Scientific Research and Experimental Development Program

Privacy Impact Assessment (PIA) summary – Scientific Research and Experimental Development Directorate, Domestic Compliance Programs Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Anne-Marie Lévesque
Assistant Commissioner, Domestic Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Scientific Research and Experimental Development

Description of the class of record and personal information bank

Standard or institution-specific class of record:
Scientific Research and Experimental Development (CRA DCPB 155)

Standard or institution-specific personal information bank:
Scientific Research and Experimental Development (CRA PPU 441)

Legal authority for program or activity

Section 37 of the Income Tax Act sets out the framework for the SR&ED Program. Section 162 of the Act allows additional information to be collected and a penalty to be applied when taxpayers do not file or give certain information. Section 237 of the Act deals with collecting social insurance numbers.

Summary of the project / initiative / change

The Scientific Research and Experimental Development (SR&ED) Program is a federal tax incentive program. It is designed to encourage Canadian businesses of all sizes and in all sectors to conduct SR&ED in Canada. The Canada Revenue Agency (CRA) administers the SR&ED Program. Under the program, businesses prepare their claims in line with Canada’s tax laws and the CRA’s policies and procedures and the CRA delivers the SR&ED tax incentives the businesses qualify for in a timely, consistent, and predictable manner.

The CRA is committed to administering the program with fiscal integrity and to making sure businesses are aware of the program and can easily access it. It is important that the CRA apply the legislation correctly, consistently, and fairly so that claimants receive all that they qualify for under the program.

The program provides more than $3 billion in tax incentives to over 20,000 claimants every year. This makes it the single largest federal program supporting business research and development (R&D) in Canada.

The tax incentives come in three forms: an income deduction, an investment tax credit, and, in certain circumstances, a refund.

The federal government offers SR&ED tax incentives for three types of research:

• basic research: work done to advance scientific knowledge without a specific practical application in view
• applied research: work done to advance scientific knowledge with a specific practical application in view
• experimental development: work done to achieve technological advancement so new or improved materials, devices, products, or processes can be created

The CRA website has more information about the SR&ED Program.

To ensure compliance with the Privacy Act and associated CRA and Treasury Board of Canada Secretariat privacy policies, this privacy impact assessment examined the privacy risks associated with the SR&ED Program. All privacy risks that were identified have been mitigated, reduced, or eliminated.

A privacy impact assessment was already done for the Scientific Research and Experimental Development Incentive Program – Enhanced Expenditures Claim Form T661. It covered all privacy-related matters dealing with Form T661, Scientific Research and Experimental Development (SR&ED) Expenditures Claim. Because this privacy impact assessment covers all aspects of the SR&ED Program, including Form T661, it replaces the privacy impact assessment done for only the form. 

 A separate privacy impact assessment will be done for the Film and Media Tax Credit Program.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details: The personal information collected is used to decide the overall risk of not complying with the Act. It is also used to administer the program. The taxpayer and the claim preparer could be charged a penalty if certain required information is incomplete, inaccurate, or missing.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Form T661 asks for the following personal information:

• the name of the claimant
• the claimant’s social insurance number in the case of a sole proprietorship
• the names and telephone and fax numbers of persons to contact about the claim’s financial and technical information
• the names of partners and their social insurance numbers
• the names of employees directly involved in the project being claimed
• the names of other employees of the company, external consultants, and other key individuals directly involved in the project, along with their qualifications and experience
• the names of individuals involved in the project that are not employees
• the names and salaries of specified employees
• the names of claim preparers and financial information (payment schedule and payment amounts)
• the name of the authorized signing officer if the claim is for a corporation

The personal information collected on Form T661 and on forms T2SCH31, T2038 (IND), T1174, T1145, T1146, and T1263 falls within the definition of taxpayer information or confidential information. Therefore, it has to comply with the confidentiality provisions in section 241 of the Income Tax Act.

The social insurance number is collected when Form T661 is filled out by an individual not making a claim as a corporation (for example, a sole proprietorship). It is also collected when the claim is by a partnership the partners of which are individuals who do not have a business number. Depending on the type of partnership, its members may not have to file a Form T661 with their individual return. But, they can claim their share of the partnership’s tax credits. The social insurance number serves as a link from the partnership return to the tax return of the partner when the partner is an individual who does not file a Form T661.

Along with the above documents that have to be sent in when filing an SR&ED claim, the SR&ED Program may collect the same types of personal information that is in the supporting documents outlined in Appendix 2 of Guide T4088, Scientific Research and Experimental Development (SR&ED).

The SR&ED Program also collects personal information (that is, name, phone number, and email address) of individuals registering for online webinars and in-person information sessions.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: SR&ED program information may be shared with other federal government institutions in line with the income tax legislation. These institutions include the Department of Finance Canada (Tax Data – Evaluation and Formulation of Fiscal Policy) and Statistics Canada (statistical data). Information may also be shared with provincial government institutions in line with the memorandums of understanding that the CRA has with the provinces for administering the provincial R&D tax credits. In addition, program information is provided to Recall, a private-sector organization, in line with Contract 5500000790 between the CRA and Mobilshred Inc., operating as Recall for document transport and storage.

The CRA did a privacy protocol assessment related to Recall. It met with the Office of the Privacy Commissioner on October 6, 2011, and April 3, 2012. The CRA provided all documents (including the Request for Proposal contract with privacy clauses) to the Office of the Privacy Commissioner at these meetings.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The SR&ED Program has been in place since 1986. It is a long-term program with no end in sight.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The requirements for collecting personal information under the SR&ED Program apply to all SR&ED claimants and individuals involved in the projects being claimed. That said, there is a slight variation between what personal information is required if the claim is made by a corporation as opposed to by an individual. Each year, about 20,000 T2 SR&ED claims are filed and about 4,500 T1 SR&ED claims are filed.

Since January 1, 2014, all SR&ED claimants who use a claim preparer to complete their claim have to provide additional information about the preparer.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Business Intelligence and Risk Management Division, within the Business Intelligence and Corporate Management Directorate of the International, Large Business and Investigations Branch, is responsible for providing support services to the SR&ED Program. This includes acquiring and maintaining high-quality data, business intelligence, business analytics, and risk assessment services. As a result, the Business Intelligence and Compliance Risk Analysis privacy impact assessment covers most of the automated personal information analysis, personal information matching, and knowledge discovery techniques as they relate to the SR&ED Program.

In addition, the SR&ED Program does further analysis for file selection and business intelligence.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

Details: The information on Form T661 and on forms T2SCH31, T2038(IND), T1174, T1145, T1146, and T1263 is considered to be part of the tax return (whether T1, T2, or T3). As a result, all controls that the CRA has in place for tax returns apply. SR&ED claims are received and processed by the tax centres. Eighty percent of all SR&ED claims are filed electronically, and the information on these forms is automatically loaded onto the mainframe (CORTAX). The remaining 20% of claims are entered manually at the tax centres. T2 SR&ED claims have to go through an initial risk assessment at the tax centres using an automated risk management tool and then have AIMS cases created automatically. T1 claims above a certain dollar amount threshold, claims for partnerships, and T3s are sent directly to the tax services offices for manual screening. The information in CORTAX is accessed by tax centre assessors dealing with the SR&ED Program, and the assessor looks only at whether the information on the form is complete, not whether it is correct. A preliminary risk assessment determines whether the T2 claim should be accepted as filed or sent to the tax services office for further review. This determination is automated, using the SR&ED risk management tool. The assessor does not have to provide any input. About 40% of the claims sent to the tax centres are accepted as filed based on the automated preliminary risk assessment. In addition, SR&ED staff in field offices access CORTAX to get information from Form T661, so they can do more detailed risk assessments and technical and financial reviews (audit actions) on the claims. These are recorded and stored in AIMS.

H) Risk impact to the individual or employee

Details: If an individual’s personal information is compromised, it could cause financial harm to him or her.

I) Risk impact to the institution

Details: If this information is accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA to be embarrassed and to lose credibility and the public’s trust.