Trust Accounts Examination Program – Privacy impact assessment v 2.0

Collections and Verification Branch
Business Compliance Directorate

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Michael Snaauw
Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Returns Compliance

Description of the class of record and personal information bank

Standard or institution specific class of record:
Employer Compliance
Record Number: CRA CVB 188

Standard or institution specific personal information bank:
Employer Compliance
Bank Number: CRA PPU 120

Legal authority for program or activity

Section 231.1 of the Income Tax Act; section 288 of the Excise Tax Act; section 88 of the Employment Insurance Act; section 25 of the Canada Pension Plan Act; and section 70 of the Air Travellers Security Charge Act provide legal authority to enter premises and inspect, audit, or examine taxpayer’s books, records and documents.

Sections 152 and 227 of the Income Tax Act; section 296 of the Excise Tax Act; section 85 of the Employment Insurance Act; section 22 of the Canada Pension Plan Act; and section 39 of the Air Travellers Security Charge Act, provide legal authority to assess deficiencies when applicable.

Subsection 231.5 (1) of the Income Tax Act and subsection 291 (1) of the Excise Tax Act provide legal authority to make copies of documents.

The legislative authorities used by CRA to apply penalties and interests for payroll compliance:
 
  • Where the failure was made knowingly or under circumstances amounting to gross negligence, 20% of that amount:
    • Income Tax Act: paragraph 227(9)(b)
    • Canada Pension Plan Act: paragraph 21(7)(b)
    • Employment Insurance Act: paragraph 82(9)(b)
  • Interest: Payable at the prescribed rate
    • Income Tax Act: subsection 227(9.2)
    • Canada Pension Plan Act: subsection 21(6)
    • Employment Insurance Act: subsection 82(8)

Summary of the project / initiative / change

Brief overview of the program or activity

Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:

In cases where payroll accounts are non-compliant, a trust accounts examination may be requested. The objective of the Trust Accounts Examination Program is to maintain the integrity of the tax system with respect to the reporting of employment income and taxable benefits, the withholding and remitting of payroll related amounts, and the proper characterization of workers, through a combination of taxpayer education and responsible enforcement including examinations of employers’ books and records. The program promotes employer awareness and understanding of tax laws and obligations as provided in the Income Tax Act, the Excise Tax Act, the Canada Pension Plan, the Employment Insurance Act, the Air Travellers Security Charge Act and their respective regulations, to increase and enhance voluntary compliance.

What's new

The Trust Accounts Examination program is currently running a pilot project whose objective is to explore the types of trust accounts examination files that could be worked efficiently and effectively within a tax services office without the need to travel to a taxpayer’s or to their authorized representative’s place of business.

With the implementation of e-Docs for the Trust Accounts Examination program, employers and their representatives now have the option to send documents to the CRA electronically through the CRA web portal using the My Business Account portal or the Represent a Client portal. This option makes it more feasible to complete trust account examinations (TAEs) within the office without having to visit the taxpayer or their representative.

Documents submitted through the My Business Account or Represent a Client portals are received through the FileNet system where officers review them.

Scope of the privacy impact assessment

This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Trust Accounts Examination program activities. The Employer Accounts program, Employer Compliance Audit program, and the Collections and Verification Business Intelligence program activities have been assessed under separate PIAs.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement 

Level of risk to privacy: 3

Details:

Personal information is used to review the books and records of businesses to ensure that they are compliant with filing, reporting and withholding requirements, and to assess deficiencies when applicable. In addition, information is used to review payroll and GST/HST accounts with respect to taxable benefits, and the proper characterization of workers.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details:

Trust Accounts Examinations require the review of business books and documents including any relevant tax slips issued to employees. The review of these records means that the CRA employee would have access to social insurance numbers and other financial information. This is necessary to properly execute the program mandate.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments.

Level of risk to privacy: 4

Details:

The program may share personal information with other CRA programs for collection of outstanding balances, audit activities or to report suspected activities.

Information regarding payroll deductions may be shared with Québec, in accordance with a Memorandum of Understanding (MOU) with Revenu Québec, in order to process misapplied payments.

Employment and Social Development Canada (ESDC) and CRA jointly administer the Canada Pension Plan and employment insurance; CRA has an enforcement role. The information that the Trust Accounts Examination program shares with other CRA programs, including with the Individual Returns Program, may be shared with ESDC. A Memorandum of Understanding between CRA and ESDC covers the provision of protected information in support of the Canada Pension Plan, Employment insurance and Old Age Security programs.

Paper records containing personal information are sent to the Records Management and Logistics Section of the Finance and Administration Branch.

However, TAE program also uses the private service provider Iron Mountain (formerly known as Recall) to store paper records containing personal information.

D) Duration of the program or activity: Long-term program

Long-term program

Level of risk to privacy: 3

Details:

This program does not have an end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The payroll examinations population consists of employers, trustees, and payers responsible for deducting Canada Pension Plan contributions, employment insurance premiums and income tax from remuneration or other types of income (T4 reporting).

The GST/HST examinations population consists of GST/HST registrants in all provinces except Quebec.

The Air Travellers Security Charge (ATSC) population consists of designated air carriers required to charge the ATSC.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

The new or modified program or activity involves the implementation of one or more of the following technologies:

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Level of risk to privacy: 4

Details: 

Trust Accounts Examinations officers use a laptop computer with access control and may also use an encrypted Universal Serial Bus (USB) key when on-site at an employer’s location.

Access to the Agency network from remote locations must be done with full disk encryption and standard Secure Remote Access (SRA). The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

H) Risk impact to the individual or employee

Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.

 

Page details

Date modified: