Non-Filer Program

Individual Compliance Directorate,
Collections and Verification Branch

Overview & PIA Initiation

Government institution
Canada Revenue Agency

Government official responsible for the PIA
Michael Snaauw
Assistant Commissioner,
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution
Returns Compliance

Description of the class of record and personal information bank
Standard or institution specific class of record:
Non-Filer Compliance, CRA CVB 181
Standard or institution specific personal information bank:
Non-Filer Compliance, CRA PPU 025

Legal authority for program or activity
Income Tax Act (ITA)

Summary of the project / initiative / change

Overview of the program or activity

The mandate of the non-filer program is to promote compliance with the filing requirements of individuals, corporations and trusts, as outlined in the Income Tax Act and various other pieces of legislation.

Although the majority of Canadians file their tax returns on time as required by Canadian tax laws, some taxpayers do not. Filing an income tax return is the first step in the tax compliance continuum. The Agency raises a tax assessment once a taxpayer files a tax return. Taxpayers may not file their returns for a number of reasons. The Agency provides a variety of tools to help taxpayers file their returns.

The non-filer program performs an important enforcement role to protect revenue at risk. The Agency actively encourages taxpayers to file voluntarily. In cases where taxpayers do not meet their filing obligations, the program may enforce filing compliance under the Income Tax Act. Enforcement action may involve demanding returns, raising assessments under subsection 152(7) of the Income Tax Act, field visits and, in rare situations, prosecution.

Non-filers can be categorized as known or unknown. Known non-filers are those the Agency can identify as having a tax potential based on information that is available to the Agency (for example, information slips that are on file such as T4 or T5 slips).

Unknown non-filers are those for whom the Agency cannot identify a factual tax potential because it lacks information about the taxpayer. Individuals that fall into the unknown category are often self-employed or may operate within the underground economy. Unknown non-filers continue to pose a risk as they are more difficult to identify and risk score for enforcement action.

Each tax year after the filing deadlines have passed, non-filers are identified through automated processes. Taxpayer accounts that have not filed tax returns are identified for the annual load and are loaded into the Système Universal Delpac System (SUDS).

Once the non-filer accounts are loaded into SUDS, the Agency applies a risk-scoring process that identifies whether or not there is tax potential on the accounts and prioritizes the accounts by their risk score. This process is used to identify the accounts selected for potential enforcement action. 

Currently, accounts identified in SUDS for non-filer enforcement action are subject to the following processes:

Accounts that score low or have no tax potential identified are routed to the SUDS drop silo. These accounts are selected for additional campaigns through the Debt Management Call Centre, CRA nudge initiatives and non-filer enforcement project work that targets the underground economy.

What’s new?

Requirement for Information Unnamed Persons

The Workload Development and Business Intelligence Section (WDBIS) in the Individual Compliance Directorate is responsible for developing new techniques to identify non-compliance. This includes developing projects, conducting research and identifying emerging risks to gain an understanding of compliance behaviours and suspected areas of non-compliance, testing innovative risk treatments and improving risk assessment methodology. As part of the Requirement for Information Unnamed Persons (RFIUP), data on unnamed persons is obtained through a federal court order.

The information obtained from RFIUP is sorted and matched against existing source data for risk assessment purposes. The Technology and Business Intelligence Directorate provides business intelligence and risk assessment services for the WDBIS.

Nudge

Nudge initiatives use the concept of gently influencing taxpayer behavior to become tax compliant. Studies have shown that the use of nudging has benefited the compliance continuum for other tax administrations by improving compliant behavior by the taxpayer.

The non-filer program has initiated two nudging concepts using the Automated Dialing Announcement Device and letters to send soft messages to taxpayers from the Système Universal Delpac System (SUDS) drop silo. These are non-filer accounts that have not been selected for enforcement action. The results are being analysed by business intelligence.

New Workload Management System

The Collections and Verification Branch (CVB) is replacing the existing legacy systems with a new case and workload management system (WMS). The graduated replacement is ongoing to 2023. The new WMS will accommodate CVB’s compliance enforcement requirements. The non-filer program is the first to onboard under Release 1, scheduled for October 2018. This release will replace the SUDS used by the non-filer program.

Scope of the Privacy Impact Assessment

This privacy impact assessment identifies and assesses privacy risks to personal information relating to the administration of the non-filer program activities for the enforcement of the filing requirements of individuals, corporations and trusts under the Income Tax Act.

Business intelligence activities relating to the creation of Non-Filer compliance strategies and workload development have been assessed in a separate privacy impact assessment entitled Collections and Verification Business Intelligence.
 
Projects and initiatives that focus on the underground economy and non-compliance continue to be developed. As a result, as new initiatives or changes to existing processes within the program are identified, this privacy impact assessment will be reviewed and updated as required.

Risk identification and categorization

A) Type of program or activity
Criminal investigation and enforcement / National Security

Level of risk to privacy: 4

Details: Individuals, corporations and trusts do not always file their required returns and do not directly provide information when requested by CRA. Non-filer officers need to obtain information from sources as necessary, to have sufficient factual information in order to raise 152(7) assessments or pursue prosecution action.

In the majority of circumstances, the data will be compiled to establish non-compliance demographics, trend analysis and workload management. In the event that the taxpayer continuously does not meet the obligations of their requirement to file, the non-filer program will consider proceeding with prosecution action under 238(1) or a compliance order under 238(2) of the Income Tax Act if needed.

B) Type of personal information involved and context
Social Insurance Number (SIN), medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The information used within the non-filer program is gathered from compliance activities, searching of open and publicly available social media web sites, unnamed persons requests, as well as from other program activities within CRA including those administered by the Domestic Compliance Programs Branch, International, Large Business and Investigations Branch, Assessment, Benefit, and Service Branch, and Collections and Verification Branch.

Information could include, but is not limited to, the SIN and information that is available in the CRA systems, such as current or past employers, assets, income amounts, other financial information, and contact information such as addresses and/or phone numbers. Certain information belonging to individuals and corporations that may not be directly associated with the subject taxpayers may be accessed during the non-filer program activities. The non-filer program will institute limitations in the examination and collection of personal information related to the taxpayer and others, and will segregate the information that is pertinent to the program through role-based access.

C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: The non-filer program develops and applies strategies to identify and resolve non-compliance related to the filing of income tax and information returns. The program also addresses the underground economy activity that results in non-compliance related to unfiled returns, and is responsible for participating in building and maintaining internal and external federal, provincial, and municipal government partnerships through memoranda of understanding and data exchanges while promoting effective communication and horizontality.

Information for the most part is derived from internal CRA sources. As we move forward, the Individual Compliance Directorate has sources of data obtained through named and unnamed requirements for information from private sector companies and organizations.

In addition, archived paper copies of personal information are stored and retained at a private-sector records storage facility.

D) Duration of the program or activity
Long-term program

Level of risk to privacy: 3

Details: The non-filer program is a permanent activity and is based on necessity and Income Tax Act legislative provisions.

E) Program population
The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: This activity will affect non-compliant taxpayers with respect to their tax return and/or information return filing requirements under the Income Tax Act.

F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: n/a

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Details: The program does not involve the use of surveillance on individual taxpayers associated with the non-filer program.
However, all non-filer program employee accesses to identifiable taxpayer information (create, view, modify, and delete profiles) are logged and monitored to prevent, detect, and deter unauthorized access to taxpayer information. This allows the Agency to proactively monitor accesses and identify irregular activity and/or system misuses.
A national audit trail system is used to verify that only an authorized user accesses personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse. This activity is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
Details: The Technology and Business Intelligence Directorate of the Collections and Verification Branch is responsible for providing analytical support services to the non-filer program, including the acquisition and maintenance of high quality data, business intelligence, business analytics, and risk assessment services. As a result, the Collections and Verification Business Intelligence PIA (file IC-076952) covers most of the automated personal information analysis, personal information matching, knowledge discovery techniques and predictive models as it pertains to business intelligence related to the non-filer program.
The non-filer program uses the data analysis to conduct further compliance risk and gap analysis for file selection purposes to identify the highest risk files for enforcement action. For example, by using predictive models, accounts that would "self-resolve" are identified, allowing enforcement efforts to focus on higher risk accounts.
The Workload Development Business Intelligence Section (WDBIS) supports workload development through the coordination of analytics, research and trends analysis report requests for all individual compliance program workloads.

G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details: The information is entered into the various CRA computer systems used by the Agency including the Système Universal Delpac System’s diary option.
At times, the non-filer program officers may obtain information from publicly open social media web sites which require a connection to the Internet. The internet access is controlled and monitored based on CRA policies.
Any data obtained by the non-filer program is not transferred to any type of portable device such as CD/DVD discs or USB keys.
NF field officers may use laptops with full disk encryption and standard Secure Remote Access (SRA) 2.0. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.
SRA 2.0 allows users to gain access to the CRA network anytime and anywhere internet is available. This application is managed by Shared Services Canada. All users are required to sign on with their individual Public Key Infrastructure certificate which sets out clear policies and procedures for employees. 

H) Risk impact to the individual or employee
Details: Reputation harm, financial harm, or embarrassment if the CRA systems are compromised and information is leaked to the public. In the event of a privacy breach, loss or misuse of taxpayers’ information, there may be opportunity for fraudulent activities or identity theft occurrences.
