Trust Accounts Examination Program – Privacy impact assessment v 2.0
Collections and Verification Branch
Business Compliance Directorate
Overview & PIA initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Michael Snaauw
Assistant Commissioner
Collections and Verification Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator
Name of program or activity of the government institution
Returns Compliance
Description of the class of record and personal information bank
Standard or institution specific class of record:
Employer Compliance
Record Number: CRA CVB 188
Standard or institution specific personal information bank:
Employer Compliance
Bank Number: CRA PPU 120
Legal authority for program or activity
Section 231.1 of the Income Tax Act; section 288 of the Excise Tax Act; section 88 of the Employment Insurance Act; section 25 of the Canada Pension Plan Act; and section 70 of the Air Travellers Security Charge Act provide legal authority to enter premises and inspect, audit, or examine taxpayer’s books, records and documents.
Sections 152 and 227 of the Income Tax Act; section 296 of the Excise Tax Act; section 85 of the Employment Insurance Act; section 22 of the Canada Pension Plan Act; and section 39 of the Air Travellers Security Charge Act, provide legal authority to assess deficiencies when applicable.
Subsection 231.5 (1) of the Income Tax Act and subsection 291 (1) of the Excise Tax Act provide legal authority to make copies of documents.
- Every person who has failed to remit or pay is liable to a penalty of 10%:
- Income Tax Act: paragraph 227(9)(a)
- Canada Pension Plan Act: paragraph 21(7)(a)
- Employment Insurance Act: paragraph 82(9)(a)
- Where the failure was made knowingly or under circumstances amounting to gross negligence, 20% of that amount:
- Income Tax Act: paragraph 227(9)(b)
- Canada Pension Plan Act: paragraph 21(7)(b)
- Employment Insurance Act: paragraph 82(9)(b)
- Interest: Payable at the prescribed rate
- Income Tax Act: subsection 227(9.2)
- Canada Pension Plan Act: subsection 21(6)
- Employment Insurance Act: subsection 82(8)
Summary of the project / initiative / change
Brief overview of the program or activity
Under the Canada Pension Plan and the Employment Insurance Act, the CRA is responsible for determining:
- whether or not an individual's employment is pensionable under the Canada Pension Plan and/or insurable under the Employment Insurance Act;
- the amount of pensionable and/or insurable earnings;
- whether or not Canada Pension Plan contributions and employment insurance premiums are payable;
- how many hours an insured person has in insurable employment;
- how long an employment lasts, including the dates on which the employment began and ended;
- the amount of Canada Pension Plan contributions and/or employment insurance premiums payable;
- who is the employer;
- whether or not employers are considered to be associated for the purposes of the Employment Insurance Act; and
- the refund amount.
In cases where payroll accounts are non-compliant, a trust accounts examination may be requested. The objective of the Trust Accounts Examination Program is to maintain the integrity of the tax system with respect to the reporting of employment income and taxable benefits, the withholding and remitting of payroll related amounts, and the proper characterization of workers, through a combination of taxpayer education and responsible enforcement including examinations of employers’ books and records. The program promotes employer awareness and understanding of tax laws and obligations as provided in the Income Tax Act, the Excise Tax Act, the Canada Pension Plan, the Employment Insurance Act, the Air Travellers Security Charge Act and their respective regulations, to increase and enhance voluntary compliance.
What's new
The Trust Accounts Examination program is currently running a pilot project whose objective is to explore the types of trust accounts examination files that could be worked efficiently and effectively within a tax services office without the need to travel to a taxpayer’s or to their authorized representative’s place of business.
With the implementation of e-Docs for the Trust Accounts Examination program, employers and their representatives now have the option to send documents to the CRA electronically through the CRA web portal using the My Business Account portal or the Represent a Client portal. This option makes it more feasible to complete trust account examinations (TAEs) within the office without having to visit the taxpayer or their representative.
Documents submitted through the My Business Account or Represent a Client portals are received through the FileNet system where officers review them.
Scope of the privacy impact assessment
This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information relating to the Trust Accounts Examination program activities. The Employer Accounts program, Employer Compliance Audit program, and the Collections and Verification Business Intelligence program activities have been assessed under separate PIAs.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
Personal information is used to review the books and records of businesses to ensure that they are compliant with filing, reporting and withholding requirements, and to assess deficiencies when applicable. In addition, information is used to review payroll and GST/HST accounts with respect to taxable benefits, and the proper characterization of workers.
B) Type of personal information involved and context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
Trust Accounts Examinations require the review of business books and documents including any relevant tax slips issued to employees. The review of these records means that the CRA employee would have access to social insurance numbers and other financial information. This is necessary to properly execute the program mandate.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments.
Level of risk to privacy: 4
Details:
The program may share personal information with other CRA programs for collection of outstanding balances, audit activities or to report suspected activities.
Information regarding payroll deductions may be shared with Québec, in accordance with a Memorandum of Understanding (MOU) with Revenu Québec, in order to process misapplied payments.
Employment and Social Development Canada (ESDC) and CRA jointly administer the Canada Pension Plan and employment insurance; CRA has an enforcement role. The information that the Trust Accounts Examination program shares with other CRA programs, including with the Individual Returns Program, may be shared with ESDC. A Memorandum of Understanding between CRA and ESDC covers the provision of protected information in support of the Canada Pension Plan, Employment insurance and Old Age Security programs.
Paper records containing personal information are sent to the Records Management and Logistics Section of the Finance and Administration Branch.
However, TAE program also uses the private service provider Iron Mountain (formerly known as Recall) to store paper records containing personal information.
D) Duration of the program or activity: Long-term program
Long-term program
Level of risk to privacy: 3
Details:
This program does not have an end date.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
The payroll examinations population consists of employers, trustees, and payers responsible for deducting Canada Pension Plan contributions, employment insurance premiums and income tax from remuneration or other types of income (T4 reporting).
The GST/HST examinations population consists of GST/HST registrants in all provinces except Quebec.
The Air Travellers Security Charge (ATSC) population consists of designated air carriers required to charge the ATSC.
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Risk to privacy: Yes
- Details: FileNet, a generic electronic document application, has been implemented to support trust accounts examinations. Prior to FileNet, program officers had to travel to the employers’ locations in order to review their books and records. With the use of FileNet within the program, employers and authorized representatives can submit their documents electronically.
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
- Risk to privacy: No
The new or modified program or activity involves the implementation of one or more of the following technologies:
- Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
- Risk to privacy: No
- Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
- Risk to privacy: No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
- Risk to privacy: Yes
- Details: The Workload Development and Business Intelligence Section (WDBIS) supports workload development through the coordination of analytics, research and trends analysis report requests for all business compliance program workloads. WDBIS relies on risk-assessment systems and research to determine which employers are most likely to misunderstand their tax obligations. WDBIS also uses the results of the risk-assessment systems to select files for trust accounts examination. Business intelligence activities are assessed separately in the Collections and Verification Business Intelligence Privacy Impact Assessment. The information from income tax returns may undergo automated matching processes where certain characteristics of the T4 return are matched against an individual’s income tax filing information. In some cases this may lead to a request for a trust accounts examination.
G) Personal information transmission
The personal information is transferred to a portable device or is printed.
Level of risk to privacy: 4
Details:
Trust Accounts Examinations officers use a laptop computer with access control and may also use an encrypted Universal Serial Bus (USB) key when on-site at an employer’s location.
Access to the Agency network from remote locations must be done with full disk encryption and standard Secure Remote Access (SRA). The Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the network.
H) Risk impact to the individual or employee
Details: If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and his/her information may be used without his/her knowledge or consent.
Page details
- Date modified: