T3 Trusts Returns Assessing

Individual Returns Directorate, Assessment, Benefit, and Service Branch

Overview and PIA Initiative

Government institution
Canada Revenue Agency (CRA)

Government official responsible for the privacy assessment
Frank Vermaeten
Assistant Commissioner
Assessment, Benefit and Service Branch

Head of the government institution or delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution
T3 Trust Returns Assessing

Summary of the project, initiative or change:

Trusts may have to file a T3 Trust Income Tax and Information Return (T3 return), and any related schedules and statements, if they meet certain requirements.  The T3 return is filed as both an income tax return, which calculates tax liability, and an information return, which reports amounts allocated and designated to beneficiaries. A trust can also apply for a trust account number.
The T3 Trust Returns Assessing Program includes assessing and reassessing the following income tax trust returns: T3-RET, T3 ATH-IND, T3D, T3F, T3GR, T3M, T3P, T3PRP, T3QDT, T3RI, and T3S. This review checks whether all amounts on the return are supported by the required documents and verifies the accuracy of calculations of the amounts reported on the documents.

The program is also responsible for:

The scope of this privacy impact assessment includes those sections of the T3 (re)assessing program that fall within the above description, including the application of the 162(7) late filing penalty which is applied in those cases where the T3 return acts only as an information return. 
Certain compliance activities such as identifying non-filers, audits and criminal investigations are separate programs and therefore are not included.

Additional information concerning Trust income tax is available on the CRA’s website at:
https://www.canada.ca/en/services/taxes/income-tax/trust-income-tax.html

Description of the class of record and personal information bank
T3 Trust Information and Income Tax Return
RDA Number: 92/005
Related Class of Record Number: CRA ABSB 139
TBS Registration: 003536
Personal Information Bank Number: CRA PPU 015

Legal authority for program or activity
Personal information is collected under the authority of sections 150 and 220 of the Income Tax Act. The social insurance number is collected pursuant to the definition of graduated rate estate (c) of section 248(1) of the Income Tax Act and is used for identification purposes.

Risk identification and categorization

1) Type of program or activity
Administration of Programs / Activity and Services
Level of risk to privacy: 2
Details:
Personal Information is used to determine a trust’s tax payable, penalties, interest, or refund, and is reflected on a notice of assessment or reassessment. Penalties include the application of the 162(7) late filing penalty which is applied at the assessing stage in those cases where the T3 return acts only as an information return. The 162(1) penalty is determined and applied at the accounting stage of the assessment.  All other penalties related to trusts are determined by other compliance programs.
The information is also used for statistical analysis to enhance and improve services administered by the CRA.

2) Type of personal information involved and context
Social insurance number (SIN), medical, financial or other sensitive personal information and the context surrounding the personal information are sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details: The personal information collected is used in the context of income tax assessments and reassessments including limited validations of these assessments. Most of this information fits into category 3 since it relates to an individual’s information from the return such as SIN, trust account number, date of birth, address, and financial information.

3) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4
Details: The exchange of taxpayer information mainly occurs between the T3 Trust Returns Assessing program and other CRA departments. The CRA also provides aggregate information for the purpose of validating tax collection under tax collection agreements with the provinces and territories. Aggregate information is also shared with provincial governments for the purpose of formulating or evaluating fiscal policy.
Additionally the CRA contracts a private sector organization for record storage and disposal as mentioned in the below storage and retention section. Lastly the T3 Trust Returns Assessing Program contracts other federal government departments for the printing of certain types of T3 (re)assessment notices.

4) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details: This is a long-term core-CRA program with no clear sunset.

5) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: The program affects individuals involved in a trust that files a return. This could include the settlor (the person setting up the trust), beneficiaries of a trust and trustees which can include an executor, administrator, assignee, receiver, custodian or liquidator who owns or controls property for some other person, and their representatives. A trust must file a return if income from the trust property is subject to tax, and in the tax year the trust:

Receives from the trust property any income, gain, or profit that is allocated to one or more beneficiaries, and the trust has: total income from all sources of more than $500; income of more than $100 allocated to any single beneficiary; made a distribution of capital to one or more beneficiaries; or allocated any portion of the income to a non-resident beneficiary.

6) Technology and privacy
Does the new or modified program or activity involve implementing a new electronic system, software or application including collaborative software (or groupware) that is implemented to support the program or activity in how it creates, collects or handles personal information?
Risk to privacy: No

Does the new or modified program or activity require any modifications to information technology legacy systems or services?
Risk to privacy: No

The new or modified program or activity involves implementing one or more of the following technologies:
Enhanced identification methods – this includes biometric technology (that is, facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification, etc.). It also includes easy-pass technology, new identification cards including magnetic stripe cards, "smart cards" (that is, identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details:

Use of surveillance – this includes surveillance technologies such as audio or video recording devices, thermal imaging, recognition devices, radio frequency identification, surreptitious surveillance or interception, and computer-aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy: No
Details: The program does not involve the use of surveillance on the program population.

However, as part of CRA security program, CRA employees that will have access to personal taxpayer information will be monitored by the use of audit trails.

The audit trails are used to verify that only an authorized user accesses personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse. 

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to CRA networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques – for the purposes of the directive on privacy impact assessment, government institutions have to identify activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information. Such activities include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. These activities involve some form of artificial intelligence or machine learning to uncover knowledge (intelligence), trends or patterns or to predict behavior.
Risk to privacy: Yes
Details:
The activities listed below involve various elements of personal information and a certain measure of automated technology:

Record Linkage
Identification information is linked with sub-ledger identification information.

Information Reconciliation
Personal information (financial information) stored on the ATS, OLINT, AutoIntcal, and Subledger is reconciled when the assessment process is finished. This is done on a weekly basis.

7) Personal information transmission
Personal information is sent using wireless technologies.
Level of risk to privacy: 4
Details:

When a tax return is filed electronically (Internet file transfer, for example), the personal information can be sent by the trust to the CRA using wireless or non-wireless technology. That information is then stored in various CRA systems and databases.

The personal information from paper-filed returns (mailed or faxed) is keyed into various CRA systems and databases.

The personal information is pulled from the CRA’s mainframe system and sent to other areas of the CRA using file transfer protocol, often by means of Entrust encryption software. Limited amounts of personal information are also shared within the CRA through wireless devices.

8) Risk impact to the institution
Details: Should information be accidently or deliberately discharged or compromised, it could cause the CRA and its federal/provincial/territorial partner embarrassment, loss of credibility and public trust. A significant privacy breach has the potential to result in a lawsuit and/or calls for the resignation of the minister and departmental officials.

9) Risk impact to the individual or employee
Details: A compromise of personal data has the potential to cause financial harm such as identify theft or fraud and/or embarrassment to the individual.

Page details

Date modified: