T3 Trust Returns Assessing v 2.0 - Privacy impact assessment summary

Individual Returns Directorate
Assessment, Benefit, and Service Branch

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner
Assessment, Benefit, and Service Branch (ABSB)

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

T3 Trust Returns Assessing

Description of the class of record and personal information bank

Standard or institution specific class of record:
T3 Initial Assessment and Reassessment program
CRA ABSB 139

Standard or institution specific personal information bank:
T3 Assessment program
TBS registration: 003536
Personal Information Bank Number : CRA PPU 015

Legal authority for program or activity

Personal information is collected under the authority of section 150 and section 220 of the Income Tax Act. The Social Insurance Number is collected pursuant to 248(1) definition of graduated rate estate (c) of the Income Tax Act and is used for identification purposes.

Summary of the project / initiative / change

What is a trust?

A trust is a binding obligation, voluntarily undertaken, but enforceable by law when undertaken, created orally or by written instrument or by a court order or statute whereby the responsibility for the property real and/or personal is taken on by the trustee for the benefit of a person or persons on the instructions of the settlor, court or statute. The Trustee who has management and control of the trust, although not having physical possession of the trust assets, will be the person who has most or all of the following powers or responsibilities:

 A trust is either a testamentary trust or an inter vivos trust. Each trust has different tax rules.  A testamentary trust is a trust or estate that is generally created on and or as a result of the death of a person. The terms of the trust are established by the will or by the court order in relation to the deceased individual’s estate under provincial or territorial law. An inter vivos trust is a trust that is not a testamentary trust.

Types of trusts

A trust must file a return, and any related schedules and statements, if income from the trust property is subject to tax, and in the tax year the trust:

The T3 return is filed as both an income tax return, which calculates tax liability, and an information return, which reports amounts allocated and designated to beneficiaries. A trust can also apply for a trust account number.

The T3 Trust Returns Assessing Program includes assessing and reassessing the following income tax trust returns: T3-RET, T3 ATH-IND, T3D, T3F, T3GR, T3M, T3P, T3PRP, T3QDT, T3RI, and T3S. This review checks whether all amounts on the return are supported by the required documents and verifies the accuracy of calculations of the amounts reported on the documents.

The program is also responsible for:

Additional information concerning Trust income tax is available on the CRA’s website at: canada.ca/en/services/taxes/income-tax/trust-income-tax

What’s new

As a result of the tabling of a new provincial action plan on tax havens and aggressive tax planning, the CRA now shares with the Ministère des Finances du Québec (MFQ) the same data file we currently share with Revenu Québec (RQ). This additional data would provide them with tools to better analyse international taxation and tax planning questions, and announce eventual legislative adjustments on this matter. The data requested is:

Scope of the privacy impact assessment

The scope of this privacy impact assessment includes those sections of the T3 (re)assessing program for resident and non-resident returns that fall within the above description, including the application of the 162(7) late filing penalty which is applied in those cases where the T3 return acts only as an information return.

Certain compliance activities such as identifying non-filers, audits and criminal investigations are separate programs and therefore are not included.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

Details: Personal Information is used to determine a trust’s tax payable, penalties, interest, or refund, and is reflected on a notice of assessment or reassessment. Penalties include the application of the 162(7) late filing penalty which is applied at the assessing stage in those cases where the T3 return acts only as an information return. The 162(1) penalty is determined and applied at the accounting stage of the assessment.  All other penalties related to trusts are determined by other compliance programs.

The information is also used for statistical analysis to enhance and improve services administered by the CRA. 

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: The personal information collected is used in the context of income tax assessments and reassessments including limited validations of these assessments. Most of this information fits into category 3 since it relates to an individual’s information from the return such as SIN, trust account number, date of birth, address, and financial information.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments 

Level of risk to privacy: 4

Details: The exchange of taxpayer information mainly occurs between the T3 Trust Returns Assessing program and other CRA departments. The CRA also provides aggregate information for the purpose of validating tax collection under tax collection agreements with the provinces and territories. Aggregate information is also shared with provincial governments for the purpose of formulating or evaluating fiscal policy.

Additionally the CRA contracts a private sector organization for record storage. Lastly the T3 Trust Returns Assessing Program contracts other federal government departments for the printing of certain types of T3 (re)assessment notices.

D) Duration of the program or activity: Long-term program

Long-term program

Level of risk to privacy: 3

Details: This is a long-term core-CRA program with no clear sunset. 

E) Program population

The program affects certain individuals for external administrative purposes. 

Level of risk to privacy: 3

Details: The program affects individuals involved in a trust that files a return. This could include the settlor (the person setting up the trust), beneficiaries of a trust and trustees which can include an executor, administrator, assignee, receiver, custodian or liquidator who owns or controls property for some other person, and their representatives.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Details: N/A

Does the new or modified program or activity require any modifications to IT legacy systems and/or services? 

Risk to privacy: No

Details: N/A

The new or modified program or activity involves the implementation of one or more of the following technologies: 

Enhanced identification methods

This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance

This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on the program population.

However, as part of CRA security program, CRA employees that will have access to personal taxpayer information will be monitored by the use of audit trails.

The audit trails are used to verify that only an authorized user accesses personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse.

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to CRA networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques

For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The activities listed below involve various elements of personal information and a certain measure of automated technology: 

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: When the return is filed electronically (Internet File Transfer/Submit Docs), the personal information can be transmitted by the trust to the CRA using wireless or non-wireless technology. That information is then stored in various CRA systems and databases.

The personal information from paper-filed returns (mailed or faxed) is keyed into various CRA systems and databases.

The Personal information is pulled from the CRA’s mainframe system and sent to other Agency areas using file transfer protocol, often by means of Entrust encryption software. Limited amounts of personal information are also shared internally within CRA by means of wireless devices. 

H) Risk impact to the individual or employee

Details: A compromise of personal data has the potential to cause financial harm such as identify theft or fraud and/or embarrassment to the individual.

Page details

Date modified: