Individual Returns Assessment Program v3.0

Assessment, Benefit, and Service Branch
Individual Returns Directorate

On this page

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Gillian Pranke
Assistant Commissioner
Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Acting Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Tax Services and Processing

Standard or institution specific class of record

Individual Returns and Payment Processing Program
CRA ABSB 217

Standard or institution specific personal information bank

Individual Returns and Payment Processing
CRA PPU 005
TBS Registration Number: 002014

Legal authority for program or activity

The legal authority for the collection of personal information for this program or activity is found in:

Income Tax Act, sections 150, 220 and 237

Canada Pension Plan, subsection 92(2)

Canada Revenue Agency Act, section 61

Employment Insurance Act, Parts I, IV and VII.1

Federal-Provincial Fiscal Arrangements Act, section 7

Authority for the collection of personal information has been delegated to the CRA for the purpose of establishing or maintaining an organ and tissue donor registry in a given province or territory under the Canada Revenue Agency Act, section 63.1

Authority for the collection of personal information has been delegated to the CRA for the purpose of updating the Register of Electors or Register of Future Electors under the Canada Election Act, section 46.1

Disclosure of taxpayer information is governed by section 241 of the Income Tax Act.

Summary of the project, initiative or change

Overview of the Program or Activity

Under the Income Tax Act and related provincial/territorial income tax legislation, individuals are required to complete and file annually with the Canada Revenue Agency (CRA) a return of income (return), including related federal and provincial/territorial forms and schedules, if they earned income and are required to pay income tax, want to claim a refund and/or receive federal and/or provincial/territorial benefits. Individuals report their income and claim any applicable deductions and tax credits on their return in accordance with the Income Tax Act.

Under the Canada Pension Plan and the Employment Insurance Act, self-employed individuals are also required to file a personal income tax and benefit return if subject to Canada Pension Plan contributions and/or Employment Insurance premiums on self-employed earnings.

The types of return of income that may be filed by an individual, depending on their circumstances, consist of the T1 income tax and benefit return including the “Let us help you get your benefits!” Credit and benefit short return.

The Individual Returns program is responsible for developing and coordinating national workloads to process income tax and benefit returns and related adjustments, and for issuing notices of assessment or reassessment to individuals. The CRA shared information with Employment and Social Development Canada for the administration of the COVID-19 One Time Disability Payment to Persons with a Disability.

What’s New

Similar to the consent collected for Elections Canada, effective the 2022 tax year, consent is now collected for the purpose of sharing an individual’s contact information so that they may receive information regarding their provincial or territorial organ and tissue registry, provided that they reside in a participating province or territory. Memorandums of understanding are in progress.

The Canadian dental care plan is an income tested Health Canada initiative to provide dental care services for Canadian residents without private dental insurance coverage. The application process to determine a qualified individual will be administered by Employment and Social Development Canada who will provide a third-party contractor, contracted to Health Canada, with the contact information on eligible individuals. Health Canada’s third-party contractor will then coordinate the issuance of the Canadian Dental Care Plan membership card to be used by the individual when paying for dental services in addition to processing service claims and issuing payments.

In the fall of 2023 CRA will support Employment and Social Development Canada in its initial eligibility determination for individuals 65 years of age and older by providing the social insurance number, name, contact information, and adjusted family net income threshold of individuals who meet the initiatives eligibility criteria based on residency, age, and income through a series of secure electronic transfers. Employment and Social Development Canada will subsequently contract out to a third-party service provider for mailing and printing services. This third-party service provider will mail the identified taxpayers a letter with details on how to apply for the dental care plan. Employment and Social Development Canada has asked that the CRA be prepared to assist with the issuance of letters in the event the third-party service provider cannot meet the required volumes and services standards and/or in the event that the costs are exorbitant. If the CRA fulfils this request, the privacy impact assessment will be amended to address this change.

The activities conducted by Employment and Social Development Canada and Health Canada are out of scope of this privacy impact assessment and will be assessed in their own institutions’ privacy assessments. CRA activities to support the Canadian dental care plan after April 2024 are under development and will be assessed in future privacy assessments.

The retention period of documents has been revised based on the new retention rules developed by the Service, Innovation and Integration Branch.

The simplified “Let us help you get your benefits!” Credit and benefit short return was made available to individuals with low taxable income for the 2021 tax year forward, and the T1S-D Credit and benefit return was eliminated effective the 2022 tax year.

Finally, the Individual Returns Assessment program has added the Digital Mailroom Project (a separate privacy protocol assessment was done for this project in 2021). Requests received in writing are sent to a third party, to be digitized prior to processing.

In 2017, the CRA and Employment and Social Development Canada entered into a Direct Deposit and Address Information Sharing Initiative known as DAISI. This initiative allowed individuals to streamline their government of Canada experience when updating direct deposit and contact information. This program has been suspended since 2020, until further notice.

Scope of the Privacy Impact Assessment

This privacy impact assessment identifies and assesses privacy risks to personal information related to the processing of individual taxpayer income tax returns, including initial assessments, payment processing, validations, accounting, and adjustments, for the federal government and for most provinces and territories, including determining eligibility for various refundable amounts.

Audit and/or verification and compliance activities initiated by other programs of the CRA, whether before or after taxpayers have been informed of the results of their assessments or reassessments, do not fall within activities of the Individual Returns program and are outside the scope of this privacy impact assessment.

Activities such as Tax-Free Saving Account, Income Verification Services and individual refund set off are assessed in different privacy impact assessments and are therefore not included within the scope of this privacy impact assessment.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

In filing the T1 income tax and benefit return for a year, an individual is required to provide certain personal information that is used to determine the individual’s tax, penalties, and/or interest payable, or refund, as well as Canada Pension Plan contributions and/or Employment Insurance premiums payable, or overpayment, where applicable, and is reflected on a notice of assessment or reassessment.

Personal information is also used for statistical analysis to enhance and improve services administered by the CRA.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

Most of the personal information fits into category 3 since it relates to an individual’s information from the return such as social insurance number, date of birth, address, marital status, and financial information.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

The information is used by other CRA areas to determine entitlement to various federal and provincial/territorial individual and family benefits (e.g., Canada Child Benefit, Goods and Services Tax Credit/Harmonized Sales Tax Credit, Canada Pension Plan and Employment Insurance benefits, social assistance payments, etc.), and for compliance activities (e.g., verifications, audits, collection, etc.). The exchange of taxpayer personal information occurs between the CRA Individual Returns program and federal, provincial, and/or territorial government departments, the details of which are outlined in written collaborative agreements and would fall within a risk level of 3. However, since private sector parties are involved in the storage and management of some personal information collected, a risk level of 4 has been indicated.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

The Individual Returns Assessment program is a long-term program. There is no “sunset”; however, individual agreements are terminated when partners’ programs change or end.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The Individual Returns Assessment program affects any individual who files a T1 income tax and benefit return with the CRA.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
    Risk to privacy: Yes
  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
    Risk to privacy: Yes
  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?
  4. Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
    Risk to privacy: No
  5. Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
    Risk to privacy: No
  6. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
    Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

Information can be submitted to the CRA for the purpose of assessing or reassessing taxpayers’ income tax returns electronically, by phone or by paper.

Direct Deposit and Identification Change requests received in writing are digitized and stored for later access by CRA employees on a need-to-know basis.

When the T1 income tax and benefit return is filed electronically (EFILE/NETFILE), the personal information is transmitted by the individual to the CRA using wireless or non-wireless technology. That information is then stored in various CRA systems and databases.

File my Return (FMR) is an automated phone service where invited taxpayers can submit their tax return by following prompts during the call.

If a paper return is printed from a tax preparation software, a 2D bar code may be included. In such cases, the keying is accomplished by scanning the 2D bar code. Additionally, tax returns received in paper format are physically stored.

An individual, or their authorized representative, can request a change to their return(s) in writing. Requests received in writing are sent to an approved third party and digitized for later access by CRA employees.

The personal information is sent to the partner organizations using secure transfers and encryption methods meeting government of Canada minimum standards. Limited amounts of personal information are also shared internally within the CRA by means of wireless devices, such as laptops and cell phones.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

A compromise of personal data has the potential to cause financial harm such as identify theft or fraud and/or embarrassment to the individual.

Page details

Date modified: