Voluntary Disclosures Program (VDP) - Privacy impact assessment summary

Domestic Compliance Programs Branch (DCPB)
GST-HST Directorate
Canada Revenue Agency

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Ted Gallivan
Assistant Commissioner
Domestic Compliance Programs Branch & International, Large Business and Investigations Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Voluntary Disclosures Program (VDP)

Description of the class of record and personal information bank

Standard or institution specific class of record:
Voluntary Disclosures Program (VDP) CRA DCPB 264
Standard or institution specific personal information bank:
Voluntary Disclosures Program (VDP) CRA PPU 220

Legal authority for program or activity

Summary of the project / initiative / change

The purpose of the Voluntary Disclosures Program (VDP) is to promote voluntary compliance with the accounting and payment of duty and tax provisions under the Income Tax Act (ITA), Excise Tax Act (ETA), Excise Act, 2001 (EA, 2001), Air Travellers Security Charge Act (ATSCA) and the Softwood Lumber Products Export Charge Act, 2006 (SLPECA). The VDP encourages taxpayers to come forward and correct deficiencies in order to be in compliance with their legal obligations.

The VDP allows taxpayers to come forward and correct inaccurate or incomplete information or to disclose information they have not previously reported to the Canada Revenue Agency (CRA).

Taxpayers may avoid penalties and prosecution if they make a valid disclosure before they become aware of any compliance action being initiated against them by the CRA. These taxpayers will have to pay the taxes owing, plus interest.

A disclosure is valid if it:

The Voluntary Disclosures Program provides an avenue for taxpayers to correct past errors and omissions and become compliant with tax laws.

In terms of scope, this privacy impact assessment identifies and assesses privacy risks to personal information relating to the administration of the Voluntary Disclosures Program activities.

The program is going through a transition with an increased focus on offshore activities following recommendations from the Offshore Compliance Advisory Committee (OCAC) and the Standing Committee on Finance (FINA), and will be reviewed again in a few years. This privacy impact assessment will be reviewed and updated as required.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2


Personal information is used to process voluntary disclosures of information not previously reported by taxpayers, who can thereby avoid prosecution and the penalties they would otherwise be subject to under the Acts noted above.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3


The Voluntary Disclosures Program (VDP) deals only with voluntary disclosure applications for relief of penalty and some interest. Clients are required to provide documentation and other personal information to support the amounts and information being disclosed as part of the application for relief of penalty, interest, and prosecution.

Personal information may include: name, contact information, Social Insurance Number (SIN), Business Number, name and contact number of authorized representative, main purpose of business, information about the disclosure/omission, and signatures of individual or authorized representative. Documentation such as tax information: income, benefits, investments, financial statements, personal and investment property. 

C) Program or activity partners and private sector involvement

With other or a combination of federal/provincial and/or municipal government(s)

Level of risk to privacy: 3


The Voluntary Disclosures Program (VDP) shares information it collects with Revenu Québec, the Province of Ontario and the Province of Alberta by way of encrypted electronic communications. The information is shared to verify enforcement action, in order to support the validity of the voluntary conditions of the VDP requests, and to assist the provinces with the administration of their own VDP. The information disclosed to the above-mentioned parties is: name (first, last/business name) and account number (SIN/BN).

D) Duration of the program or activity:

Long-term program

Level of risk to privacy: 3


Because the Voluntary Disclosures Program (VDP) gives taxpayers a way to come forward and correct inaccurate or incomplete information, and is offered to taxpayers as an opportunity to correct earlier mistakes and put their tax affairs in order, it is an ongoing long-term program and does not have a sunset date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3


The Voluntary Disclosures Program allows taxpayers to come forward and correct inaccurate or incomplete information or to disclose information they have not previously reported to the Canada Revenue Agency (CRA).  

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: n/a

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

Risk to privacy: No

Details: n/a

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes


A macro (an automated method of programmed tasks) is used to check CRA systems for enforcement action on the account and generate the VDP report. This report contains filtered and condensed information gathered from the CRA systems, allowing our officers to review accounts that are under the VDP much more efficiently and minimizing repetitive administrative tasks.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.  

Level of risk to privacy: 2

Details: Taxpayers may make a voluntary disclosure through the My Account, My Business Account or Represent a Client portals (IBM_ECM-Filenet), or disclosures may be mailed or faxed to the National Verification and Collections Centre in Shawinigan. Personal information is then entered in the Case Appeals Management System (CSAPP). The VDP uses the CSAPP for recording, tracking and managing voluntary disclosure requests received in the Agency. Furthermore, VDP officers are required to register all accepted VDP cases in the Taxpayer Relief Registry (TRR) system in order to provide system functionality to waive the penalties and interest that the taxpayer would otherwise be subjected to.

Circulation of hardcopy documents is controlled. VDP documents are kept in-house until completion of the file. Once completed, documents are sent to and maintained at a private-sector contractor records storage facility, retained according to Retention and Disposal Standards for a period of seven years and then destroyed – see RDA Number: 2017/012 (replaces 93/004).

H) Risk impact to the individual or employee

Details: If the personal information were compromised, it would have the potential to cause financial harm, identity theft and embarrassment to the individual.
