Small and Medium Enterprises Income Tax Audit and Examinations

Privacy Impact Assessment (PIA) summary - Domestic Compliance Programs Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Anne-Marie Levesque
Assistant Commissioner, Domestic Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Small and Medium Enterprises

Description of the class of record and personal information bank

Standard or institution specific class of record:
Small and Medium Enterprises Income Tax Audit and Examinations Class of Record (CRA DCPB 452) - formerly (CRA CPB 257)

Standard or institution specific personal information bank:
Small and Medium Enterprises - Personal Information Bank (CRA PPU 421)

Legal authority for program or activity

Income Tax Act (ITA)

Excise Tax Act (ETA)

Canada Revenue Agency Act (CRAA)

Federal-Provincial Fiscal Arrangements Act

Summary of the project / initiative / change

In order to meet the requirements of the Directive on Privacy Impact Assessments, CRA is undertaking a new process as a means to align privacy impact assessments (PIAs) with CRA’s program activity architecture. This new process will enable the CRA to adequately describe and assess the risks with respect to the creation, collection and handling of personal information as part of its programs and activities. This program level PIA is being developed to support ongoing privacy awareness and compliance for the Small and Medium Enterprises (SME) program. The PIA covers all audits, examinations and reviews and program activities including risk assessment and research and analysis from the workload selection stage and audit quality review after the audit work is complete. This PIA should be read along with the Business Intelligence and Compliance Risk Assessment (BICRA) PIA. The BICRA PIA covers most of the business intelligence activities undertaken by all audit areas in the Domestic Compliance Programs Branch. Data gathered and analyzed for business intelligence (BI) or risk analysis may be used by BI officers in selecting files and auditors in the course of their audits. It is also used to select files for targeted communications.

The SME program plays a critical role in supporting the Agency's mission to ensure taxpayer compliance with federal, provincial and territorial tax laws. To achieve its mandate, the Directorate employs a wide range of mechanisms to promote voluntary compliance and to make non-compliance more difficult.

The SME population poses unique challenges to ensuring compliance. The population is large and diverse, with thousands entering and leaving the marketplace each year. Books and records are often poorly kept and there may be frequent cash transactions resulting in little or no audit trail.

The CRA has developed a strategy focusing on "the right intervention for the risk" to enable it to respond effectively to the unique compliance challenges posed by the SME sector. Implementing "the right intervention for the risk" means that we seek to find the least intrusive and most economical way to promote compliance. A range of interventions will be deployed to reach the most taxpayers possible within the SME population. Soft interventions or nudge approaches will be used instead of after-the-fact audit interventions where these less intrusive methods are more effective in ensuring compliance. While still an important part of our mandate, audits and penalties are generally reserved for the most serious cases of non-compliance. By using a range of interventions, we can address non-compliance on several fronts concurrently.

Activities that focus on SME compliance are constantly being refined. Therefore, as a new initiative or refinement is identified, this PIA will be reviewed and updated accordingly, and will support consultations with the Office of the Privacy Commissioner and any personal information bank updates that may be required.

For additional information, the Domestic Compliance Programs Branch maintains an accessible and regularly updated website at http://www.cra-arc.gc.ca/tx/bsnss/tpcs/lf-vnts/dt/menu-eng.html. Embedded in that site are videos and recorded webinars that explain CRA’s audit process.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: The SME program utilizes the audit and inspection powers afforded to it under the ITA to collect information relating to the business and/or personal affairs of taxpayers in order to determine the correct amount of taxes payable. The vast majority of cases will involve only administrative consequences - audits resulting in additional taxes owing and possibly civil penalties. The audit work could also result in leads being generated for other taxpayers and/or GST/HST registrants, which in turn could result in those taxpayers and/or GST/HST registrants being audited. The SME program does not undertake criminal prosecutions, but some cases may be referred to the Criminal Investigations Division for criminal prosecution.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details: Audit activities rely on information collected under the authority of the ITA to perform their mandate. Information collected in the course of that mandate, such as during an audit, becomes part of the audit file and may include the social insurance number (SIN), financial or other sensitive information. In some cases, indirect verification of income may be necessary, which would include obtaining personal banking or lifestyle information of taxpayers and other members of their household.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details: In accordance with the ITA and/or ETA, information may be collected from and shared with participating provincial or territorial partners and other federal institutions. Information may also be shared with foreign governments with respect to the resolution of audit cases involving taxpayers residing abroad or with foreign operations.

In some cases, an external third party service may be used to help identify additional risk factors on income tax accounts. For example, third party information from suppliers, banks or credit bureaus may provide details on a taxpayer’s personal and business activities.

In addition, paper copies of personal information are stored and retained at a private-sector records storage facility.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The SME program is an ongoing long-term program which ensures the integrity of the self-assessment system. Some activities may change focus or be added, but the primary mandate to ensure that taxpayers are compliant will remain.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The SME program can affect businesses, individuals, trusts, partnerships, etc. who have filed an income tax or related information return. CRA relies on risk-assessment systems and research to determine which taxpayers are most likely to misunderstand their tax obligations. CRA also randomly selects tax returns and conducts audits and/or reviews to verify that taxpayers are paying their taxes in full and on time. If a review indicates that certain activities are more at risk for non-compliance than others, CRA may conduct more audits of taxpayers reporting these types of activities.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

The SMED is in the process of developing and implementing the Integras system for business intelligence workload management functions (case creation, management and assignment), audit and review use, and file management. Personal information collected as needed during an audit, review or targeted communications may be included in the Integras file.

The new or modified program or activity involves the implementation of one or more of the following technologies:

Risk to privacy: Yes

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A 

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: Income tax returns may undergo automated matching processes where certain characteristics of the return are matched against income tax filing information and certain other risk factors known to be associated with higher than average incidence of non-compliance such as industry and size of the business. Returns are given a score and they may be given to auditors or analysts for further review. The CRA is also developing statistical predictive models of risk that will be applied to all accounts to give an additional risk score that will be referenced when accounts are screened for potential audit action. Manual intervention by a screener, auditor or examiner is always required for a compliance action to be taken. A separate privacy impact assessment for these models has been completed. The Business Intelligence and Risk Management Division (BIRM), within the Business Intelligence and Corporate Management Directorate (BICMD), International, Large Business and Investigations Branch (ILBIB), is responsible for providing support services to the SME program, including the acquisition and maintenance of high quality data, Business Intelligence (BI), business analytics and risk assessment services. As a result, the Business Intelligence and Compliance Risk Analysis PIA covers off most of the automated personal information analysis, personal information matching and knowledge discovery techniques as it pertains to the SME program. In addition, the SME program conducts further compliance risk analysis for file selection purposes to ultimately identify the highest risk files in the SME’s program population.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: Auditors in the field use laptops with full disk encryption and standard secure remote access. CRA's Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to their network. The current release of this platform is Secure Remote Access (SRA) 2.0. SRA 2.0 allows users to gain access to the CRA network anytime/anywhere that internet is available. This application is now managed by Shared Services Canada. All users are required to sign on with Public Key Infrastructure (PKI) credentials, and there are clear policies and procedures to be followed. Information may also be copied, exported, or transmitted between CRA systems, Integras and COMPASS, for purposes of risk assessment, workload development and auditing.

H) Risk impact to the individual or employee

Financial harm.

Details: If a person’s personal information becomes compromised they may become a victim of identity theft, and their information may be used without their knowledge or consent in ways that could result in a financial or reputational loss to that person, such as the misuse of their credit card information, debts being incurred on their behalf, etc.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility.

Details: Protecting privacy and confidentiality is paramount to the CRA's administration of SME programs. The public must have confidence that the CRA is vigilantly maintaining taxpayer information to ensure fairness. A breach of tax filers’ personal information could negatively affect the Agency’s strategic outcome to ensure taxpayers meet their obligations and Canada’s revenue base is protected. Negative media attention and decreased public confidence can influence compliance behaviour.
