Part XIII Non-Resident Withholding Program

Privacy Impact Assessment (PIA) summary – Individual Compliance Directorate, Collections and Verification Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Collections, Compliance and Verification – Compliance and Verification

Description of the class of record and personal information bank

Standard or institution specific class of record:
Part XIII Non-Resident Withholding Program Record Number (CRA CVB 189)

Standard or institution specific personal information bank:
Part XIII Non-Resident Withholding Program Personal Information Bank Number: (CRA PPU 094)

Legal authority for program or activity

The personal information is collected under the authority of the ITA Part XIII section 215. The SIN is collected pursuant to the ITA Section 237 and subsection 220(1) and is used for identification purposes.

Summary of the project / initiative / change

The scope of this privacy impact assessment covers the workload for the Non-Resident Withholding Program (Part XIII), actioned primarily at the International and Ottawa Tax Services Office (IOTSO). It pertains to the withholding, remitting, reporting, and filing obligations under Part XIII of the ITA as well as the various elections and requests for refunds that are submitted by businesses, third parties and individuals.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: Personal information is used to identify the taxpayer and perform account updates and compliance activities such as:

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. The personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The Part XIII program collects and relies on information collected under the authority of the ITA to:

The personal information could include details such as name, contact information, phone and address, related tax identification numbers (e.g. BN, T1, T3, SL), related 3rd party tax identification numbers (i.e. the BN or SIN of a Canadian representative, the SIN of the non-resident client).

C) Program or activity partners and private sector involvement

With other or a combination of federal/provincial and/or municipal government(s)

Level of risk to privacy: 3

Details: Personal information gathered by the Part XIII withholding program may be shared internally within CRA to administer related CRA programs. CRA may also share personal information such as name, SIN or pension plan number with any applicable pension provider (federal, provincial or 3rd party) in order to process an NR5 application requesting a reduction in tax withheld.

D) Duration of the program or activity

Long-term program

Existing program that has been modified or is established with no clear "sunset".

Level of risk to privacy: 3

Details: These activities will continue indefinitely.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The Part XIII program affects businesses, 3rd parties and/or individuals who pay or receive passive income taxable under Part XIII of the ITA.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity requiring any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on individuals associated with filing a return, remittances, or elections related to the Non-Resident Withholding Program (Part XIII program). Service Officers access various accounts to enable them to respond to taxpayer inquiries or resolve account issues.

As per the requirements of CRA’s Logging and Monitoring of Access to Taxpayer Information Policy, all accesses to identifiable personal taxpayer information are monitored and logged, creating an audit trail, by the use of the Online Audit Tracking System (OATS)NATS. The audit trail records information such as the CRA employee’s user logon ID, date and time of logon, logout, user location, terminal identity, name and ID of taxpayer records accessed, including edits or changes made during each user session. The information is used to verify that only authorized users access personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: Platinum Reporting Facility (PRF) is a subset of the Statistical Tracking Analysis and Reporting System (STARS); it enables an authorized employee to run queries against the database to find trends or gather statistics or other required information. Reports are created from the PRF using a set of identified parameters and filters that are then used for analysis. 

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

The program or activity involves one or more connections to the Internet, Intranet or any other system. Circulation of hardcopy documents is not controlled.

Level of risk to privacy: 2

Details: The information is entered into the various CRA computer systems used by the Agency; however, information will only be used for Part XIII Withholding Program purposes. Safeguards are in place to protect information.

Any data obtained through the duties in the Part XIII Withholding Program is NOT transferred to any type of portable device (i.e. CD/DVD disc, USB).

H) Risk impact to the individual or employee

Level of risk to privacy: 3

Details: Should this information be accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment, loss of credibility and trust with the public.

I) Risk impact to the institution

Level of risk to privacy: 4

Details: If the personal information was compromised it has the potential to cause financial harm and embarrassment to the individual.
