Tax-Free Savings Account Program

Privacy Impact Assessment (PIA) summary

1. Purpose

This document summarizes the results of the privacy impact assessment (PIA) for the Tax-Free Savings Account (TFSA) program which is administered by the Canada Revenue Agency (CRA). This PIA summary will focus on the following key elements: the nature of the program and associated activities, the business process and the personal information data flows including the context of applicable privacy policies and legislation and finally, how privacy issues factored into the TFSA program design provides measures to resolve or mitigate any identified issues which enable CRA to effectively manage the TFSA program. This PIA summary is based on current information and reflects the situation as of February 2011.

2. Description – Tax-Free Savings Account

The TFSA was introduced as part of the Federal budget tabled on February 26, 2008 and is part of Bill C-50 that received Royal Assent on June 18, 2008. The TFSA program became effective on January 1, 2009.

TFSA Issuers, the majority of which are Financial Institutions (FI), must register with the CRA in order to sell qualified TFSA Arrangements. TFSA Issuers will be required to electronically file the transaction details for each TFSA Account each year. Such transmitted personal information would include the social insurance number (SIN) as well as other identification information, such as, the name, date of birth and address of the account holder. The CRA will use the transaction details filed by Issuers to calculate and advise individuals of their unused TFSA contribution room. This information will also be used to assist in identifying and assessing various potentially applicable taxes. TFSA unused contribution room will be provided with the T1 Notice of Assessment (NOA) and all transaction details, including dates, will be made available on the online service "My Account". The implementation of the TFSA has had a significant impact with the need to develop a separate database and processing system within the Agency.

The Department of Finance Canada will annually receive TFSA information from the CRA. This data will be used to help the Government assess the impact of this legislation.

The growing popularity of the TFSA program has and will create a considerable amount of data that will have to be managed by CRA. In 2009, over 4.8 million individuals opened a TFSA. The Fair Market Value of all TFSAs held on December 31, 2009, was over $19 billion, with this total projected to reach as much as $115 billion or more after the first 5 years.

3. PIA Findings

As a result of the PIA review, no major privacy risks were identified with respect to the TFSA program.

All privacy measures put in place were in line with CRA's mandate which is to register TFSA issuers and plans, inform individuals about TFSA legislation, collaborate with financial institutions with respect to their reporting obligations, provide individuals with individualized and accurate TFSA unused contribution room statements in a timely manner, ensure compliance with legislative rules, and assess any applicable taxes, penalties and interest.

4. Current Personal Information Data Flows

This PIA analyses the personal information data flows within the TFSA program with the intent to comply with the Privacy Act. The Privacy Act protects the privacy of individuals with respect to the use of personal information held by a government institution and allows individuals with a right of access to that information.

The analysis is summarized in the following tables:

Data cluster #1 – Issuers collect applicant information

Description of personal information cluster:
Each TFSA account holder must provide, part or all of the following information: social insurance number, name, date of birth, address, phone number, city, province, postal code, CIF/Contract number, application date, user ID, sub-transit number, account number and card number. The form could also indicate the preferred language to use in any future correspondence.

Collected by:
Financial Institutions, Trust Companies, licensed annuities provider, a person who is, or is eligible to become, a member of the Canadian Payments Association or a Credit Union with which an individual has a qualifying arrangement.

Type of format (e.g. paper, electronic:
Both paper and electronic format may be used when completing the TFSA application form. All transaction details from each TFSA Account holder must be transmitted electronically once a year to CRA.

Used by:
Financial Institutions, Trust Companies, licensed annuities provider, a person who is, or is eligible to become, a member of the Canadian Payments Association or a Credit Union with which an individual has a qualifying arrangement and CRA. Used by CRA to administer the TFSA program.

Purpose of collection:
Issuers collect this data to allow for the administration of the TFSA program including the assessment of TFSA returns and the provision of TFSA contribution room to the individuals.

Disclosed to:
Issuers will submit to CRA, once a year, all transaction details from each TFSA Account holder.

Storage or retention site:
Issuers will hold, maintain and update the records of every TFSA account holder at their designated premises or as per their administrative policies and procedures.

Data cluster #2 – CRA collects TFSA account information

Description of personal information cluster:
Issuers will submit to CRA, once a year, all transaction details from each TFSA account holder. Each account will hold the following information: CIF/Contract number, social insurance number, name, date of birth and address. TFSA Issuer contact information: name, telephone #, email address.

Collected by:
CRA

Type of format (e.g. paper, electronic):
Issuers will submit electronically to CRA once a year, by means of Infodec, all transaction details from each TFSA Account holder. TFSA Account holders will be required to use a paper format when corresponding with CRA.

Used by:
CRA

Purpose of collection:
CRA will use the transaction details, filed by Issuers, to calculate and advise account holders of their unused TFSA contribution room or to assist in identifying and assessing various potentially applicable taxes.

Disclosed to:
The Department of Finance Canada will annually receive TFSA information from the CRA for program evaluation purposes.

Storage or retention site:
The personal information within each CRA TFSA record will be retained for as long as the plan is registered. Once the plan is terminated or wound-up, information is retained for 5 years following the year in which notification is received and then destroyed.

When a TFSA account is created, individuals must consent to the collection of personal information by their financial institution. This information will then be electronically transmitted annually by the financial institution which will then be captured and stored by the CRA. The CRA will use its Information Declaration (Infodec) application to access this information.

This information is used by the TFSA system to determine each individual's contribution room based on slip summary and transaction details. From these details, the TFSA Unit will provide, to each account holder, the TFSA contribution room through one or more of the following avenues: a TFSA contribution room statement and or with a verse on a T1 Notice of (Re)Assessment.

All transaction details including dates will be made available on the online service "My Account". Separate unused contribution room statements will be provided upon request or where there was no Notice of Assessment issued to the account holder. The TFSA database will also be linked to the Tax Information Phone Service (T.I.P.S.) so that account holders are able to obtain their available contribution room.

All data elements are required, for:

The Department of Finance Canada will annually receive TFSA information from the CRA. This data will be used to help theGovernment assess the impact of this legislation.  The CRA may also conduct statistical analysis to aid in program improvement.

5. Security Management

A Threat Risk Assessment and Statement of Sensitivity (TRA/SOS) Report was completed to ensure that any security issues were addressed pertaining to internal and external stakeholders. All users and those having access to the TFSA data base have the necessary clearance and access is limited based on work responsibilities.

6. Privacy Risk Management Summary

As a result of the PIA review, no major privacy risks were identified with respect to the TFSA program. Appropriate remedies and/or mitigation strategies were implemented, as appropriate, to address any ancillary issues.

The TFSA account holders have access to their personal information via the traditional methods offered by CRA.

CRA personnel comply with the Government Security Policy which requires that access rights only be granted on a need-to-know-basis.

Under Section 241 of the Income Tax Act, all individuals are assured that their information will be secure and kept strictly confidential. Access will be controlled, monitored, and audited using existing mechanisms.

Page details

Date modified: