Employer Accounts

Privacy Impact Assessment (PIA) - Business Compliance Directorate, Collections and Verification Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Returns Compliance

Description of the class of record and personal information bank

Standard or institution specific class of record:
Employer, GST/HST and Business Compliance (CRA CVB 188)

Standard or institution specific personal information bank:
Trust Accounts Compliance (CRA PPU 120)

Legal authority for program or activity

• Sections 153 and 227 of the Income Tax Act (ITA) and section 200 of the Income Tax Regulations for remittances of income tax.
• Sections 8, 9 and 21 of the Canada Pension Plan Act and section 10 of the Canada Pension Plan Regulations for remittances of CPP contributions.
• Section 82 of the Employment Insurance Act and section 11 of the Insurable Earnings and Collection of Premiums Regulations for remittances of EI premiums.
• The legislative authorities used by CRA to apply penalties and interests for payroll compliance:
  • Every person who has failed to remit or pay is liable to a penalty of 10%:
    • ITA: Paragraph 227(9)(a)
    • CPP: Paragraph 21(7)(a)
    • EI: Paragraph 82(9)(a)
  • Where the failure was made knowingly or under circumstances amounting to gross negligence, 20% of that amount:
    • ITA: Paragraph 227(9)(b)
    • CPP: Paragraph 21(7)(b)
    • EI: Paragraph 82(9)(b)
  • Interest: Payable at the prescribed rate
    • ITA: Subsection 227(9.2)
    • CPP: Subsection 21(6)
    • EI: Subsection 82(8)
  • The Social Insurance Number is collected and used for identification purposes pursuant to:
    • Section 237 of the ITA;
    • Section 98 of the Canada Pension Plan Regulations; and
    • Section 89 of the Employment Insurance Regulations.

Summary of the project / initiative / change

The Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC) jointly administer the Canada Pension Plan (CPP) and the Employment Insurance Act (EIA). However, each organization has separate and distinct roles and responsibilities.

Under the CPP and the EIA, the CRA is responsible for determining:

• whether or not an individual's employment is pensionable under the CPP and/or insurable under the EIA;
• the amount of pensionable and/or insurable earnings;
• whether or not CPP contributions and employment insurance (EI) premiums are payable;
• how many hours an insured person has in insurable employment;
• how long an employment lasts, including the dates on which the employment began and ended;
• the amount of CPP contributions and/or EI premiums payable;
• who is the employer;
• whether or not employers are considered to be associated for the purposes of the EIA; and
• the refund amount.

The CRA is also responsible for ensuring that CPP contributions and EI premiums are deducted, remitted, and reported as required by legislation.

Employers who do not comply with the deducting or remitting requirements, may find themselves subject to an assessment for failure to deduct (FTD) or failure to remit (FTR) as applicable. Assessments may be raised for any combination of income tax deductions, CPP contributions, EI premiums, penalties and interest.

Scope of the privacy impact assessment

This privacy impact assessment identifies and assesses privacy risks to personal information relating to the Employer Accounts Program activities. The scope of this PIA is limited to the Employer Accounts Program activities. The Trust Accounts Examination (IC-077040), Employer Compliance Audit (IC-086866) and the Collections and Verification Business Intelligence (IC-076952) program activities have been assessed in separate PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: Personal information is used to identify the taxpayer, perform account updates, and compliance activities such as:

• update taxpayer’s file (e.g. address changes, authorized representative updates);
• review account transactions;
• send notices;
• assess or re-assess amounts owing (tax, penalty, and/or interest) and
• perform account adjustments.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information used to ensure that employers are compliant with filing, reporting and withholding requirements pertaining to the CPP, EI and income tax, may include:

• name;
• social insurance number;
• contact information;
• financial information;
• business number; and
• signature.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: Information gathered by the Employer Accounts program is entered into the PAYDAC system and can be accessed by various CRA areas to administer their related CRA programs. For example, information provided by employers regarding their deducted remittances can be cross-referenced against their employees’ T4s (as part of CRA’s Individual Returns and Payments programs) to ensure that both portions do match.

ESDC and CRA jointly administer CPP and EI (CRA has an enforcement role). The information that the Employer Accounts program shares with other CRA programs, including with the Individual Returns Program, may be shared with ESDC. A Memorandum of Understanding (MOU) between CRA and ESDC signed in 2011 covers the provision of protected information in support of the Canada Pension Plan, Employment insurance and Old Age Security programs.

Information regarding payroll deductions may also be shared with Revenue Québec, in accordance with an MOU with Revenu Québec, in order to apply misapplied payments.

Information regarding payroll deductions may also be shared with the Nova Scotia Workers' Compensation Board (NSWCB) in accordance with an MOU with NSWCB, in order to transfer remittances.

Paper copies containing personal information are stored by a third party service provider in the private sector.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: This program does not have an end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The Employer Accounts program affects every employer who is required to deduct from the remuneration of its employees the prescribed amounts for the purposes of income tax (IT), Canada Pension Plan (CPP) and employment insurance (EI).

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of the surveillance on individuals associated with withholding, remitting, reporting, and filing obligations related to payroll.

However, in order to support the requirements specified in acts and regulations, such as section 241 of the Income Tax Act, and the Privacy Act, all employee accesses to identifiable taxpayer information (create, view, modify, delete), will be logged and monitored by the use of the National Audit Trail System (NATS) to prevent, detect, and deter unauthorized access to taxpayer information. This allows the Agency to proactively monitor accesses and identify irregular activity and/or system misuses.

The NATS is used to verify that only an authorized user accesses personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse. This activity is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: Requests are often sent to our branch’s Technology and Business Intelligence Directorate (TABI) to identify potential non-compliant accounts or to gather information. Data received from TABI comes most of the time from the Agency Data Warehouse (ADW). However, it can also come from virtual data marts that are searchable by various query tools. These business intelligence activities, which support the Employer Accounts Program (EAP), are fully described in the Collections and Verification Business Intelligence PIA.

In addition, the EAP uses mainframe macro applications to cull or extract personal information elements for case file reviews.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: Information received from employers via hard copies is keyed into our mainframe system. Electronically filed remittances involve an internet connection and information is transferred to our mainframe (PAYDAC) via a secure connection. PAYDAC pulls information from other systems to populate its payroll fields.

H) Risk impact to the individual or employee

Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employer may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.

I) Risk impact to the institution

Details: Should this information be accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment, loss of credibility and trust with the public.