Government of Canada Business Number Adoption: Web Validation Service v 2.0 - Privacy impact assessment summary

Business Returns Directorate
Assessment Benefit and Service Branch

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment Benefit and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Tax Services and Processing: We give taxpayers the accurate and timely information they need to comply with Canada’s tax laws and modernize our services, including expanding our digital services, making it easier for taxpayers to meet their tax obligations. In addition to the individual returns program, we register businesses for a business number and administer T2, T3, GST/HST, excise, and other levies programs. We help businesses and individuals to voluntarily comply with Canada’s tax laws by processing their information and payments as quickly and accurately as possible and telling them the results of their assessment or reassessment. We also encourage and process voluntary disclosures by taxpayers and their representatives who want to correct inaccurate or incomplete information and pay their fair share.

Description of the class of record and personal information bank

Standard or institution specific class of record:
CRA ABSB 227
Standard or institution specific personal information bank:
CRA PPU 223

Legal authority for program or activity

Personal information is collected under the authority of Section 221 of the Income Tax Act and Part IX of the Excise Tax Act.

Paragraphs 241(4) (l) of the Income Tax Act (ITA) and 295(5)(j) of the Excise Tax Act (ETA) enable the Canada Revenue Agency (CRA) to disclose the BN and the related business identification information to a government entity provided that:  

• The information is used solely for the administration or enforcement of an Act of Parliament or of a legislature of a province, or a by-law of a municipality in Canada or a law of an aboriginal government. 

The BN is used as an identifier in connection with a program, activity or service for which it was provided. 

Summary of the project / initiative / change

This PIA is an update to the 2017 Government of Canada Business Number Adoption: Web Validation Service PIA.

• New Departments that have signed the Terms of Use to access the BN Web Validation Service;
• The Retention and Disposal Standards: A new RDA was signed in 2017 and replaces the previous one;
• BN Messaging System’s Threat and Risk Assessment has been completed.

In Oct. 2013, Deputy Minister Service and Federating Identity (DMSFI) endorsed the mandatory adoption of the Business Number (BN) by making it the common identifier for business throughout the Government of Canada (GC). The purpose is to allow businesses to use a single number in their dealings with public sector programs and various levels of government within Canada. The aim is to allow businesses to register for BN-participating programs through a seamless service. As a common identifier, the BN will improve services to business, standardize data collection and sharing and eliminate redundant data collection. As the office of primary interest, Innovation, Science and Economic Development (ISED) tasked the CRA with providing the technical solution for this initiative. The CRA leveraged the existing BN system to provide a Web Validation Service which will provide federal government departments with the ability to adopt the BN as the common identifier. To date 95 federal departments (295 associated programs) have been identified to have potential use of the BN.

The above referenced endorsement was enunciated in Budget 2015. Subsequently, after the 2017 Public Service Management Accountability Committee (PSMAC) endorsement of the Terms of Use (ToU) for BN9 adoption by the GC, Treasury Board Secretariat incorporated BN adoption into the Management Accountability Framework (MAF) for all Deputy Heads. As a result, this now means that any OGD listed in the Financial Administration Act (FAA) must adopt and use the BN as the common identifier.

CRA’s role as service provider is to provide a conduit (Web Validation Service) for various levels of government departments to access the BN and related Business Identification Information (BII). Although the BII was collected for tax purposes, section 241(4) (l) of the ITA and section 295(5) (j) of the ETA state that an official of the CRA may provide to a representative of a government entity the BN and related BII. The information provided solely for the purposes of the administration or enforcement of an Act of Parliament or of a legislature of a province, or a by-law of a municipality in Canada or a law of an aboriginal government. The BN is used as an identifier in connection with a program, activity or service for which it was provided.

For the purposes of this project a common definition, based on common law for business was determined as sole-proprietors, partnerships and corporations. The BN system contains a variety of other information not related to BII of sole-proprietors, partnerships and corporations. In order to ensure that only the BII was being shared, all BNs within the system were segregated with a business “yes” or “no” indicator. This segregation of data enabled the CRA to share the BII for businesses only, without the need for legislative change.

The Web Validation Service process is quite simple. The government entity collects the BN and any other program delivery information which they require from the business representative. They then enter the BN in to their system which is linked to the Web Validation Service. The Web Validation Service would then return the BII data elements to the user for them to compare or validate with the information they collected from the business representative according to their internal procedures. This service is only available to government departments who have adopted the use of the BN under the Terms of Use (ToU) or in the case of Provincial users a Memorandum of Understanding (MoU). Additionally, ISED conducted an analysis of the information being shared through the Web Validation Service and determined that it is available to the public through online searches, telephone books, business cards, the Better Business Bureau among others public sources. This analysis was provided to the Office of the Privacy Commissioner and the information sharing was deemed as a low risk initiative by Office of the Privacy Commissioner. Each federal participant will be required to treat all BN information viewed in accordance with the Treasury Board Policy on Government Security (PGS) and other applicable policies. All BN information disclosed will be released, transmitted, handled, used, stored, destroyed and safeguarded in accordance with the PGS. In addition, each participant agrees that they are prohibited from further disclosing the BN information disclosed to them using the BN web validation service, unless such disclosure is specifically authorized under the ITA or ETA.

Each provincial/territorial participant will be required to treat all BN information viewed in accordance with the security clauses contained within their MoU.

Scope of the privacy impact assessment

In-scope

The scope of this privacy impact assessment (PIA) is to examine the privacy impacts relating to the activities associated with the Government of Canada Business Number Adoption.

Specifically, it will examine where BII is also personal information and disclosed to the adopting federal, provincial and territorial government departments as the BN common identifier for business via the Web Validation service. The CRA has the legislative authority to release the information provided solely for the purposes of the administration or enforcement of an Act of Parliament or of a legislature of a province, or a by-law of a municipality in Canada or a law of an aboriginal government. Upon disclosure, it is the responsibility of each OGD to complete a PIA to encompass the intended program usage of the OGD, to take into account the collection of this new information and its potential impact.

Out of scope

This PIA does not examine the initial collection, internal use and other disclosures of personal information by the CRA. These elements will be covered in a subsequent revision of the 2005 PIA, and will be worked on over the course of 2017/2018. However, it should be noted that this subsequent revision is a regular review of the PIA and is to validate and enhance the data in accordance with the current PIA requirements and are out of the scope of this iteration. 

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: The purpose is to allow businesses to use a single number in their dealings with public sector programs and various levels of government within Canada. The aim is to allow businesses to register for BN-participating programs through a seamless service. 

B) Type of personal information involved and context

Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.

Level of risk to privacy: 1

Details: The BII elements shared through the Web Validation Service are isolated to business entities defined as sole-proprietors, partnerships and corporations.  BII elements include: BN, business type, legal name, operating name, business address, mailing address, language preference, business activity description, owner information, *event information and incorporation information if applicable.

• Note: Event information includes events that have occurred with the business. For example, the registration of the BN, a sole proprietor is deceased, a corporation is voluntary dissolved or a business is bankrupt or in proposal, creation date and bankruptcy incorporation information if applicable.

All of the information disclosed through the Web Validation Service has been determined - by ISED as the office of primary interest - to be “Protected A”. As per the Terms of Use (ToU), it is each department’s responsibility to assess and determine the sensitivity of the information for their purposes.

In the case of an incorporated company, most of the BN identification information is not considered personal information; however, the same is not true for partnerships and sole proprietors.

Data attributes such as Business Legal Name as well as Owner First and Last Names (8% of the BN identification data set) reveal information about an identifiable individual, which, as per the Privacy Act is considered personal information. While a small percentage of the BII data for the Web Validation Service is personal information related to an identifiable individual(s) associated to the business, this information would be known and readily shared on business cards or as part of conducting business for the enterprise in question.

C) Program or activity partners and private sector involvement

With other or a combination of federal/ provincial and/or municipal government(s)

Level of risk to privacy: 3

Details: Federal institutions wishing to adopt the BN are required to agree to and sign the Terms of Use (ToU) for access to the BN Web Validation Service. In the ToU, each participant agrees to use the BN as the common identifier for businesses,  for the purposes of administering or enforcing an Act of Parliament as outlined in section 241(4)(l) and subsection 241(9.2) of the Income Tax Act (ITA), and section 295(5)(j) and subsection 295(5.01) of the Excise Tax Act (ETA), and that the associated business identity information will be used in accordance with the business and technical specifications outlined in the self-service on-boarding model.

Provincial institutions wishing to adopt the BN are required to agree and sign a BN Adoption MoU. In the MoU, each participant agrees to use the BN as the  common identifier for business for the purposes of administering or enforcing an Act of Parliament as outlined in section 241(4)(l) and subsection 241(9.2) of the Income Tax Act (ITA), and section 295(5)(j) and subsection 295(5.01) of the Excise Tax Act (ETA).

There are two criteria which allow the CRA to share the BII with OGD and provinces:

1. To use the BN as a common identifier; and
2. To administer or enforce an Act of Parliament, of a provincial legislature, of a municipal by-law or of an aboriginal government.

D) Duration of the program or activity: Long-term program

Long-term program

Level of risk to privacy: 3

Details: The BN has been designated by the GC as the common identifier for businesses throughout the GC and will also be utilised by provincial jurisdictions for the same purposes. This is a long-term program that has no clear sunset date. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details: The BII elements shared through the Web Validation Service involves personal information related to identifiable individuals associated to the business, however the use of the Web Validation Service is intended for business programs. These programs will affect the business, not the individuals. As a common identifier, the BN will improve services to business, standardize data collection and sharing and eliminate redundant data collection. 

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Details: N/A

Does the new or modified program or activity require any modifications to IT legacy systems and/or services? 

Risk to privacy: Yes

Details: N/A

The new or modified program or activity involves the implementation of one or more of the following technologies: 

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: There are two criteria which allow the CRA to share the BII with OGD and provinces:

1. To use the BN as a common identifier; and
2. To administer or enforce of an Act of Parliament or of the legislature of a province.

Data matching will occur between the CRA and the OGD in that the OGD must provide the BN to the CRA in order for the CRA (Web Validation Service) to return (disclose) a response with the BII related to the BN in question.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system. 

Level of risk to privacy: 2

Details: The Web Validation Service will allow information to be transmitted to federal and provincial adopters. The CRA is responsible for the delivery of the technical solution which will allow each government department to interface with the Web Validation Service through a synchronous process via a web service Simple Object Access Protocol/ Extensible Markup Language (SOAP/XML). The Web Validation Service is an automated service that searches the CRA BN database for the business being queried and provides a response which includes the BN and related business identity information, thus allowing the BN adopting partners to validate BNs.

To ensure the secure transmission of information, the BII will be encrypted using GC Public Key Infrastructure Certificates. CRA’s IT will assign each BN adopter with a single username and password to access the Web Validation Service. The GC Public Key Infrastructure Certificates operates as a digital key that is recognized (BN adopter) by the CRA BN system and permits them in through the CRA BN system security (firewall). Individual employees do not have access to this key. As relating to audit capabilities, the CRA will audit access at the OGD level. Each OGD (BN adopter) is responsible for auditing access at an employee level, through the utilization of unique user IDs and passwords with associated access roles/rights per TBS policy so employee’s only have access on a need to know basis. As indicated in the Terms of Use, each Participant will treat all BN information viewed in accordance with the Treasury Board Policy on Government Security (PGS) and applicable policies. All BN information disclosed will be released, transmitted, handled, used, stored, destroyed and safeguarded in accordance with the PGS. In addition, each Participant agrees that they are prohibited from further disclosing the BN information disclosed to them using the BN web validation service, unless such disclosure is specifically authorized under the ITA or ETA. 

H) Risk impact to the individual or employee

Details: The BII elements shared through the Web Validation Service can involve personal information related to individuals associated to the business. The BII shared through the Web Validation Service is also publically available through a variety of other sources (e.g. the Better Business Bureau) this information sharing is deemed as a low risk initiative.

If this information is accidentally or deliberately disclosed or compromised, it could lead to embarrassment, negative impacts to reputation (bankruptcy information), financial impacts and disruption to business functions. 

I) Risk impact to the institution

Details: If this information is accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA to be embarrassed, loss of credibility and the public’s trust.