Specialty Business Returns Program v 2.0 – Privacy impact assessment summary

Business Returns Directorate
Assessment, Benefit, and Service Branch

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch (ABSB)

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Tax Services and Processing

Description of the class of record and personal information bank

Standard or institution specific class of record:
CRA ABSB 228

Standard or institution specific personal information bank:
CRA PPU 224

Legal authority for program or activity

Personal information is collected pursuant to section 150 and section 220 of the Income Tax Act, subsection 229(1) of the Income Tax Regulations under the authority of Section 221 of the Income Tax Act, subsections 5(2) and 5(3) of the Excise Tax Act, section 78 of the Excise Tax Act, section 36 of the Excise Act, section 160 and 161 of the Excise Act, 2001, section 17 of the Air Travellers Security Charge Act, and section 26 of the Softwood Lumber Products Export Charge Act, 2006.

Summary of the project / initiative / change

Overview of the program or activity

The Specialty Business Returns program assesses returns, refunds, and rebate applications and is used to issue notices of assessment and reassessment related to excise duties and taxes, other levies and charges, and customs duties and tariffs collected by the federal government. The Specialty Business Returns program is also responsible for all activities related to the filing of partnership information returns. The seven main lines of business are: 

1. Re – Excise Taxes:
   • Levy return
     • The Levy return is used to report the information and revenue data for clients who are endorsed to collect levies applied to commodities such as:
       • Motive fuels,
       • Air conditioners for vehicles
       • Fuel inefficient vehicle
   • Imposed under Parts II to VII (the non-GST/HST portion) of the Excise Tax Act.
2. RN – Excise taxes:
   • B241 - Broker return
     • The Broker return is used to report the number of insurees for whom the broker has obtained policies. These policies must have been obtained through a company whose home office is outside of Canada. The Broker return is an information return only.
   • B243 – Insuree return
     • The Insuree return is used to report the tax charged on insurance policies obtained by individuals from a company who act as agents or sell insurance policies from foreign insurance businesses.
     • Insurance Premium
   • Imposed under Parts I of the Excise Tax Act.
3. RD – Excise duty:
   • RD – duty accounts
     • The Duty return is used to report the information, revenue and inventory data for clients who are endorsed to produce, package, or warehouse wine, spirits, tobacco products and for Duty Free Shop. Cannabis is also a duty return under the provisions of the Excise Act, 2001 relating to the impositions of the excise duties on cannabis products. Excise duty is a manufacturing/production tax and is not associated with the duty collected when you cross the border.
   • RD – Excise duty
     • Beer is also a Duty return but imposed under the Excise Act.
   • Imposed under the Excise Act, 2001.
4. RG – Air Travellers security charge:
   • Imposes a security charge on Domestic, Trans-border and International enplanements.
   • Paid by the travellers to the registered air carrier who remits the charge to CRA.
   • Effective April 1, 2002, the Federal Government introduced an Air travellers security charge to fund air security expenses. This charge will be paid by air travellers and will be collected by air carriers or their agents when the airline ticket is purchased or when boarding an airplane at a listed airport in Canada. The rates and listed airports can be located on CRA webpage.
   • Imposed under the Air travellers Security Charge Act.
5. SL – Softwood Lumber products export charge: 
   • Imposes an export charge on Softwood Lumber products exported to the USA.
   • Paid by the exporter of record who remits the charge to CRA.
   • Imposed under the Softwood Lumber products export charge Act, 2006.
6. RZ – T5013 – Partnership Information Return
   • A partnership can be formed between individuals, corporations, trusts, or other partnerships, in any combination. A partnership is usually the relationship between persons who carry on a business in common with the belief they will make a profit. You can have a partnership without a written agreement. Each partner files an income tax return to report his or her share of the partnership's net income or loss.
   • The partnership information return is used to report any fiscal data about the allocation of net income, losses and other amounts from the partnership's activities to its members. It is also used by specified investment flow through (SIFT) partnerships to calculate the tax payable under Part IX.1.
7. Fuel charge
   • Fuel charge is a regulatory charge applied to fossil fuels. The fuel charge return and schedules are used to indicate registration type(s), and type(s) of fuel used in, transferred, delivered, brought into, imported in or produced and any combustible waste burned in proposed listed provinces.
   • Imposed under the Greenhouse Gas Pollution Pricing Act, 2018

• Excise taxes, duties, and levies
• T5013 Partnership Information Return filing requirements

What's new

• Addition of activities related to the Fuel charge program.
  • Greenhouse Gas Pollution Pricing Act sets a certain charge on various types of fuels used for combustion in transportation, heating, electricity, manufacturing and industry, such as gasoline, propane and natural gas that will be paid by fuel producers, distributors and importers.
• Addition of activities related to Cannabis duty.
  • The Cannabis Act (administered by Health Canada) and its supporting Regulations came into force on October 17, 2018. The Canada Revenue Agency (CRA) is responsible for the new provisions under the Excise Act, 2001 relating to the imposition of excise duties on cannabis products.

Scope of the privacy impact assessment

The scope of this privacy impact assessment (PIA) covers the assessment of returns, rebates and refund applications, elections, and registration of businesses associated with the Specialty Business Returns program.

Certain compliance activities such as audits and criminal investigations are separate programs and therefore are not included.

Activities related to specialty returns are constantly changing. Therefore, when a new initiative or a change to an existing activity is identified, this PIA will be reviewed and updated accordingly.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: The personal information collected is used for the administration of the activities related to Specialty Business Returns (e.g. identification purposes, processing returns, refunds and rebates, elections, and providing support to clients) in order to assess Excise Duty, Excise Tax, ATSC, Softwood Lumber, Fuel Charge and T5013 Partnership returns, refunds, rebates and fuel charge registrations.

All Specialty Business returns, refunds and rebates, may be subject to audits’ selection criteria. 

B) Type of personal information involved and context

Social Insurance Number (SIN), medical, financial, business information (legal names, address and business number),  or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information collected can include the following: name, contact information, financial information, social insurance number, and signature. Personal information collected from taxpayers can include the following: name, contact information, SIN and signature. 

C) Program or activity partners and private sector involvement

With other or a combination of federal/ provincial and/or municipal government(s)

Level of risk to privacy: 4

Details: Specialty Business Returns program information is shared with business and individual tax program processing systems and applications across various branches and divisions of the CRA, as well as provincial partners. Data is cross referenced between programs on a need to know basis for program administration and enforcement purposes. Ultimately, the purpose is to encourage full disclosure of business activity, and encourage compliance with all program reporting and remitting requirements. All paper copies of returns, refunds and rebates are stored by a third party (Iron Mountain) for the duration of their retention period. 

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The Specialty Business Returns program is an existing long-term program with no anticipated sunset date. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details: The Specialty business returns program affects businesses and certain individuals, who have filed a return, rebate, or elections related to the Specialty Business Returns program. Individuals that are affected file XE8 refund applications based on the type of claiming ‘Individual with permanent mobility impairment’. We also collect the information from insured individual, on the Excise tax return (B243), which can include name, telephone number and signature. Personal Information is also collected on the T5013 SCH 50 for Individuals who are listed as partners on the T5013 return (SIN and Name). Personal information is also collected from individuals who file return, refund, and rebate applications on behalf of business that they represent. Including, Excise Duty, Excise Tax, ATSC, Softwood Lumber, and fuel charge accounts. 

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Details: N/A

Does the new or modified program or activity require any modifications to IT legacy systems and/or services? 

Risk to privacy: No

Details: N/A 

The new or modified program or activity involves the implementation of one or more of the following technologies: 

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: SBR has a system functionality that will link with the T1 system to confirm if a social insurance number (SIN) provided on the T5013 return - SCH 50, is a valid SIN as well the system will confirm if the SIN provided is of a deceased taxpayer. The functionality will not confirm the SIN against the taxpayer, it will only validate if the SIN is a valid number.

When an SBR return is captured in the Other Levies System (OLS), there is a call to the Business Number System (BNS) to verify that the Business Number (BN) is valid. If the BN is not valid, a warning message will display in OLS.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: Information received from taxpayers via hard copies is data captured directly into the Other Levies System (OLS).

T5013 Partnership Information Returns can be submitted to CRA via My Business Account (MyBA), Represent a Client (RAC), or Internet File Transfer after receiving a Web access code. Information is transferred to the OLS via a secure connection.

Some headquarters staff have access to the mainframe on laptops encrypted with Secure Remote Access (SRA).

The OLS is a part of the Business suite which includes the following systems: Standardized accounting (SA), Business client communication system (BCCS), Business Number System (BNS), etc… Certain personal information that is collected for the SBR program, and is captured in the OLS is shared with the other systems in the business suite.

H) Risk impact to the individual or employee

Details: There could be a significant risk of financial harm to the individual should there be a breach of personal information. 

I) Risk impact to the institution

Details: Protecting privacy and confidentiality are paramount to the CRA administration of the Specialty Business Return program. A breach on either side - either the tax filers’ personal information or certain aspects of the program’s business rules and operating procedure - could negatively affect the Agency’s strategic outcome to ensure taxpayers meet their obligations and Canada’s revenue base is protected. Negative media attention and decreased public confidence can influence compliance behaviour.