Pooled Registered Pension Plans Program
Registered Plans Directorate
Legislative Policy and Regulatory Affairs Branch
On this page
- Overview & Privacy Impact Assessment Initiation (PIA)
- Summary of the project, initiative or change
- Risk identification and categorization
Overview & Privacy Impact Assessment Initiation (PIA)
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Janice Laird
Director General
Legislative Policy and Regulatory Affairs Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Registered Plans
Standard or institution specific class of record:
Registered Deferred Income and Savings Plans
CRA LPRAB 117
Standard or institution specific personal information bank:
Registered Deferred Income and Savings Plans
CRA PPU 226
TBS Registration Number: 20090532
Legal authority for program or activity
The legal authority for the collection of personal information for this program or activity is found in section 220 of the Income Tax Act (ITA).
Section 147.5 of the ITA and section 213 of the Income Tax Regulations provide the legislative authority for the Pooled Registered Pension Plans program.
Section 237 of the ITA provides the legislative authority for the use of the social insurance number for identification purposes.
Summary of the project / initiative / change
Overview of the Program or Activity
Pooled Registered Pension Plans (PRPPs) are tax-assisted, broad-based, and professionally administered defined contribution pension plans. They are targeted to employees and self-employed persons who do not have access to a workplace pension plan. Because assets will be pooled with those of other individuals, the PRPPs will offer investment and savings opportunities at lower administration costs. Investment options in a PRPP are similar to those available in a registered pension plan (RPP).
PRPPs are intended to have design features which will remove traditional barriers that might have kept small- and medium-sized businesses from offering workplace pension plans to their employees in the past. In particular, the fiduciary obligations related to the management of the plan on behalf of plan members would be shifted from the employer to licensed administrators. An eligible PRPP administrator is defined as a corporation resident in Canada that is licensed to administer a PRPP under the Pooled Registered Pension Plans Act (PRPP Act) or similar legislation of a province.
PRPPs are subject to federal and provincial PRPP standards legislation. These generally ensure that contributions made by and on behalf of members are protected and are used to provide retirement income. The PRPP Act is administered by the Office of the Superintendent of Financial Institutions (OSFI). OSFI licenses, regulates and supervises PRPPs under the PRPP Act to ensure the plans meet minimum plan funding requirements and comply with the governing law and supervisory requirements. OSFI provides risk assessments of pension plans covering employees in federally regulated areas of employment, as well as timely and effective intervention and feedback to protect the financial interests of plan members and beneficiaries from undue loss.
Individuals who fall under the authority of the PRPP Act can participate in a PRPP. The PRPP Act applies to PRPPs offered to employees whose employment falls under federal jurisdiction. This includes work in federally regulated financial institutions, such as banks and insurance companies. The PRPP Act also applies to PRPPs offered to persons who are employed or self-employed in the Yukon, Northwest Territories, and Nunavut. Provincial legislation is required to implement PRPPs for all other areas of employment. The Voluntary Retirement Savings Plan Act in Quebec is modelled after the PRPP Act and is applicable to individuals participating in PRPPs in Quebec.
Contributions to a PRPP made by employers, employees and self-employed individuals will be deductible for tax purposes. Contributions and investment earnings are tax-exempt until such time as benefits commence to be paid. All PRPP contributions for a year made by and on behalf of a PRPP member will be limited to the member’s available registered retirement savings plan (RRSP) contribution limit for the year.
Employers are permitted to make direct contributions to a PRPP in respect of an employee, which will be excluded from salaried compensation (like employer contributions to an RPP). However, there is no requirement for an employer to make a minimum contribution to a PRPP. To help prevent situations where large employer contributions might create over-contributions for a PRPP member in relation to the member’s Registered Retirement Savings Plan (RRSP) limit, annual employer contributions to a PRPP in respect of an employee will be limited to a maximum of the RRSP dollar limit for the year, unless the employee directs the employer to contribute more than this amount.
PRPPs are subject to the ITA, which provides deductions in respect of both employee and employer contributions, registration rules and other tax related rules. The Canada Revenue Agency’s (CRA) Registered Plans Directorate (RPD) is responsible for administering, registering, and auditing PRPPs pursuant to section 147.5 of the ITA.
What’s New
The following provinces have enacted legislation governing PRPPs: British Columbia, Québec, Manitoba, Saskatchewan, Ontario, and Nova Scotia. As such, individuals who are employed or self-employed in those provinces can now participate in a PRPP. As more provinces enact legislation governing PRPPs, the plans will become available in more jurisdictions.
Scope of the Privacy Impact Assessment
This Privacy Impact Assessment (PIA) will focus on the privacy implications related to the administration of the PRPP program by CRA’s Registered Plans Directorate – reviews, registrations, amendments, revocations, monitoring and audits of PRPPs. It will identify privacy risks, develop correlating mitigation strategies, and provide a solid foundation of expected privacy practices as guidance.
Activities pertaining to PRPP contributions, deductions, limits, claims and other related requirements are administered by the Individual Returns Assessment Program and by the CRA Corporation Returns and Payment Processing Program, and are out of scope of this PIA.
Activities that are administered by OSFI, including the licensing, regulating and supervising of PRPPs, are also out of scope of this PIA.
Risk identification and categorization
A) Type of program or activity
Program or activity that does NOT involve a decision about an identifiable individual
Level of risk to privacy: 1
Details:
The administration of the PRPP program requires the collection, use or disclosure of personal information in order to:
- determine if an approval to administer a PRPP can be granted;
- determine if a plan can be registered as a PRPP;
- establish an amendment to the plan is acceptable;
- establish if a plan would be in a revocable position under the ITA; and
- conduct audits of the PRPPs to ensure compliance with section 147.5 of the ITA.
However, personal information will not be used to make decisions about individuals.
PRPP auditors would, however, provide information to the Individual Returns Assessment Program and/or to the Corporation Returns and Payment Processing Program, if applicable, to ensure that the individual members’ tax returns were in compliance.
B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals, or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
The program uses personal information, including the social insurance number and financial information, in order to administer PRPP activities.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4
Details:
The CRA will disclose information to OSFI on a need to know basis. Subparagraph 241(4)(d)(vii) of the ITA authorizes the CRA to communicate taxpayer information to federal officials responsible for administering the Pension Benefits Standards Act, 1985 and the PRPP Act. Paper records containing PRPP information are stored by a third-party private sector service provider.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
The PRPP is a long-term savings plan for employed and self-employed individuals who do not have access to a workplace pension plan. As is the case with registered retirement savings plans, there is no clear “sunset” time frame.
E) Program population
The program affects certain individuals for external administrative purposes
Level of risk to privacy: 3
Details:
PRPPs are a kind of retirement savings option for employed and self-employed individuals who do not have access to a workplace pension plan. Not everyone eligible will elect to participate in this new voluntary savings arrangement.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy No
G) Personal information transmission
The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy: 2
Details:
Personal information is mainly processed in a paper/folder format system. Circulation of hardcopy documents is controlled. Access to hardcopy is restricted and monitored. There is no transmission of personal information to an external entity through email or internet. All communication with private parties is done through telephones, mail or by fax. Plan administrators will transmit to the RPD, by mail or by fax, personal information contained in:
- letters;
- form RC364 - Application to Register a Pooled Registered Pension Plan;
- form RC365 - Pooled Registered Pension Plan Amendment Information Form; and
- form RC368 - Pooled Registered Pension Plan Annual Information Return.
Data elements from forms RC364, RC365 and RC368 will be captured by RPD employees and stored in the Registered Plans Application Suite.
Security measures prevent personal information from being transferred from the Registered Plans Application Suite to a portable device or transmitted using wireless technologies.
Access to the Agency network from remote locations is enabled with full disk encryption and standard Secure Remote Access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
Forms RC364, RC365, RC368, and the plan folder are classified as Protected “B.”
In the event of a privacy breach, there would be minimal impact on the individuals involved (sole proprietor members of a plan) because of the minimal amount of financial information.
Page details
- Date modified: