GST/HST Returns and Rebates Program v 2

Business Returns Directorate,
Assessment, Benefit, and Service Branch and
Business Compliance Directorate, Collections and Verification Branch

Overview & PIA Initiation

Government institution
Canada Revenue Agency

Government official responsible for the Privacy impact assessment (PIA)
Frank Vermaeten, Assistant Commissioner
Assessment, Benefit, and Service Branch
and
Michael Snaauw, Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution
Tax - Tax Services and Processing, and
Tax - Returns Compliance

Description of the class of record and personal information bank
Standard or institution specific class of record:
Administration of GST/HST Returns and Rebates, CRA ABSB 246

Standard or institution specific personal information bank:
GST/HST Returns and Rebates Processing, CRA PPU 241

Legal authority for program or activity

• Part IX of the Excise Tax Act (ETA)
• Title I of the Act Respecting the Québec Sales Tax, chapter t-0.1 (ARQST)
• Tax Administration Act (Québec)
• Subsection 63(1) of the Canada Revenue Agency Act
• Section 7 of the Federal-Provincial Fiscal Arrangements Act

Summary of the project / initiative / change

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Goods and Services Tax / Harmonized Sales Tax Returns and Rebates Program (GST/HST program) activities. The following activities are administered by the Business Returns Directorate of the Assessment, Benefit, and Service Branch (ABSB) and by the Business Compliance Directorate of the Collections and Verification Branch (CVB):

• GST/HST account registration
• Processing of GST/HST returns, rebate applications and various elections that are filed by businesses, organizations, third parties and individuals in regards to GST/HST collected and submitted by businesses and third parties and GST/HST paid by individuals and businesses where a rebate is applicable
• The administration of the GST and the Québec Sales Tax (QST) for selected listed financial institutions (SLFI) that have a permanent establishment in Québec as well as those that have a permanent establishment outside Québec, but do business in Québec. 
• Verification and compliance activities, including  obtaining and reviewing returns from compliant and non-compliant registrants
• Encouraging future voluntary compliance.

This PIA does not cover activities pertaining to the GST/HST credit program that is available to individuals based on income thresholds and is issued every three months; those activities are administered by the Benefit Programs Directorate and are reflected in a separate PIA entitled GST/HST Credit and Related Benefits and Credits (file IC-080311). In addition, enhanced compliance activities pertaining to GST/HST examinations and audits are reflected in a separate PIA entitled GST/HST Audit and Examination Program (file IC-063126).

Risk identification and categorization

A) Type of program or activity
Compliance / Regulatory investigations and enforcement   

Level of risk to privacy: 3

Details: The personal information collected is used mainly for the administration of the GST/HST program (e.g. identification purposes, processing returns, rebates, and elections, collecting revenue, issuing payments, and providing support to clients) in order to determine the correct amount of GST/HST owing on the account and to prevent the issuance of unwarranted refunds and rebates.
During our select processes we link information from other revenue lines and/or programs to the information on a registrant’s GST/HST return. For example, when looking at a sole proprietor’s account, we gather the SIN and/or names to match from the T1 data, in order to compare them to the individual’s GST/HST account. In addition, the GST/HST program conducts limited reviews, and verifications/validations, and reassesses files (returns, rebate claims).

B) Type of personal information involved and context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The GST/HST program relies on information collected to assess files (returns, rebate claims, and elections). Personal information collected from taxpayers includes details such as name, contact information, financial information and signature, in order to validate a person’s identity. Information is also collected verbally with questions in order to ensure the confidentiality test is passed, before discussing individual tax matters.
The SIN is used for identification purposes. For example, to properly identify a claimant in order to ensure eligibility for rebates such as:

• Form GST191, New Housing Rebate Application for Owner-Built Houses
• Form GST524, New Residential Rental Rebate and
• Form GST189, General Rebate Application for GST/HST

The GST/HST program also collects financial information to complete requests for direct deposit of approved refund/rebate amounts. Direct deposit of credits owed is a service offered to clients.

C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: Information may be collected from and shared with participating provincial partners and other federal institutions. For example, Global Affairs Canada (GAC) provides monthly arrival/departure reports which lists the name, diplomat number, date of entry/exit, and country. We need this information to determine eligibility of GST/HST Rebate Applications for Foreign Representatives, Diplomatic Missions, Consular Posts, International Organizations, or Visiting Forces Units. For example, we need the date of entry/exit in the event the applicant submits a claim outside the eligibility period. We also require the applicant's country of origin as the reciprocal agreement varies, depending on the country. GAC also validates/verifies addresses and spouse/dependants. If a client has a problem with their assessment, they often contact GAC as an intermediary between themselves and CRA.
Information and procedures are also shared with Revenu Québec as they are responsible for administering the GST within the province of Quebec.
Private sector involvement includes external third parties that may be used to identify or clarify missing information on GST/HST rebate applications. For example, a builder who credits a rebate amount to the home purchaser (claimant) at the time of purchase may be contacted to clarify details on the application that is subsequently submitted.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3
Details: GST was established in 1991. The GST/HST program is an existing long-term program with no anticipated sunset date. Although certain return, rebate, or election types processed by CRA may be transitional in nature with an established sunset date, the program as a whole is long-term.

E) Program population
The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The GST/HST program affects businesses and individuals, both registrants and non-registrants, who have filed or not filed (but may be required to) a return, rebate, or election related to the GST/HST program.

F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: GST/HST rebates processing activities involve an automated matching process via the rebate Claimant Selection List. This list is maintained in the mainframe rebates system to identify possible discrepancies or abuses within the program by matching Business Number, SIN, name, or postal code information.
Systems with algorithms are in place to identify accounts and perform matching exercises for the non-registrant workload.
The GST/HST program works with the Technology and Business Intelligence Directorate to complete the data matching selects in order to create work inventory.
This includes matching the sales amount reported on the registrant's GST/HST return to specified income reported on a person’s T1, T2, or T5018 slips. For example, match a sole proprietor’s GST/HST sales and other revenue information to the professional, commission, and/or business income reported on that individual’s T1 return.

G) Personal information transmission
The personal information is transmitted using wireless technologies. 

Level of risk to privacy: 4

Details: Information received from taxpayers via hard copies is keyed directly into our mainframe system. Electronically filed returns, rebates and elections involve an Internet connection and information is transferred to our mainframe via a secure connection. Within the mainframe, there is an exchange of information between systems (e.g. Business Number, Standardized Accounting, and Audit systems). Headquarters staff have access to the mainframe on laptops encrypted with Secure Remote Access (SRA).

H) Risk impact to the individual or employee
Details: There could be a significant risk of financial harm to the individual should there be a breach of personal information