Employer Compliance Audit
Privacy Impact Assessment (PIA) summary - Business Compliance Directorate, Collections and Verification Branch
Overview & PIA Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Michael Snaauw
Assistant Commissioner,
Collections and Verification Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator
Name of program or activity of the government institution
Returns Compliance
Summary of the project / initiative / change:
The Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC) jointly administer the Canada Pension Plan and the Employment Insurance Act.
Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:
- whether or not an individual's employment is pensionable under the Canada Pension Plan and/or insurable under the Employment Insurance Act;
- the amount of pensionable and/or insurable earnings;
- whether or not Canada Pension Plan (CPP) contributions and/or employment insurance (EI) premiums are payable;
- how many hours an insured person has in insurable employment;
- how long an employment lasts, including the dates on which the employment began and ended;
- the employer’s and employee’s portion of CPP contributions and EI premiums payable;
- who is the employer;
- whether or not employers are considered to be associated for the purposes of the Employment Insurance Act; and
- the refund amount.
The CRA is also responsible for ensuring that CPP contributions and EI premiums are deducted, remitted, and reported as required by legislation.
The Employer Compliance (EC) audit is an in-depth examination of the books and records of employers to ensure the correct reporting of employment income and taxable benefits, the proper characterization of workers and the proper calculation, reporting and remittance of the related source deductions.
EC auditors may forward requests to CPP/EI Rulings to determine workers’ status, so that each worker is properly characterized as being under a contract of service or a contract for service, and to ensure that the appropriate remuneration and payments are correctly reported by the employer/payer. EC auditors also perform a goods and services tax (GST) or harmonized sales tax (HST) compliance review to ensure that GST or HST remittances are made as required under the Excise Tax Act (ETA). EC auditors may also forward referrals to GST/HST enforcement programs as needed.
Scope of the Privacy Impact Assessment (PIA)
The scope of this PIA is the CRA’s auditing of employers' books and records to ensure the proper reporting of employment income and taxable benefits, and certain taxable benefits to shareholders, the withholding and remitting of payroll-source deductions, as well as the proper characterization of workers.
Description of the class of record and personal information bank
Standard or institution specific class of record:
Employer, GST/HST and Business Compliance (CRA CVB 188)
Standard or institution specific personal information bank:
Trust Accounts Compliance (CRA PPU 120)
Legal authority for program or activity
Section 231.1 of the Income Tax Act; section 288 of the Excise Tax Act; section 88 of the Employment Insurance Act; and section 25 of the Canada Pension Plan Act provide legal authority to review or examine the books and records of businesses, including payroll accounts.
Sections 152 and 227 of the Income Tax Act; section 296 of the Excise Tax Act; section 85 of the Employment Insurance Act; and section 22 of the Canada Pension Plan Act provide legal authority to assess deficiencies when applicable.
Authority to enter premises
- Paragraph 231.1(2) of the ITA provides legal authority to enter premises.
- Paragraph 231(1) of the ITA provides legal authority to inspect, audit, or examine taxpayer's books, records and documents.
- Paragraph 231.5(1) of the ITA provides legal authority to make copies of documents.
- Subsection 231.2(1) of the Income Tax Act authorizes auditors to send a notice of requirement for information (RFI) to an employer as an extraordinary measure.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details: Personal information is used to review the books and records of businesses to ensure that they are compliant with filing, reporting and withholding requirements, and to assess deficiencies when applicable. In addition, information is used to review payroll and GST/HST accounts with respect to taxable benefits, and the proper characterization of workers.
This program uses personal information to perform risk assessments to determine the level of non-compliance by employers who appear to be compliant.
B) Type of personal information involved and context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: Personal information is used to review business books and documents including any relevant tax slips issued to employees. The review of these records means that the auditor would have access to social insurance numbers and other financial information. This is necessary to properly execute the program mandate.
C) Program or activity partners and private sector involvement
With other or a combination of federal/provincial and/or municipal government(s)
Level of risk to privacy: 3
Details: This program has a regional workload team that is responsible for developing the regions’ workload and identifying selected audit cases. The team reviews other CRA systems such as PAYDAC, CORTAX, or GST/HST to assist with the development of the program’s workload. The program works with the Technology and Business Intelligence Directorate in the Collections and Verification Branch to obtain additional system-related data on selected cases.
Internal and external referrals for Employer Compliance Audit (ECA) are sent to the regional workload teams, which assess the validity of the referral; if approved, the file is selected and entered in the Audit Information Management System (AIMS) as part of the program’s workload.
The program may share personal information with other CRA programs for the collection of outstanding balances, for audit activities, or to report suspected activities.
Paper copies containing personal information are stored by a third party in the private sector.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details: This program does not have an end date.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: The Employer Compliance Audit target population is inclusive of all employer establishments for example: corporations (T2 tax returns); partnerships; Municipalities, Utilities, Schools, Hospitals (MUSH); crown corporations (exempt from taxation under section 149 of the Income Tax Act, that may file a T3010 Registered Charity Information Return but historically do not file a T2 return based on this tax exemption); prescribed crown corporations; charities; unions; and other groups, associations, and individuals.
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
The new or modified program or activity involves the implementation of one or more of the following technologies:
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip, or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: N/A
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer-aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy: No
Details: The program does not involve the use of surveillance on individuals associated with withholding, remitting, reporting, and filing obligations related to payroll.
However, to support the requirements specified in the acts and regulations, such as section 241 of the Income Tax Act, the Access to Information Act and the Privacy Act, all accesses to identifiable taxpayer information (create, view, modify, delete) will be logged and monitored through the National Audit Trail System (NATS) to prevent, detect, and deter unauthorized access to taxpayer information. This allows the Agency to proactively monitor accesses and identify irregular activity and/or system misuse.
This information is used to verify that only authorized users access personal information and to ensure that each access can be linked to a specific individual to support the investigation of suspected or alleged misuse. This information is already described in the standard personal information bank Electronic Network Monitoring Logs (PSU 905).
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
Details: The Compliance, Measurement, Profiling and Assessment System (COMPASS) is a licensed software tool used to facilitate risk analysis and develop workload for auditors. The system supports program managers in developing compliance strategies by allowing them to analyze revenue risks along a variety of statistical and demographic breakdowns, including industry sector and geographic lines. It enables improved targeting by workload staff at the Tax Services Office (TSO) level, and facilitates the discovery and estimation of non-compliance and its associated trends.
The COMPASS application now has 5 business lines: T1, T2, GST, International T1 and Employer / PAYDAC. Four of these business lines contain three analysis & workload selection options: Population Analysis, Direct Keying & Ad hoc Query. COMPASS allows auditors, workload development staff, team leaders and managers to analyse data according to a variety of criteria at different levels of detail while providing an aggregate analysis of risk. It also provides users with the ability to drill through to the detail behind the data figures. While COMPASS can at one level provide a quick risk analysis of a taxpayer, it also has the ability to carry out very sophisticated risk analysis identifying complicated situations by accessing a shared source of integrated data.
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details: Employer Compliance auditors use a laptop computer and possibly a Universal Serial Bus (USB) key when on-site at an employer’s location. The use of laptops complies with the Security for the Computing Environment Policy, with encryption and access control.
Access to the Agency network from remote locations must be done through the approved Information Technology Branch (ITB) solution – Secure Remote Access (SRA) – or a secure method supported by a Threat and Risk Assessment (TRA) approved by the Information Security Division, Security and Internal Affairs Directorate (SIAD), and the IT Security and Continuity Division, ITB.
H) Risk impact to the individual or employee
Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.
I) Risk impact to the institution
Details: Should this information be accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment, loss of credibility and trust with the public.