Scientific Research and Experimental Development (SR&ED) Incentive Program (Enhanced Expenditures Claim Form T661)

Privacy Impact Assessment (PIA) summary – Scientific Research and Experimental Development Directorate, Compliance Programs Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Richard Montroy
Assistant Commissioner, Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Reporting Compliance – Scientific Research and Experimental Development

Description of the class of record and personal information bank

Standard or institution specific class of record:
Scientific Research and Experimental Development (CRA DCPB 155) - previously (CRA CPB 155)

Standard or institution specific personal information bank:
Scientific Research and Experimental Development (CRA PPU 441)

Legal authority for program or activity

Section 37 of the Income Tax Act (ITA) provides the framework for the SR&ED program. In addition, section 162 of the ITA provides for the collection of additional information.

Budget 2013 changes to ITA: Section 162 of the ITA is amended by adding the following after subsection (5):

Failure to provide claim preparer information

(5.1) Every person or partnership who makes, or participates in, assents to or acquiesces in the making of, a false statement or omission in respect of claim preparer information required to be included in an SR&ED form is jointly and severally, or solidarily, liable, together with any claim preparer of the form, to a penalty equal to $1,000.

Due diligence

(5.2) A claim preparer of an SR&ED form is not liable for a penalty under subsection (5.1) in respect of a false statement or omission if the claim preparer has exercised the degree of care, diligence and skill to prevent the making of the false statement or omission that a reasonably prudent person would have exercised in comparable circumstances.


(5.3) The following definitions apply in this subsection and subsections (5.1) and (5.2):

These provisions apply to forms filed on or after January 1, 2014.

Summary of the project / initiative / change

Budget 2013 introduced measures to provide the CRA with administrative tools to enable better risk assessment. The SR&ED program claim form T661 was revised to require more detailed information on SR&ED program claim preparers and billing arrangements. In particular, in instances where one or more third parties have assisted with the preparation of a claim, the Business Number (BN) of each third party is now required, along with details about the billing arrangements including whether contingency fees were used and the amount of the fees payable. In instances where no third party was involved, the claimant is now required to certify that no third party assisted in any aspect of the preparation of the SR&ED program claims. The CRA will be carefully analyzing the additional prescribed information in order to determine correlations with higher risk of non-compliance in SR&ED claims.

In order to ensure compliance with the Privacy Act and associated CRA and Treasury Board Secretariat privacy policies, this Privacy Impact Assessment examined the privacy risks which may be associated with this initiative, and with other personal information that is already requested from taxpayers when completing the Enhanced Expenditures Claim Form T661. Identified privacy risks have been mitigated, reduced or eliminated. A detailed listing of those risks can be found in the next sections.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: The information is used to determine the overall risk of non-compliance with the provisions of the ITA. In addition, the taxpayer and the claim preparer could be subjected to a civil penalty if the information provided is incomplete, inaccurate or missing.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: To supplement the personal information already requested on the T661, additional information requested under this initiative includes the name of the claim preparer, business number, and financial information (payment scheme and amount of payment). The personal information is collected through the T661 SR&ED Claim form, which itself is a schedule of the Tax Return, and it is treated as information that falls within the definition of taxpayer information or confidential information as the case may be and is subject to the confidentiality provisions set out in section 241 of the Income Tax Act.

The social insurance number (SIN) is being collected in cases where there is a partnership and partners are individuals without a Business Number. Members of a partnership are not required to file T661s with their individual returns however they can claim their share of the Partnership’s tax credits. The SIN serves as a link from the partnership return to the tax return of the partner in cases where the partner is an individual.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details: The SR&ED program data and results are shared for analysis with Statistics Canada and the Department of Finance, and in that capacity, the personal information may also be shared with these institutions under their respective Memoranda of Understanding.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The SR&ED program has been in place since 1986 and will remain a long-term program.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The current personal information requirement applies to all SR&ED Claimants. There are approximately 30,000 SR&ED T2 claims filed each year. In addition there are approximately 4,000 T1 SR&ED claims filed each year.

Since January 1st, 2014, the additional personal information is required from all SR&ED claimants who use a claim preparer in completing their claim.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: Yes

Details: Some of the new information will be stored in CORTAX. CORTAX is a legacy system that is used to store all Corporate Tax Returns (T2) data. CORTAX will be modified to accept the new information.

The new T661 information filed through the Individual Income Tax Returns (T1) will be stored on RAPID.

Audit information will be stored on AIMS (Audit Information Management System) for both T1 and T2 T661s.

The CORTAX, AIMS and RAPID databases are located in CRA’s servers and are properly secured. Access is only available to CRA employees (who have necessarily undergone personal security screening). There is controlled access to the physical location where the computers are kept. There is an audit trail for all views and changes occurring on CORTAX, AIMS and RAPID. Each user is assigned a different level of access based on organizational structure and need to know.

In addition, Public Key Infrastructure (PKI) has been implemented to support several initiatives throughout the CRA, including Secure Remote Access (SRA), secure email, and other electronic transactions where security and/or digital signatures are required. PKI is a combination of policy and technology that establishes a secure electronic working environment, allowing CRA users to conduct secure electronic transactions. PKI uses digital certificates, critical tools for enabling secure and trusted use of our electronic networks. The digital certificates enable us to use our electronic networks to send, receive, and access designated (protected) information securely.

There is no need to temporarily or permanently store data on an external device (i.e. CD, USB, external hard drive) and external devices are prohibited from accessing CORTAX, AIMS and RAPID.

Overall privacy concerns and risks are low and are expected to remain low. Current mitigating practices are considered to be adequate.

Does the new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details: Information on the T661 is considered to be part of the Tax Return and as such, all controls that CRA has in place for Tax Returns also apply. The claim is received and processed by tax centres. Eighty percent of all SR&ED claims are filed electronically, and the information contained in the T661 would be automatically loaded onto the mainframe (CORTAX). The remaining 20% of claims would be manually input at the Tax Centres. T2 SR&ED claims are subjected to an initial risk assessment at the tax centre and have AIMS cases created by an automated system; T1s claims above a certain dollar amount threshold, partnerships, and T3s are sent directly to the CTSO. The information in CORTAX would be accessed by tax centres assessors dealing with the SR&ED program, and the assessor only considers the completeness of information on the form, not its truthfulness. A preliminary risk assessment determines whether the T2 claim should be accepted as filed or whether it should be sent to the CTSO for further review. This determination is automated, using the SR&ED Risk Management Tool (SR&ED RMT), and doesn’t require any input from the assessor. Approximately 40% of claims sent to the tax centre are accepted as filed by the tax centre, based on the automated preliminary risk assessment. In addition, SR&ED staff in field offices would access CORTAX to obtain information from the T661, in order to perform more detailed risk assessment, and to perform Technical and Financial reviews (audit actions) of the claim.

H) Risk impact to the individual or employee

Details: Financial harm.

I) Risk impact to the institution

Details: Reputation harm, embarrassment, loss of credibility.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: