Scientific Research and Experimental Development Program v 3.0 - Privacy impact assessment summary

Domestic Compliance Programs Branch
Scientific Research and Experimental Development Directorate
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Ted Gallivan
Assistant Commissioner

Domestic Compliance Programs Branch 

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau


Access to Information and Privacy Directorate

Name of program or activity of the government institution

Domestic Compliance

Description of the class of record and personal information bank

Standard or institution specific class of record:

Scientific Research and Experimental Development (CRA DCPB 155)

Standard or institution specific personal information bank:

Scientific Research and Experimental Development (CRA PPU 441)

Legal authority for program or activity

Section 248(1) of the Income Tax Act (ITA) provides the definition of the scientific research and experimental development.

Personal information is collected pursuant to subsections 37(1), 37(11), 150 and 162(5.1) of the ITA and is used for verification of compliance, administration and enforcement of the SR&ED program requirements.

Subsections 37(1) and 37(11) of the ITA require the taxpayer to file with the Minister a prescribed form containing prescribed information in relation to this program and SR&ED claim.

Subsection 150 of the ITA requires a return of income that is in prescribed form and that contains prescribed information to be filed with the Minister, without notice or demand for the return for each taxation year of a taxpayer

Subsection 162(5.1) of the ITA requires SR&ED claimants to provide information on any claim preparer that worked on the SR&ED claim. The required information includes the business number of the claim preparer, the type of payment arrangement, and the actual amount of money paid. Failure to provide the required information could result in a $1000 penalty.

The social insurance number is collected pursuant to section 237 of the ITA and is used for identification purposes.       

Summary of the project / initiative / change

The Scientific Research and Experimental Development (SR&ED) Program is a federal tax incentive program. It is designed to encourage Canadian businesses of all sizes and in all sectors to conduct SR&ED in Canada. The Canada Revenue Agency (CRA) administers the SR&ED Program. Under the program, businesses prepare their claims in line with Canada’s tax laws and the CRA’s policies and procedures and the CRA delivers the SR&ED tax incentives the businesses qualify for in a timely, consistent, and predictable manner.

The CRA is committed to administering the program with fiscal integrity and to making sure businesses are aware of the program and can easily access it. It is important that the CRA apply the legislation correctly, consistently, and fairly so that claimants receive all that they qualify for under the program.

The program provides more than $3 billion in tax incentives to over 19,000 claimants every year. This makes it the single largest federal program supporting business research and development (R&D) in Canada.

The tax incentives come in three forms: an income deduction, an investment tax credit, and, in certain circumstances, a refund.

The federal government offers SR&ED tax incentives for three types of research:

The CRA website has more information about the SR&ED Program at

What's new

The CRA has improved and simplified retention and disposition authorities. While this disposition authority replaces the previous 18 authorities, all retention schedules remain in force until further notice. Thus, current RDAs are not valid; however; the SR&ED retention schedules that are contained within are still valid (see section V for more details).

The SR&ED program has updated the appropriate section of this PIA to reflect the fact that it uses and discloses data from/to the Service, Innovation and Integration Branch (SIIB)/Agency,  Analytics and Data Directorate Research and Development Environment (RDE) for research and analysis purposes. For further information, see the RDE PIA.

Scope of the privacy impact assessment

To ensure compliance with the Privacy Act and associated CRA and Treasury Board of Canada Secretariat privacy policies, this privacy impact assessment examined the privacy risks associated with the SR&ED Program. All privacy risks that were identified have been mitigated, reduced, or eliminated.

A separate privacy impact assessment has been done for the Film and Media Tax Credit Program.

This privacy impact assessment has been updated to reflect programs changes to the retention and disposition authorities, new data sources and new data disclosures. 

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3


The personal information collected is used to decide the overall risk of not complying with the Act. It is also used to administer the program. The taxpayer and the claim preparer could be charged a penalty if certain required information is incomplete, inaccurate, or missing. 

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.    

Level of risk to privacy: 3


Form T661 asks for the following personal information:  

The personal information collected on Form T661 and on forms T2SCH31, T2038 (IND), T1174, T1145, T1146, and T1263 falls within the definition of taxpayer information or confidential information. Therefore, it has to comply with the confidentiality provisions in section 241 of the Income Tax Act.

The social insurance number is collected when Form T661 is filled out by an individual not making a claim as a corporation (for example, a sole proprietorship). It is also collected when the claim is by a partnership the partners of which are individuals who do not have a business number. Depending on the type of partnership, its members may not have to file a Form T661 with their individual return. But, they can claim their share of the partnership’s tax credits. The social insurance number serves as a link from the partnership return to the tax return of the partner when the partner is an individual who does not file a Form T661.

Along with the above documents that have to be sent in when filing an SR&ED claim, the SR&ED Program may collect the same types of personal information that is in the supporting documents outlined in Appendix 2 of Guide T4088, Scientific Research and Experimental Development (SR&ED).

The SR&ED Program also collects personal information (that is, name, phone number, and email address) of individuals registering for online webinars and in-person information sessions, Pre-Claim Consultation Requests (PCC) and Pre-Claim Review Requests (PCR). For Administrative Reviews (AR), personal information is also collected (that is, name, business number (in the case of sole proprietorships), address, phone number, contact name, and signature). The SR&ED Self-Assessment and Learning Tool (SALT) does not collect any personal information as stated on the first page of the online SALT form.   

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4


SR&ED program information may be shared with other federal government institutions in line with the income tax legislation. These institutions include the Department of Finance Canada (Tax Data – Evaluation and Formulation of Fiscal Policy) and Statistics Canada (statistical data). Information may also be shared with provincial government institutions in line with the memorandums of understanding that the CRA has with the provinces for administering the provincial R&D tax credits. In addition, program information is provided to Recall, a private-sector organization, in line with Contract 5500000790 between the CRA and Mobilshred Inc., operating as Recall for document transport and storage.   

D) Duration of the program or activity:

Long-term program

Level of risk to privacy: 3


The SR&ED Program has been in place since 1986. It is a long-term program with no end in sight. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3


The requirements for collecting personal information under the SR&ED Program apply to all SR&ED claimants and individuals involved in the projects being claimed. That said, there is a slight variation between what personal information is required if the claim is made by a corporation as opposed to by an individual. Each year, over 19000 T2 SR&ED claims are filed and about 4,500 T1 SR&ED claims are filed.  

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? 

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).  

Risk to privacy: No

Details: n/a

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc. 

Risk to privacy: No

Details: n/a

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Business Intelligence and Risk Management Division, within the Business Intelligence and Corporate Management Directorate of the International, Large Business and Investigations Branch, is responsible for providing support services to the SR&ED Program. This includes acquiring and maintaining high-quality data, business intelligence, business analytics, and risk assessment services. As a result, the Business Intelligence and Compliance Risk Analysis privacy impact assessment covers most of the automated personal information analysis, personal information matching, and knowledge discovery techniques as they relate to the SR&ED Program.

In addition, and given that Research and Development (R&D) activities currently taking place within CRA are largely decentralized, the authorized SR&ED program researchers and analysts use the business intelligence research and development environment established by the Service, Innovation and Integration Branch on behalf of the CRA to obtain necessary data for research and analysis purposes. 

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.  

Level of risk to privacy: 2

Details: The information on Form T661 and on forms T2SCH31, T2038(IND), T1174, T1145, T1146, and T1263 is considered to be part of the tax return (whether T1, T2, or T3). As a result, all controls that the CRA has in place for tax returns apply. SR&ED claims are received and processed by the tax centres. Eighty percent of all SR&ED claims are filed electronically, and the information on these forms is automatically loaded onto the mainframe (CORTAX). The remaining 20% of claims are entered manually at the tax centres. T2 SR&ED claims have to go through an initial risk assessment at the tax centres using an automated risk management tool and then have AIMS cases created automatically. T1 claims above a certain dollar amount threshold, claims for partnerships, and T3s are sent directly to the tax services offices for manual screening. The information in CORTAX is accessed by tax centre assessors dealing with the SR&ED Program, and the assessor looks only at whether the information on the form is complete, not whether it is correct. A preliminary risk assessment determines whether the T2 claim should be accepted as filed or sent to the tax services office for further review. This determination is automated, using the SR&ED risk management tool. The assessor does not have to provide any input. About 40% of the claims sent to the tax centres are accepted as filed based on the automated preliminary risk assessment. In addition, SR&ED staff in field offices access CORTAX to get information from Form T661, so they can do more detailed risk assessments and technical and financial reviews (audit actions) on the claims. These are recorded and stored in AIMS.

Starting May 2019, T1 claims are stored in Integras. 

H) Risk impact to the individual or employee

Details: If an individual’s personal information is compromised, it could cause financial harm to him or her. 

I) Risk impact to the institution

Details: If this information is accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA to be embarrassed and to lose credibility and the public’s trust.

Page details

Date modified: