Individual returns assessment program - Privacy impact assessment summary
Individual Returns Directorate
Assessment, Benefit, and Service Branch
Canada Revenue Agency
Overview & PIA initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Tax Services and Processing
Description of the class of record and personal information bank
Standard or institution specific class of record:
CRA ABSB 217
Standard or institution specific personal information bank:
CRA PPU 005
Legal authority for program or activity
Income Tax Act, sections 150, 220, and 237
Canada Pension Plan, subsection 92(2)
Canada Revenue Agency Act, section 61
Canada Elections Act, section 46.1
Employment Insurance Act, Parts I, IV and VII.1
Federal-Provincial Fiscal Arrangements Act, section 7
Summary of the project / initiative / change
Overview of the program or activity
Under the Income Tax Act and related provincial/territorial income tax legislation, individuals are required to complete and file annually with the Canada Revenue Agency (CRA) a T1 income tax and benefit return, including related federal and provincial/territorial forms and schedules, if they earned income and are required to pay income tax, want to claim a refund and/or receive federal and/or provincial/territorial benefits. Individuals report their income and claim any applicable deductions and tax credits on their T1 income tax and benefit return in accordance with the Income Tax Act.
Under the Canada Pension Plan and the Employment Insurance Act, self-employed individuals are also required to file a return if subject to Canada Pension Plan contributions and/or Employment Insurance premiums on self-employed earnings.
The Individual Returns program is responsible for developing and coordinating national workloads to process income tax and benefit returns and related adjustments, and for issuing notices of assessment or reassessment to individuals.
What’s new
File My Return is a new user-interface that utilizes the existing systems to generate an assessment for individuals. No new elements of personal information are collected. It is simply a new way of using existing databases (T1 Assessing Master and Pre-match systems) to pre-populate income tax and benefit returns.
A redesigned T1 systems suite of applications was partially implemented. However, no new personal information elements will be collected via this new system. All personal information that was shared under the previous system will continue to be accessible under the new platform.
Scope of the privacy impact assessment
This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information related to the processing of individual taxpayer income tax returns, including initial assessments, payment processing, validations, accounting, and adjustments, for the federal government and for most provinces and territories, including determining eligibility for various refundable amounts.
Audit and/or compliance activities initiated by other programs of the CRA, whether before or after taxpayers have been informed of the results of their assessments or reassessments, do not fall within activities of the Individual Returns program and are outside the scope of this PIA.
Activities such as Tax-Free Savings Account, Income Verification and individual refund set off are assessed in a different PIA and therefore are not included within the scope of this PIA.
Risk identification and categorization
A) Type of program or activity
Administration of Programs / Activity and Services
Level of risk to privacy: 2
Details: In filing the T1 Income tax and benefit return for a year, an individual is required to provide certain personal information which is used to determine the individual’s tax, penalties, and/or interest payable, or refund, as well as Canada Pension Plan contributions and/or Employment Insurance premiums payable, or overpayment, where applicable, and is reflected on a notice of assessment or reassessment.
Personal information is also used for statistical analysis to enhance and improve services administered by the CRA.
B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: Most of the personal information fits into category 3 since it relates to an individual’s information from the return such as social insurance number, date of birth, address, marital status, and financial information.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4
Details: The information is used by other CRA areas to determine entitlement to various federal and provincial/territorial individual and family benefits (e.g. Canada Child Benefit, Goods and Services Tax Credit/Harmonized Sales Tax Credit, Canada Pension Plan and Employment Insurance benefits, social assistance payments, etc.), and for compliance activities (e.g. verifications, audits, collection, etc.).
The exchange of taxpayer personal information occurs between the CRA Individual Returns program and federal, provincial, and/or territorial government departments, the details of which are outlined in written collaborative agreements and would fall within a risk level of 3.
However, since private sector parties are involved in the storage and management of some personal information collected, a risk level of 4 has been indicated.
D) Duration of the program or activity:
Long-term program
Level of risk to privacy: 3
Details: The Individual Returns program is a long-term program. There is no “sunset”; however, individual agreements are terminated when partners’ programs change or end, unless amended.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: The Individual Returns program affects any individual who files a T1 income tax and benefit return with the CRA.
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
Details: The redesigned T1 systems involve a suite of applications that supports CRA's core activities related to Canada's self-assessment regime for the administration of personal income tax. However, no new elements will be collected via this new system. All personal information that was shared under the previous system will continue to be accessible under the new platform.
File My Return is a new user-interface that utilizes the existing systems to generate an assessment for individuals. No new elements of personal information are collected. It is simply a new way of using existing databases (T1 Assessing Master and Pre-match systems) to pre-populate returns.
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes
Details: The redesigned T1 systems involve a suite of applications that replaces IT legacy systems. However, no new elements will be collected via this new system. All personal information that was collected and handled under the previous legacy system will continue to be collected and handled under the new platform.
The new or modified program or activity involves the implementation of one or more of the following technologies:
Enhanced identification methods
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: N/A
Use of Surveillance
This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Details: N/A
Use of automated personal information analysis, personal information matching and knowledge discovery techniques
For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
Details: The activities listed below are performed within the Individual Returns program and involve various elements of personal information and a certain measure of automated technology:
- Record Linkage: Identification information is stored on the Individual Identification (IDENT) mainframe system and is linked with other systems containing financial information.
- Information Reconciliation: Personal information (financial information) stored on various systems/databases is reconciled when the assessment process is finished.
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details: When the T1 income tax and benefit return is filed electronically (EFILE/NETFILE), the personal information can be transmitted by the individual to the CRA using wireless or non-wireless technology. That information is then stored in various CRA systems and databases.
The personal information from paper-filed returns (mailed or faxed) is keyed into various CRA systems and databases.
The personal information is pulled from the CRA’s mainframe system and sent to the partner organizations or other Agency areas using file transfer protocol, often by means of Entrust encryption software. Limited amounts of personal information are also shared internally within CRA by means of wireless devices, such as laptops.
H) Risk impact to the institution
Details: A compromise of personal data has the potential to cause financial harm such as identity theft and/or embarrassment to the individual.