Goods and Services Tax Credit and Related Credits

Privacy Impact Assessment (PIA) summary – Benefit Programs Directorate, Assessment, and Benefit Services Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assessment and Benefit Services Branch


Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Benefit Programs Administration

Description of the class of record and personal information bank

Standard or institution specific class of record:
Benefits Programs - Goods and Services Tax/Harmonized Sales Tax (GST/HST) Credit and other related Provincial and Territorial Credit Programs (CRA ABSB 648)

Standard or institution specific personal information bank:
Goods and Services Tax / Harmonized Sales Tax Credit (GST/HST credit) (CRA PPU 140)

Legal authority for program or activity

The Goods and Services / Harmonized Sales Tax Credits are administered under section 122.5 of the Income Tax Act (ITA).  

Section 220(1) of the Income Tax Act provides for the Minister’s duty to collect information for the purpose of the administration and enforcement of any program covered under the ITA. In this case, the Goods and Services Tax Credits are administered under section 122.5 of the ITA.

Section 61 of the Canada Revenue Agency Act allows CRA to implement agreements with other federal, provincial and territorial governments for the purpose of carrying out an activity or program administered by the CRA.

The authority to perform a set-off is granted under subsection 164(2) of the Income Tax Act (ITA) and subsection 155(1) of the Financial Administration Act (FAA).

The legal authority to collect the SIN is found under section 237 of the Income Tax Act and is used for identification purposes.

Summary of the project / initiative / change

Goods and services tax credit

In cooperation with federal, provincial, and territorial partners, CRA develops and coordinates a variety of national, provincial and territorial benefit and credit programs which contribute to the economic and social well-being of Canadians. One of these programs is the Goods and Services Tax/Harmonized Sales Tax (GST/HST) Credit.

The Goods and Services Tax/Harmonized Sales Tax Credit is a tax-free quarterly payment that helps individuals and families with low or modest incomes offset all or part of the Goods and Services Tax or Harmonized Sales Tax that they pay. 

Starting with the 2014 tax year, a separate application is no longer required for the Goods and Services Tax/Harmonized Sales Tax Credit. Eligibility is determined using information filed on the personal Income Tax and Benefit Return. A separate application form is available for newcomers to Canada to determine eligibility for the year they enter Canada.

The entitlement amount of the credit is based on the number of children and combined family net income.

Related programs

The CRA administers the following provincial and territorial child benefit and credit programs related to or integrated with Goods and Services Tax/Harmonized Sales Tax Credits:

There is no need to apply separately to qualify under these programs. If eligible, the amount of any payments is calculated automatically based on information from the Canada Child Benefits application and the Income Tax and Benefit Return of the individual receiving the payment and of his/her spouse or common-law partner.

New residents of Canada who have not yet filed a Canadian income tax return can send in a separate application titled “RC151 GST/HST Credit Application for Individuals Who Become Residents of Canada”.

Application is made for the Ontario Senior’s Homeowners Property Tax Grant, and the Ontario Trillium Benefit component of the Ontario Sales Tax Credit through the Ontario provincial schedule of the Income Tax and Benefit Return.

Scope of the privacy impact assessment

This privacy impact assessment covers the administration of the GST/HST Credit and the related provincial and territorial benefits and credits, including the compliance activities for enforcement purposes such as detecting fraud or investigating possible abuses within the benefit and credit program.

Certain compliance activities such as audits and criminal investigations are separate programs and therefore are not included within the scope of this PIA. In addition, the calculation, enforcement, and administration of Canada Child Benefits and the federal and/or provincial T1 Income Tax and Benefit returns are not included in this PIA. 

Programs and initiatives that focus on economic benefits and credits are constantly changing. Therefore, when a new initiative or a change to an existing credit or benefit is identified, this PIA will be reviewed and updated accordingly. 

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement   

Level of risk to privacy: 3

Details: The personal information is used for the identification, determination, validation and payment of benefits and credits.

Information is also used to determine whether an individual knowingly participated in or made a false statement or omission. The consequences can include reviews which may result in termination and/or recoupment of benefits, and possibly the levying of civil penalties under section 163(2) of the Income Tax Act.

Also, in limited cases, information obtained during the course of an audit may be referred to the Criminal Investigations Division of the CRA for further investigation against a particular individual. This may result in the laying of criminal charges under section 238 or section 239 of the ITA.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information collected includes details such as name, contact information, financial information, social insurance number (SIN) and signature, marital status and residency.
In addition, the personal information of minors and individuals incarcerated in a federal institution is collected for the administration of this program.

C) Program or activity partners and private sector involvement

With other or a combination of federal/ provincial and/or municipal government(s)

Level of risk to privacy: 4

Details: The program includes the administration of benefit and tax credit programs on behalf of federal, provincial, and territorial partners. Information is disclosed by the CRA to our partners for the purpose of accurate calculation of programs and/or program evaluation, and to Public Services and Procurement Canada for the issuance of payments.

CRA sends information including eligibility, entitlement, payment, and identification data to provincial/territorial Finance departments for policy and program evaluation. 

The information is also used internally within CRA for collection of outstanding balances, audit activities, appeals, statistical gathering, and call centre enquiry responses.

CRA receives information from Correctional Service Canada (CSC) to determine continued eligibility to the Goods and Services Tax/Harmonized Sales Tax Credits and benefits.

Paper copies containing personal information are stored by a third party in the private sector.

D) Duration of the program or activity

Long term program

Level of risk to privacy: 3

Details: Although some of the individual provincial/territorial credits may be short term, most are not and the Goods and Services Tax/Harmonized Sales Tax Credit itself is a long term program with no established end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The program affects any individual who files an Income Tax and Benefit Return, his/her spouse or common-law partner, and his/her children under 18 years of age.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on individuals associated with the Goods and Services Tax/ Harmonized Sales Tax Credit.

However, as part of the CRA security program, CRA employees who have access to personal information are monitored by the use of the Online Audit Tracking System (OATS). OATS records information, such as user logon ID, date and time of logon, logout, user location, terminal identity, name and ID of client records accessed, including edits or changes made during each user session, etc.

The information is used to verify that only authorized users have accessed personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse. 

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to CRA networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Benefit Data Mart is a subset of the Agency Data Warehouse (ADW). It collects data from the Individual Credit (ICD) and IDENT databases, and an authorized employee can run queries against the data mart to identify trends, statistics or other required information. Reports are created from the Benefit Data Mart using a set of identified parameters and filters that are then used for analysis. A PIA for the ADW including the Benefit Data Mart was published in 2007; it provides a broader privacy risk analysis of the ADW and the related data marts.

Information provided on the income tax and benefit return is used to administer the Goods and Services Tax/Harmonized Sales Tax Credit and related credits in addition to information available on the Canada Child Benefit account. Therefore, information is also matched between the individual’s income tax account and benefits account.

In addition, information that was provided by the individual is verified with other sources including the Canada Child Benefit account and the personal Income Tax and Benefit Return. If they are benefit recipients, the Validations and Control workflow will further investigate to determine if these individuals are no longer eligible for benefits. Data matching techniques are also used to ensure the accuracy of the personal information.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: Personal information can be used in a system that has access to other systems and can be transferred to a secure portable device using CRA approved encryption technologies as required.

Online Services:

CRA uses specially configured computer Web servers for any online services (e.g. My Account); and uses corporate firewalls to protect our Web servers from unauthorized access. Personal information is not stored on these servers; the CRA securely stores personal information on separate computer systems that are not directly accessible from the Internet.

When transmitting personal information, access to our Web servers is limited to Web browsers that meet our security standards of encryption. The CRA ensures that personal and financial information is encrypted—or scrambled—when it is transmitted between an individual’s computer and our Web servers. This ensures that computer hackers and other Internet users cannot view or alter the data being transmitted. Our standard for encryption is the 128-bit Secure Sockets Layer Version 3.0 (SSLV3) protocol. This is one of the most secure forms of encryption available in North America and is a typical requirement for Web-based services—such as online banking or shopping—where securing personal information is a priority.

Portable Devices:

Some employees' workstations consist of CRA-issued laptops in docking stations. Laptops comply with the Security for the Computing Environment Policy, including encryption and access control. Any telework done is through Secure Remote Access (SRA).

Any USB keys used must be Agency issued and formatted with encryption technology specific to the user.

Data Transfers and Exchanges:

Data files are encrypted and transferred electronically via File Transfer Protocol (FTP) or by bonded courier using compact disks (CD) or digital video disks (DVD).

All electronic transactions are securely transferred using Entrust encryption software with Public Key Infrastructure (PKI), and a 128-bit Secure Sockets Layer connection. By using the Entrust public key, only the corresponding private key owned by the partner can decrypt the file. In addition, all internet based web applications require the use of a user ID and Password.

To register for a CRA PKI enabled program, participants must first become CRA PKI subscribers and be approved by a CRA Local Registration Authority. A CRA system administrator can control or limit access to specific directories on the server. In addition to restricting access to the server, the data for each partner is encrypted using the Entrust public key; only the corresponding private key owned by the partner can decrypt the file.

H) Risk impact to the individual or employee

Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual. The affected individual may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.

I) Risk impact to the institution

Details: Should this information be accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment, loss of credibility and trust with the public.
