Employer Compliance Audit v 2.0 - Privacy impact assessment summary

Business Compliance Directorate, Collections and Verifications Branch 

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Returns Compliance

Description of the class of record and personal information bank

Standard or institution specific class of record:
Returns Compliance
CRA CVB 188 

Standard or institution specific personal information bank:
Employer Compliance
CRA PPU 120

Legal authority for program or activity

Section 231.1 of the Income Tax Act (ITA), section 288 of the Excise Tax Act (ETA); section 88 of the Employment Insurance Act (EIA); and section 25 of the Canada Pension Plan Act (CPP) provide legal authority to review the books and records of businesses, including payroll accounts.

Sections 152 and 227 of the ITA; section 296 of the ETA; section 85 of the EIA; and section 22 of the CPP provide legal authority to assess deficiencies when applicable.

The legislative authorities used by the CRA to apply penalties and interest for payroll compliance:

Every person who has failed to remit or pay is liable to a penalty of 10%:

Where the failure was made knowingly or under circumstances amounting to gross negligence, 20% of that amount:

Interest: Payable at the prescribed rate

Subsection 231.1 (2) of the Income Tax Act provides legal authority to enter premises.

Subsection 231.1 (1) of the Income Tax Act provides legal authority to inspect, audit or examine the taxpayer's books, records and documents.

Subsection 231.5 (1) of the Income Tax Act provides legal authority to make copies of any document.

Subsection 231.2 (1) of the Income Tax Act authorizes auditors to send a notice of requirement for information to an employer as an extraordinary measure.

Summary of the project / initiative / change

Overview of the program or activity

The Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC) jointly administer the Canada Pension Plan and the Employment Insurance Act.

Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:

The CRA is also responsible for ensuring that Canada Pension Plan contributions, income tax and employment insurance premiums are deducted, remitted, and reported through payroll accounts, as required by legislation.

As a result, the Employer Compliance Audit Program mandate is to maintain the integrity of the tax system through a combination of taxpayer education and responsible enforcement with respect to:

The program is designed to promote employer awareness and understanding of tax laws and obligations, as provided in the Income Tax Act (ITA), the Excise Tax Act (ETA), the Canada Pension Plan (CPP), the Employment Insurance Act (EIA), and their respective regulations, to increase and enhance voluntary compliance.

The employer compliance workload officer performs risk assessments to determine the potential for non-compliance among employers who may appear to be compliant with their employer reporting obligations. The employer compliance audit target population includes all employer establishments, for example: corporations (T2 tax returns); partnerships; municipalities, universities, schools, hospitals; crown corporations (exempt from taxation under section 149 of the Income Tax Act, that historically do not file a T2 return based on this tax exemption); prescribed crown corporations; utilities; charities; unions; and other groups, associations, and individuals.

The Employer Compliance Audit Program is responsible for:

Employer compliance auditors may forward requests to the CPP/EI rulings program to determine workers’ status in order to properly characterize the workers as contract of service or as contract for service, and ensure the appropriate remuneration and payments are correctly reported by the employer/payer. The auditors also perform a goods and services tax (GST) or harmonized sales tax (HST) compliance review to ensure that GST or HST remittances are made, as required under the Excise Tax Act. The auditors may also forward referrals to GST/HST enforcement programs as needed.

What’s new

In 2018, the Employer Compliance Audit program launched a pilot project to progressively adopt an existing system, the Integrated Audit Management System (INTEGRAS), in order to replace the use of the Audit Information Management System (AIMS), which is scheduled to be sunset by the program in 2019. A full implementation of the program’s use of INTEGRAS is planned for January 2019.

INTEGRAS serves as an integrated compliance system that provides the ability to manage the employer compliance workload from beginning to end. It allows officers to add various documents to their cases electronically by attaching and synchronizing them. This ensures that the documents are stored in a centralized repository. It also enables subsequent edits to documents while retaining all prior electronic versions.

Additionally, INTEGRAS and My Business Account (MyBA) work together so that the employer can provide the employer compliance auditor with digital records and responses to audit questions and letters in a secure and efficient way. This saves time in conducting the employer compliance audit and provides a secure online method for employers or their representatives to submit documents and receipts to the CRA.

In April 2019, the Workload Development and Business Intelligence Section (WDBIS) will support the Employer Compliance Audit’s workload development through the coordination of analytics, research and trends analysis report requests for all business compliance program workloads.

WDBIS relies on risk-assessment systems and research to determine which employers are most likely to misunderstand their tax obligations. WDBIS also uses the results of the risk-assessment systems to select files for employer compliance audits. Business intelligence activities are assessed separately in the Collections and Verification Business Intelligence Privacy Impact Assessment.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Employer Compliance Audit program activities. The Employer Accounts program, Trust Accounts Examination program, and the Collections and Verification Business Intelligence program activities have been assessed under separate PIAs. The Business Intelligence PIA assesses the business intelligence related data solutions and services for the program. The results and outcomes from the reports and queries, and how that information is being used, are reflected in this program PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: Personal information is used to review the books and records, including in-depth employer audits, of businesses to ensure that they are compliant with filing, reporting and withholding requirements, and to assess deficiencies when applicable. In addition, information is used to review payroll and GST/HST accounts with respect to taxable benefits, and the proper characterization of workers.

This program also uses personal information to perform risk assessments to determine the level of non-compliance by employers who appear compliant.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information is used to review business books and documents including any relevant tax slips issued to employees. The review of these records means that the auditor would have access to social insurance numbers and other financial information. This is necessary to properly execute the program mandate.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details: This program has a regional workload team that is responsible for developing the regions’ workload and identifying selected audit cases. The team reviews other CRA systems such as PAYDAC, CORTAX, or GST/HST to assist with the development of the program’s workload. The program works with the Technology and Business Intelligence Directorate in Collections and Verification Branch to obtain additional system-related data on selected cases. This data may be retrieved from database storage (Agency Data Warehouse – ADW) using macros or reports. In April 2019, the Workload Development and Business Intelligence Section (WDBIS) will support the Employer Compliance Audit’s workload development through the coordination of analytics, research and trends analysis report requests. WDBIS relies on risk-assessment systems and research to determine which employers are most likely to misunderstand their tax obligations. At present, the principal way for researchers and analysts to obtain data is to request view access to the Agency Data Warehouse (ADW) and various data marts.

Internal and external referrals for employer compliance audits are sent to the regional workload teams who assess the validity of the referral.

The program may share personal information with other CRA programs for collection of outstanding balances, audit activities or to report suspect activities.

Information regarding payroll deductions may be shared with Québec, in accordance with a Memorandum of Understanding with Revenu Québec, in order to process misapplied payments.

Paper records containing personal information are stored by a third-party private sector service provider.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: This program does not have an end date. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details: The employer compliance audit target population consists of all employer establishments, including: corporations (T2 tax returns); partnerships; municipalities, utilities, schools, hospitals; crown corporations; prescribed crown corporations; charities; unions; and other groups, associations, and individuals. 

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Details: The Integrated Audit Management System (INTEGRAS) was implemented within the Employer Compliance Audit program to replace the use of the Audit Information Management System (AIMS) which is scheduled to be sunset in the fall of 2019.

INTEGRAS serves as an integrated compliance system that provides the ability to manage the employer compliance workload from beginning to end. It allows officers to add various documents to their cases electronically by attaching and synchronizing them. This ensures that the documents are stored in a centralized repository. It also enables subsequent edits to documents while retaining all prior electronic versions.

Additionally, INTEGRAS and My Business Account (MyBA) work together so that the employer can provide the employer compliance auditor with digital records and responses to audit questions and letters in a secure and efficient way. This saves time in conducting the employer compliance audit and provides a secure online method for employers or their representatives to submit documents and receipts to the CRA.

The Workload Development and Business Intelligence Section (WDBIS), in conjunction with the Business Intelligence, Research & Analytics Division (BIRAD) of the Technology and Business Intelligence Directorate, is developing a business-intelligence self-service solution to enable the Employer Compliance Audit program to perform more trend analysis, using historical data and other variables, extracted directly from the Agency’s Data Warehouse.

WDBIS currently sends multiple queries to BIRAD, which then retrieves the data and forwards it to WDBIS. The queries often need to be modified due to the complexity of activities being analyzed, or the type of research being conducted. By using Cognos-based analytical software, data can be obtained directly from a predetermined list of elements, making it timelier and a more cost-efficient use of resources for both the program and BIRAD teams. The data will be stored in the same manner as it is now, on secured shared drives with limited staff access.

Does the new or modified program or activity require any modifications to IT legacy systems and/or services? 

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies: 

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Compliance, Measurement, Profiling and Assessment System (COMPASS) is a licensed software tool used to facilitate risk analysis and develop workload for auditors. The system supports program managers in developing compliance strategies by allowing them to analyze revenue risks along a variety of statistical and demographic breakdowns, including industry sector and geographic lines. It enables improved targeting by workload staff at the Tax Services Office (TSO) level, and facilitates the discovery and estimation of non-compliance and its associated trends.

The COMPASS application now has 5 business lines: T1, T2, GST, International T1 and Employer / PAYDAC. Four of these business lines contain three analysis and workload selection options: Population Analysis, Direct Keying, and Ad hoc Query. COMPASS allows auditors, workload development staff, team leaders and managers to analyse data according to a variety of criteria at different levels of detail while providing an aggregate analysis of risk. It also enables users to drill through to the detail behind the data figures. While COMPASS can at one level provide a quick risk analysis of a taxpayer, it also has the ability to carry out very sophisticated risk analysis identifying complicated situations by accessing a shared source of integrated data.

The Workload Development and Business Intelligence Section (WDBIS) supports workload development through the coordination of analytics, research and trends analysis report requests (obtained from the Business Intelligence, Research & Analytics Division) for all business compliance program workloads.

The data obtained from the Agency Data Warehouse (ADW) and various data marts is used to analyze and explain the current state of the Employer Compliance Audit program performance, predict client behaviours, measure the outcomes resulting from the implementation of past recommendations, and to make new recommendations for modifications to systems or changes to employer compliance strategies, workflows, or procedural changes. 

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system and may be transferred to a portable device or is printed.

Level of risk to privacy: 4

Details: Employer compliance auditors use a laptop computer with access control and may also use an encrypted Universal Serial Bus (USB) key when on-site at an employer’s location.

Access to the Agency network from remote locations must be done with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network. 

H) Risk impact to the individual or employee

Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and their information may be used without their knowledge or consent. 
