Individual returns assessment program v 2.0

Individual Returns Directorate
Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch (ABSB)

Head of the government institution or Delegate for section 10 of the Privacy Act

Steven Morgan
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Tax Services and Processing

Standard or institution specific class of record: 

Individual Returns and Payment Processing Program
CRA ABSB 217

Standard or institution specific personal information bank:
Individual Returns and Payment Processing
CRA PPU 005

Legal authority for program or activity

Income Tax Act, sections 150, 220 and 237
Canada Pension Plan, subsection 92(2)
Canada Revenue Agency Act, section 61
Canada Elections Act, section 46.1
Employment Insurance Act, Parts I, IV and VII.1
Federal-Provincial Fiscal Arrangements Act, section 7

Summary of the project, initiative or change

Overview of the Program or Activity

Under the Income Tax Act and related provincial/territorial income tax legislation, individuals are required to complete and file annually with the Canada Revenue Agency (CRA) a return of income (return), including related federal and provincial/territorial forms and schedules, if they earned income and are required to pay income tax, want to claim a refund and/or receive federal and/or provincial/territorial benefits. Individuals report their income and claim any applicable deductions and tax credits on their return in accordance with the Income Tax Act.

Under the Canada Pension Plan and the Employment Insurance Act, self-employed individuals are also required to file a return if subject to Canada Pension Plan contributions and/or Employment Insurance premiums on self-employed earnings.

The types of return of income that may be filed by an individual, depending on their circumstances, consist of the following:

• T1 income tax and benefit return
• T1S-D, Credit and benefit return
• Let us help you get your benefits, Credit and benefit short return  

The Individual Returns program is responsible for developing and coordinating national workloads to process income tax and benefit returns, related adjustments and for issuing notices of assessment or reassessment to individuals.

What's new

The Let us help you get your benefits return was made available for all provinces and territories starting in 2020 to eligible Indigenous people. It is a simplified way to file a paper return where no new personal information elements are collected. They are designed to encourage Indigenous people to file a return even if they do not owe income tax so that they can access their credit and benefit. Eligibility is based on having a simple tax situation that can be properly assessed when using the simplified returns.

Reference to the exchange of information with the Disability Tax Credit Program has been added in response to the Privacy Compliance Evaluation for the COVID-19 One Time Disability Payment.

Finally, the Individual Returns Assessment program now uses the Digital Mailroom Project (a separate privacy protocol assessment was done for this project in 2021). All T1 adjustment requests received by mail are sent to a third party, to be digitized into the Document Management Portal prior to processing.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information related to the processing of individual taxpayer income tax returns, including initial assessments, payment processing, validations, accounting, and adjustments, for the federal government and for most provinces and territories, including determining eligibility for various refundable amounts.

Audit and/or compliance activities initiated by other programs of the CRA, whether before or after taxpayers have been informed of the results of their assessments or reassessments, do not fall within activities of the Individual Returns program and are outside the scope of this PIA.

Activities such as Tax Free Saving Account, Income Verification and individual refund set off are assessed in a different PIA and therefore are not included within the scope of this PIA.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details

In filing the T1 Income tax and benefit return for a year, an individual is required to provide certain personal information which is used to determine the individual’s tax, penalties, and/or interest payable, or refund, as well as Canada Pension Plan contributions and/or Employment Insurance premiums payable, or overpayment, where applicable, and is reflected on a notice of assessment or reassessment.

Personal information is also used for statistical analysis to enhance and improve services administered by the CRA. 

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. PI of minors or incompetent individuals or involving a representative acting on behalf of the individual.     

Level of risk to privacy: 3

Details

Most of the personal information fits into category 3 since it relates to an individual’s information from the return such as social insurance number, date of birth, address, marital status, and financial information 

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details

The information is used by other CRA areas to determine entitlement to various federal and provincial/territorial individual and family benefits (e.g. Canada Child Benefit, Goods and Services Tax Credit/Harmonized Sales Tax Credit, Canada Pension Plan and Employment Insurance benefits, social assistance payments, etc.), and for compliance activities (e.g. verifications, audits, collection, etc.). The exchange of taxpayer personal information occurs between the CRA Individual Returns program and federal, provincial, and/or territorial government departments, the details of which are outlined in written collaborative agreements and would fall within a risk level of 3. However, since private sector parties are involved in the storage and management of some personal information collected, a risk level of 4 has been indicated.  

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

The Individual returns program is a long-term program. There is no “sunset,” however individual agreements are terminated when partners’ programs change or end unless amended.

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details

The Individual Returns program affects any individual who files a T1 income tax and benefit return with the CRA. 

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

3. Does the new or modified program or activity involves the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).  

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details

Information can be submitted to the CRA for the purpose of assessing or reassessing taxpayers’ income tax returns electronically, by phone or by paper.

When the T1 income tax and benefit return is filed electronically (EFILE/NETFILE), the personal information is transmitted by the individual to the CRA using wireless or non-wireless technology. That information is then stored in various CRA systems and databases.

File my Return (FMR) is an automated phone service where invited taxpayers can submit their tax return by following prompts during the call. Invitations are sent by mail and can be viewed in My Account. Once the caller confirms and accepts the information provided during the call, the information is transmitted then stored in various CRA systems and databases.

The personal information from paper-filed returns (mailed or faxed) is keyed and stored into various CRA systems and databases. The T1S-D return (available since 1993 for certain provinces) and the Let us help you get your benefits return (available since 2020 for all provinces and territories) are simplified paper returns available to eligible Indigenous people. If a paper return is printed from a tax preparation software, a 2D bar code may be included. In such cases, the keying is accomplished by scanning the 2D bar code. Additionally, tax returns received in paper format are physically stored.

An individual, or their authorized representative, can request a change to their return(s) in writing by sending a letter or a completed Form T1-ADJ, T1 Adjustment Request, or electronically via Change my Return or REFILE which may result in a reassessment. Requests received in writing are digitized and stored in the Document Management Portal for later access by CRA employees.

The personal information is pulled from the CRA’s mainframe system and sent to the partner organizations or other Agency areas using file transfer protocol, often by means of Entrust encryption software. Limited amounts of personal information are also shared internally within CRA by means of wireless devices, such as laptops. 

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details

A compromise of personal data has the potential to cause financial harm such as identify theft and/or embarrassment to the individual.