Non-Filer Compliance Privacy Impact Assessment v2.0
Individual Compliance Directorate
Collections and Verification Branch
On this page
- Overview & Privacy Impact Assessment Initiation (PIA)
- Summary of the project, initiative or change
- Risk identification and categorization
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Tammy Myers
Assistant Commissioner
Collections and Verification Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Returns compliance
Standard or institution specific class of record:
Non-Filer Compliance
CRA CVB 181
Standard or institution specific personal information bank:
Non-Filer Compliance
CRA PPU 025
Legal authority for program or activity
Income Tax Act
- Paragraph 150(1)e – Designated persons
- Subsection 150(2) – Demands for returns
- Subsection 152(7) – Assessment not dependent on return or information
- Subsection 220(1) – Minister’s duty
- Subsection 220(2) – Officers, clerks and employees
- Subsection 220(2.1) – Waiver of filing documents
- Subsection 220(3) – Extension for returns
- Subsection 220(3.1) – Waiver of penalty or interest
- Subsection 220(3.2) – Late, amended or revoked elections
- Subsection 220(5) – Administration of oaths
- Subsection 230(1) – Records and books
- Subsection 230(3) – Minister’s requirement to keep records, etc.
- Subsection 230(7) – Exception where demand by Minister
- Section 231 – Definitions – authorized person
- Section 231.1 – Authority to inspect, audit or examine
- Subsection 231.2(1) – Requirement to provide documents or information
- Subsection 231.2(3) – Judicial authorization
- Subsection 231.5(1) – Copies
- Subsection 231.6(2) – Requirement to provide foreign-based information
- Subsection 231.6(8) – Consequence of failure
- Subsection 231.7(1) – Compliance Order
- Subsection 233(1) – Information return
- Subsection 233(2) – Partnerships
- Subsection 237(1.1) – Production of number
- Subsection 237(1.2) – Designated number
- Subsection 237(2) – Number required in information returns
- Subsection 237(3) – Authority to communicate number
- Subsection 237(4) – Authority to communicate number
- Subsection 241(3.1) – Circumstances involving danger
- Subsection 241(6) – Appeal from order or direction
- Subsection 244(21) – Proof of return filed
- Subsection 244(22) – Filing of information returns
Canada Revenue Agency Act
- Section 2 – Definitions – program legislation
- Section 61 – Contracts, agreements and arrangements
Criminal Code
- Section 2 – Definitions – public officer
Summary of the project, initiative or change
Overview of the Program or Activity
The mandate of the Non-Filer Program (NFP) is to promote compliance with the filing requirements of individuals, businesses, corporations, and trusts, as outlined in the Income Tax Act and other laws.
Although the majority of taxpayers file their income tax returns on time as required by Canadian tax laws, some do not. Filing an income tax return is the first step in tax compliance. The Canada Revenue Agency (CRA) assesses a taxpayer after they file their return. Taxpayers may not file their returns for a number of reasons. The CRA provides a variety of tools to help taxpayers file their returns.
The NFP plays an important enforcement role to protect revenue at risk. The CRA actively encourages taxpayers to file voluntarily. When taxpayers do not meet their filing obligations, the NFP may take enforcement action such as demanding returns, raising assessments under subsection 152(7) of the Act, conducting field visits, and potentially prosecution.
Non-filers can be categorized as known or unknown. Known non-filers are those the CRA can identify as potentially owing tax based on information that is available on CRA’s systems (for example, information slips such as T4 or T5 slips).
Unknown non-filers are those for whom the CRA does not have enough information to identify as potentially owing tax. Individuals that fall into the unknown category are often self-employed or may operate within the underground economy. Unknown non‑filers continue to pose a risk because they are more difficult to identify and evaluate for enforcement action.
Each tax year after the filing deadlines have passed, the CRA identifies non-filers through automated processes. Taxpayer accounts identified through these processes are loaded into the workload management system for enforcement actions.
After the non-filer accounts are entered in the system, the CRA uses a variety of methods to apply a tax-at-risk score to each account.
Currently, accounts identified in the system for non-filer enforcement action are subject to the following enforcement actions:
- automated letters
- non-face-to-face enforcement action at the national verification and collections centres and tax centres
- face-to-face and non-face-to-face enforcement action at the tax services offices
Accounts that have a low tax risk are not loaded in the workload management system for normal enforcement action. These accounts are selected for additional campaigns through CRA nudge initiatives and non-filer enforcement project work that targets the underground economy.
The NFP also administers the Contract Payment Reporting System (CPRS) and the government service contract payments workloads. The CPRS requires construction businesses (contractors) to record payments they make to subcontractors for construction services and to report these payments to the CRA on a T5018 information return. The T5018 enforcement workload is selected after specific screening criteria have been applied to databases such as T1 and T2 assessments, GST/HST registrants, and T5018 filed returns. Government service contract payments are reported on a T1204 slip to indicate the total contract payments a federal department or agency, or Crown corporation, made during a calendar year for services or payments for products, expenses, or reimbursements. If the T5018 or T1204 is filed with missing information, the accounts are referred to the NFP for compliance action.
The Workload Development and File Selection Section in the Non-Filer Division (NFD) creates, analyzes, and coordinates the requirements for the T1 and T2 non-filer annual workloads, risk models, and manual workloads including T3, T4A-NR, and the GST/HST Enhanced Registration Review Program.
Filing compliance projects are activities taken to identify and address non-compliance with the filing of tax returns that are missed (unknown) or not prioritized by established systems or processes. Workload development teams in each region and Headquarters conduct filing compliance projects in a project management environment. They utilize local knowledge and experience, regional strategies, and national initiatives to address systemic non-compliance. The purpose behind any non-filer project is to identify gaps that exist in our established compliance programs and systems and pursue the cases that have been able to take advantage of those gaps. More information about filing compliance projects can be found in Appendix E.
Nudge initiatives use the concept of gently influencing taxpayer behavior to become tax compliant. Studies have shown that the use of nudging has increased compliance in other jurisdictions.
The NFP has initiated a nudging concept using the Automated Dialing Announcement Device. NFP uses this device for non-filers that have not been selected for enforcement action. The results are being analyzed by business intelligence.
What’s New
New workload management system
The Collections and Verification Branch (CVB) has replaced some of the branch’s existing legacy systems with a new system. The graduated replacement is ongoing. In 2018, the new system replaced the system previously used by the NFP.
Non-Filer T1 and T2 152(7) Challenge Project
The NFD introduced the T1 152(7) Challenge pilot in July 2017, to review taxpayer submitted T1 152(7) requests for reassessment of a return. In April 2018, the scope expanded to include the review of the T2 152(7) requests for reassessment of a return. The project reviews and validates returns and required documents and receipts submitted by taxpayers after the CRA completes a 152(7) assessment.
The purpose is to ensure that the income, expenses, and deductions claimed are allowable, reasonable, and consistent with the information obtained through the preliminary review and interview. The project was implemented into the core NFP on April 1, 2021, and is now called the Challenge Function. There was one team located in the Winnipeg Tax Centre and their workload consisted of T1 and T2 French and English cases. This project was completed April 1, 2025.
Digital economy
The NFP also focuses on unknown non-filers operating in the digital economy where tax potential cannot be calculated due to lack of information. Digital economy categories include the sharing economy, the gig economy, e-commerce platforms, digital currency, online payment platforms, internet sales, online influencers, online gaming, Coinsquare, OnlyFans, and digital artists. These cases are worked the same way as any other case. The only difference is whether there is third-party data attached to it or not.
Filing compliance projects
Many filing compliance projects are developed annually to ensure the CRA is addressing non‑compliance. See Appendix E for a list of current projects.
Scope of the Privacy Impact Assessment
This privacy impact assessment identifies and assesses privacy risks to personal information relating to the administration, including workload development, of the NFP for the enforcement of the filing requirements of individuals, businesses, corporations, and trusts under the Income Tax Act.
The Individual Compliance Directorate of the CVB does business intelligence activities related to the creation of non-filer compliance strategies. These activities include analyzing data and providing external third-party data. These activities are described in the Business Intelligence Research and Development Environment Privacy Impact Assessment (PIA) of the Service, Innovation and Integration Branch. Those performed within the Technology and Business Intelligence Directorate are described in the Collections and Verification Business Intelligence PIA. However, any resulting administrative decisions made by the NFP are within the scope of this PIA.
Projects and initiatives that focus on the underground economy and non-compliance continue to be developed. As a result, as new initiatives or changes to an existing process within the program are identified, this PIA will be reviewed and updated as required.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement and Criminal Investigation / National Security
Level of risk to privacy: 4
Details:
Individuals, corporations, and trusts do not always file their required returns and do not always provide information when requested by the CRA. Non-filer officers need to obtain sufficient factual information from sources to be able to assess taxpayers under subsection 152(7) of the Income Tax Act.
In the majority of circumstances, the data will be compiled to establish non-compliance demographics, trend analysis, and workload management. In the event that the taxpayer continuously does not meet their filing obligations and there are potential taxes owing, the NFP may consider proceeding with recommending prosecution action by the courts if needed.
B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
The information used within the NFP is gathered from compliance activities, searching open and publicly available social media websites, unnamed persons requests, and other program activities within the CRA including those administered by the Compliance Programs Branch (CPB), Assessment, Benefit and Service Branch (ABSB), and Collections and Verification Branch (CVB).
Information could include, but is not limited to, the social insurance number (SIN), information that is available in CRA systems such as current or past employers, assets, income amounts, other financial information, and contact information. The NFP may access certain information belonging to individuals and corporations that may not be directly associated with the subject taxpayer. The NFP will institute limitations in the examination and collection of personal information related to the taxpayer and others, and will segregate the information that is pertinent to the program through role based access.
C) Program or activity partners and private sector involvement
Within the institution, other federal institutions, provincial territorial and/or municipal government(s), and private sector organizations or international organizations or foreign governments.
Level of risk to privacy: 4
Details:
The NFP develops and applies strategies to identify and resolve non-compliance related to the filing of income tax and information returns. The NFP also addresses the underground economy activity that results in non-compliance related to unfiled returns. As well, the NFP is responsible for building and maintaining internal and external federal, provincial, and municipal government partnerships through memoranda of understanding, data exchanges, promoting effective communication, and horizontal collaboration.
The NFP gets most information from internal CRA sources or directly from taxpayers. Additional information is also acquired from federal or provincial sources as governed through written collaborative arrangements. Collaboratively, the CRA also used named and unnamed persons requirements issued to businesses or individuals to obtain information on third parties who may not have met their filing obligations.
In addition, archived paper copies of personal information are stored and retained at a private-sector records storage facility.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
The NFP is a permanent activity and is based on necessity and the Income Tax Act provisions. The Non-Filer T1 and T2 152(7) Challenge Project was completed on April 1, 2025.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
This activity will affect non-compliant taxpayers regarding their income tax return or information return filing requirements under the Income Tax Act.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? Risk to privacy: Yes
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services? Risk to privacy: Yes
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details:
The information is entered into the various CRA computer systems.
At times, the NFP officers may get information from publicly open social media websites, such as Facebook, LinkedIn, Twitter, and YouTube, which require a connection to the Internet. The Internet access is controlled and monitored based on CRA policies.
The NFP does not transfer data it gets to any type of portable device such as CDs, DVDs, or USB keys.
All NFP personnel use laptops with full disk encryption and standard secure remote access (SRA) 2.0. The Information Technology Branch has developed an agency-wide telecommuting platform that offers users secure access to the network.
SRA 2.0 allows users to gain access to the CRA network anytime and anywhere Internet is available. This application is managed by Shared Services Canada. All users are required to sign on with their individual Public Key Infrastructure certificate, which sets out clear policies and procedures for employees.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
There is a risk of reputational harm, financial harm, or embarrassment if CRA systems are compromised and information is leaked to the public. In the event that a privacy breach, loss, or misuse of taxpayer information occurs, there may be an opportunity for fraud or identity theft.