from other systems to populate its payroll fields.

H) Risk impact to the individual or employee

Details:

If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employer. The affected individual or employer may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.
