Trust Accounts Examination (Payroll) v3.0

Collections and Verification Branch
Business Compliance Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Mohammad Rahman
Director General, Business Compliance Directorate
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Returns Compliance

Standard or institution specific class of record:

Employer Compliance
CRA CVB 188

Standard or institution specific personal information bank:

Employer Compliance
CRA PPU 120
TBS Registration Number: 001948

Legal authority for program or activity

The CRA administers Trust Accounts Examination (TAE) (payroll) program activities under the authorities in the following acts:

• Income Tax Act: subsections 220(1) and 220(2.01)
• Employment Insurance Act: subsections 97(1) and 108(1.1)
• Canada Pension Plan Act: subsection 5(2)
• Excise Act, 2001: section 8 and subsection 9(2)
• Excise Tax Act: subsections 275(1) and 275(3)

Section 241 of the Income Tax Act allows the CRA to provide certain taxpayer information to any person, including a federal, provincial or territorial official, with the taxpayer’s consent . Each written agreement specifies the legal authority that allows the provincial, territorial or federal government department to collect personal information and enter into an agreement with the CRA. The collection of personal information and its disclosure are qualified and stipulated more in section 241(1)(c) of the Income Tax Act.

The following acts provide legal authority to enter premises and inspect, audit, or examine taxpayer’s books, records and documents:

• Income Tax Act: section 231.1
• Excise Tax Act: section 288 
• Employment Insurance Act: section 88 
• Canada Pension Plan Act: section 25

The following acts provide legal authority to assess deficiencies when applicable:

• Income Tax Act: sections 152 and 227
• Excise Tax Act: section 296
• Employment Insurance Act: section 85
• Canada Pension Plan Act: section 22  
• Subsection 231.5 (1) of the Income Tax Act and subsection 291 (1) of the Excise Tax Act provide legal authority to make copies of documents.

The following legislative authorities enable the CRA to apply penalties and interest for payroll compliance:

• Every person who has failed to remit or pay is liable to a penalty of 10%:
  • Income Tax Act: paragraph 227(9)(a)
  • Canada Pension Plan Act: paragraph 21(7)(a)
  • Employment Insurance Act: paragraph 82(9)(a)

• If the person knowingly or under circumstances amounting to gross negligence failed to remit or pay, 20% of the amount owed:
  • Income Tax Act: paragraph 227(9)(b)
  • Canada Pension Plan Act: paragraph 21(7)(b)
  • Employment Insurance Act: paragraph 82(9)(b)
  • Interest payable at the prescribed rate:
  • Income Tax Act: subsection 227(9.2)
  • Canada Pension Plan Act: subsection 21(6)
  • Employment Insurance Act: subsection 82(8)
  • Section 125.7 of the Income Tax Act provides legal authority in regard to calculating tax to verify the 10% temporary wage subsidy for employers
  • Section 4 Reporting Obligation of the Dental Care Measures Act

Summary of the project, initiative or change

Overview of the Program or Activity

The objective of the TAE program (payroll) is to maintain the integrity of the tax system regarding:

• reporting employment income and taxable benefits
• withholding and remitting payroll related amounts, and
• properly characterizing workers

It does this through a combination of taxpayer education and responsible enforcement, including examining employers’ books and records. 

To increase and enhance voluntary compliance, the program promotes employer awareness and understanding of tax laws and obligations as provided in the:

• Income Tax Act
• Excise Tax Act
• Canada Pension Plan
• Employment Insurance Act, and
• their respective regulations

Trust accounts examination officers (TAEOs) conduct examinations of taxpayer's books and records to ensure employers comply with the:

• deducting, remitting, and reporting requirements for source deductions (CPP/CPP2/EI/tax), and
• filing and collection requirements for the goods and services tax/ harmonized sales tax (GST/HST)

If payroll accounts are non-compliant, other program areas may request a trust accounts examination (TAE). Additionally, the Workload Development and Business Intelligence Section of the Business Compliance Directorate develops the TAE workload. That directorate performs risk assessments to determine whether an employer will comply with their employer reporting obligations.

Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:

• whether an individual's employment is pensionable under the Canada Pension Plan or insurable under the Employment Insurance Act
• the amount of pensionable or insurable earnings
• whether Canada Pension Plan contributions and employment insurance premiums are payable
• how many hours an insured person has in insurable employment
• how long an employment lasts, including the dates the employment began and ended
• the amount of Canada Pension Plan contributions or employment insurance premiums payable
• who is the employer
• whether employers are considered to be associated for the purposes of the Employment Insurance Act, and
• the refund amount

What’s New

The 10% temporary wage subsidy for employers (TWS) is a 3-month measure administered by the Employer Accounts program. This measure allows eligible employers to reduce the amount of payroll deductions they need to remit to the CRA. Eligible employers are those that paid eligible remuneration to an eligible employee from March 18 to June 19, 2020. The Employer Accounts program will send some non-compliant accounts to TAE program to resolve. The TAE program will verify and validate amounts an employer claimed for the subsidy and how they applied the subsidy to each pay period in their payroll account. The program will ask the taxpayer for a copy of Form PD27, 10% Temporary Wage Subsidy Self-identification Form for Employers, and complete a review to confirm the employer is eligible.

In 2019, desk examinations become a part of the TAE program, and the program continues to use the FileNet system to store documents received from employers, GST/HST registrants, and their authorized representatives.

In 2020, the CRA established a digital fax line for employers to submit their books and records. Documents received by digital fax are stored in FileNet.

As of January 2021, each representative authorized by a firm, a business, or a group must get their own representative identifier (RepID) and provide it to the CRA before they can represent their client. Businesses can manage who can access their tax information online using My Business Account. This includes authorizing or deleting a representative and monitoring any transactions a representative performs.

For offline access (phone, fax, mail, or in person) for a representative, a business must submit the AUT-01 - Authorize a Representative for Offline Access Form. The AUT-01 form replaced Form RC59, Business Consent. This new procedure is a proactive initiative put in place to support the CRA’s legal obligation to protect confidential taxpayer information. The Represent a Client Management Enquiries application allows the TAE program to authenticate the representative by cross‑referencing a representative’s RepID with the CRA’s records.

The Vancouver Island and North Tax Services Office has started a monitoring project to determine the level of tax compliance of participants receiving contracts to work. As a result, the office created a local application to:

• gather the data from different sources for easy access and productivity efficiency, and
• help users conduct an integrated compliance approach to high-risk entities operating in the Site C zone of interest

The application’s database contains external public information and internal information from the mainframe system. It is designed for data analysis, intelligence gathering, risk identification, file management, audit, and collections to ensure taxpayers are reporting and paying the appropriate tax for each program. The application offers specialized query and reporting functions for multiple users to efficiently review the population of taxpayers across business lines and serves to break down silos and optimize the existing program activities. The application allows different program line users, including the TAE program, to verify compliance for entities and individuals, add or update information, and get reports in real‑time.

The interim Canada dental benefit is meant to help lower dental costs for eligible families earning less than $90,000 per year. Parents and guardians may be eligible if they pay for dental care for a child under 12 years old who does not have access to a private dental insurance plan. Beginning with the 2023 tax year, issuers (including employers and pension plan administrators) of T4 or T4A slips must annually report whether a payee or any of the payee’s family members were eligible to access dental insurance due to their current or former employment. This includes dental coverage of any kind, including health spending and wellness accounts. According to legislation and procedures already in place, not reporting this information may result in financial penalties.

To support these new reporting requirements, the CRA made the following changes to the T4 and T4A slips:

• Box 45, Employer-offered Dental Benefits, was added to the T4 slip. This new box will be mandatory for all slips.
• Box 015, Payer-offered Dental Benefits, was added to the T4A slip. This new box will be mandatory if an amount is reported in Box 016, Pension or Superannuation. Otherwise, the box will be optional.

Program letters are being updated to ask the employer whether a dental plan was offered to employees and to whom it was offered. The TAE program will be ensuring employers fill out the new boxes on the slips. As well, it will file and amend slips during the course of exams as required in line with the new legislative policies.

Scope of the Privacy Impact Assessment

This PIA identifies and assesses privacy risks to personal information relating to activities of the TAE program. The activities of the Employer Accounts program and ECA program have been assessed under separate PIAs. Activities related to creating workloads, identifying unknown non‑compliance, and delivering business intelligence solutions in support of the TAE program are assessed in the Workload Development and Business Intelligence: Business Compliance Programs PIA. The Collections and Verification Business Intelligence PIA assesses the development of the business intelligence and related data solutions and services for the Employer Accounts program.

Some references to the GST/HST examination program and the air traveller’s security charge have been removed because those programs are covered under the Corporations and GST/HST Compliance Programs PIA.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement  

Level of risk to privacy: 3

Details:

The program uses personal information to review the books and records of businesses to ensure they are compliant with filing, reporting, and withholding requirements and to assess deficiencies when applicable. This includes validating temporary wage subsidy claims. In addition, the program uses this information to review payroll and GST/HST accounts for taxable benefits and the proper characterization of workers.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

The TAE program has to review business books and documents, including any relevant tax slips issued to employees. When reviewing these records, the CRA employee would have access to social insurance numbers and other financial information. This is necessary to properly execute the program mandate.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

Information about payroll deductions may be shared with Québec, in accordance with a memorandum of understanding with Revenu Québec, to correct misapplied payments.

Employment and Social Development Canada (ESDC) and the CRA jointly administer the Canada Pension Plan and employment insurance. The information the TAE program shares with other CRA programs, including with the Individual Returns Program, may be shared with ESDC. A memorandum of understanding between the CRA and ESDC covers the provision of protected information in support of the Canada Pension Plan, Employment Insurance, and Old Age Security programs. 

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

This program does not have an end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The payroll examinations population consists of employers, trustees, and payers responsible for deducting Canada Pension Plan contributions, employment insurance premiums, and income tax from remuneration or other types of income.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
   
   Risk to privacy: Yes
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
   
   Risk to privacy: No
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.  

Level of risk to privacy: 4

Details:

When on-site at an employer’s location, TAE officers use a laptop computer with access control and may also use an encrypted universal serial bus (USB) key.

Access to the CRA network from remote locations must be done with full disk encryption and standard secure remote access. The Information Technology Branch has developed an agency‑wide telecommuting platform that offers users secure access to the network.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and their information may be used without their knowledge or consent.