Interactive warning system products

Privacy Impact Assessment (PIA) summary - Small Business Audit Division, Small and Medium Enterprises Directorate

What are the interactive warning system products?

The Canada Revenue Agency (CRA), as part of its ongoing risk assessment and audit selection processes, intends to use the interactive warning system products to help identify high-risk applicants attempting to gain access to tax refunds or benefits to which they have no lawful entitlement. The type of information that will be identified in the interactive warning system includes confirmed fraudulent misuses of an address, phone number, or Social Insurance Number (SIN). Canadian lending institutions use interactive warning system products that are made available by a third-party service provider for the identification of compromised identities and fraud.

How will they be used?

The CRA will be using the interactive warning system products to complement its existing risk assessment and audit selection processes.  Interactive warning systems assist in detecting potential misuse or irregularities associated with addresses, telephone numbers or SINs by flagging the irregularities.

Addresses, telephone numbers or SINs are compared against the information contained in the interactive warning system's database. When an inconsistency is discovered, a generic warning message, such as "current postal code and phone number are inconsistent", is generated to prompt further review. No additional personal information is provided with the warning.

With the use of these products, the CRA is taking steps to ensure that compromised identities are not used fraudulently in our systems. By continually gathering and assessing information about our operating environment and by applying this knowledge through our risk management processes, the CRA maintains a high level of integrity in its operations.

The CRA works toward two strategic outcomes:

Protecting Personal Privacy

The CRA is fully committed to protecting the privacy of individuals while meeting its obligations to Canadians to effectively and efficiently administer and enforce the Income Tax Act and the Excise Tax Act. The CRA is governed by the Privacy Act and is committed to ensuring that information is protected according to the legislation. To accomplish this, the CRA conducts internal assessments to identify and address privacy and security risks.

In addition, a Privacy Impact Assessment (PIA) was undertaken to ensure that the CRA is compliant with privacy requirements as outlined in the Privacy Act and other relevant legislation.

Summary of the interactive warning system products PIA

The Small Business Audit Division (SBAD) in the Small and Medium Enterprises Directorate intends to use interactive warning system products from third party service providers for GST/HST, income tax, and benefit payment risk assessment.

Initially, the SBAD will conduct a pilot with the intention of identifying high risk GST/HST registrants and refund claims by cross-referencing CRA information to the interactive warning system products database. We plan to verify these refund claims to determine if the interactive warning system products will help to improve our risk assessment systems.  At no time will the interactive warning system database interact with the CRA's databases. 

The privacy impact assessment examined the CRA's adherence to the ten privacy principles provided in the PIA Guidelines. The interactive warning system initiative involves the use, external disclosure, and retention of personal information. A legal review of relevant aspects of this initiative was conducted and it confirmed that the CRA has the authority to use personal taxpayer information in the manner proposed. Furthermore, the CRA has always recognized the importance of ensuring the public's confidence in the tax system and will guard against acquiring more personal information than it requires to perform its duties under the Income Tax Act and Excise Tax Act.

To increase awareness of the importance of safeguarding personal information, the CRA provides training to its employees outlining relevant policies regarding breaches of security and privacy. A Security and Privacy Awareness session has been developed and is being made available to CRA employees. As an additional safeguard, only authorized individuals have access to this data.
