Voluntary Disclosures Program (VDP) - Privacy impact assessment summary
Domestic Compliance Programs Branch (DCPB)
GST-HST Directorate
Canada Revenue Agency
Overview & PIA Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Ted Gallivan
Assistant Commissioner
Domestic Compliance Programs Branch & International, Large Business and Investigations Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Voluntary Disclosures Program (VDP)
Description of the class of record and personal information bank
Standard or institution specific class of record:
Voluntary Disclosures Program (VDP) CRA DCPB 264
Standard or institution specific personal information bank:
Voluntary Disclosures Program (VDP) CRA PPU 220
Legal authority for program or activity
- Sections 88, 281.1 and 284 and subsection 284.1(3) of the Excise Tax Act;
- Section 4 of the Credit for Provincial Relief (HST) Regulations SOR/2011-57;
- Sections 173 and 255.1 of the Excise Act, 2001;
- Sections 30 and 55 of the Air Travellers Security Charge Act; and
- Section 37 of the Softwood Lumber Products Export Charge Act, 2006.
- Sections 150, 220, and 237 of the Income Tax Act,
- Subsection 220(3.1) of the Income Tax Act
Summary of the project / initiative / change
The purpose of the Voluntary Disclosures Program (VDP) is to promote voluntary compliance with the accounting and payment of duty and tax provisions under the Income Tax Act (ITA), Excise Tax Act (ETA), Excise Act, 2001(EA, 2001), Air Travellers Security Charge Act (ATSCA) and the Softwood Lumber Products Export Charge Act, 2006 (SLPECA). The VDP encourages taxpayers to come forward and correct deficiencies in order to be in compliance with their legal obligations.
The VDP allows taxpayers to come forward and correct inaccurate or incomplete information or to disclose information they have not previously reported to the Canada Revenue Agency (CRA).
Taxpayers may avoid penalties and prosecution if they make a valid disclosure before they become aware of any compliance action being initiated against them by the CRA. These taxpayers will have to pay the taxes owing, plus interest.
A disclosure is valid if it:
- is voluntary;
- contains complete information;
- involves the application or the potential application of a penalty;
- includes information that is more than one year overdue or more than one reporting period (GST/HST only); and
- includes a payment of the estimated tax owing.
The Voluntary Disclosures Program provides an avenue for taxpayers to correct past errors and omissions and become compliant with tax laws.
In terms of scope, this privacy impact assessment identifies and assesses privacy risks to personal information relating to the administration of the Voluntary Disclosures Program activities.
The program is going through a transition with an increased focus on offshore activities following recommendations from the Offshore Compliance Advisory Committee (OCAC) and the Standing Committee on Finance (FINA), and will be reviewed again in a few years. This privacy impact assessment will be reviewed and updated as required.
Risk identification and categorization
A) Type of program or activity
Administration of Programs / Activity and Services
Level of risk to privacy: 2
Details:
Personal information is used to process voluntary disclosures not previously reported by taxpayers who can avoid penalties that the taxpayers would otherwise be subject to under the Acts noted above, and avoid prosecution.
B) Type of personal information involved and context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
The Voluntary Disclosures Program (VDP) deals only with voluntary disclosure applications for relief of penalty and some interest. Clients are required to provide documentation and other personal information to support the amounts and information being disclosed as part of the application for relief of penalty, interest, and prosecution.
Personal information may include: name, contact information, Social Insurance Number (SIN), Business Number, name and contact number of authorized representative, main purpose of business, information about the disclosure/omission, and signatures of individual or authorized representative. Documentation such as tax information: income, benefits, investments, financial statements, personal and investment property.
C) Program or activity partners and private sector involvement
With other or a combination of federal/ provincial and/or municipal government(s)
Level of risk to privacy: 3
Details:
The Voluntary Disclosures Program (VDP) shares information collected with Revenu Québec, the Province of Ontario and the Province of Alberta by way of encrypted electronic communications for verification of enforcement action for the purposes of supporting the validity of the voluntary conditions of the VDP requests and assist the provinces with the administration of their own VDP. The information disclosed to the above mentioned parties is: name (first, last/business name) and account number (SIN/BN).
D) Duration of the program or activity:
Long-term program
Level of risk to privacy: 3
Details:
As the Voluntary Disclosures Program (VDP) gives taxpayers a way to come forward and correct inaccurate or incomplete information and is offered to taxpayers as an opportunity to correct earlier mistakes and put their tax affairs in order it is an ongoing long-tern program and does not have a sunset date.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
The Voluntary Disclosures Program allows taxpayers to come forward and correct inaccurate or incomplete information or to disclose information they have not previously reported to the Canada Revenue Agency (CRA).
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
The new or modified program or activity involves the implementation of one or more of the following technologies:
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Details: n/a
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Details: n/a
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
Details:
A macro (an automated method of programmed tasks) is used to check CRA systems for enforcement action on the account and generate the VDP report. This report contains filtered and condensed information gathered from the CRA systems, allowing our officers to review accounts that are under the VDP in a much more efficient way and minimizing administrative repetitive tasks.
G) Personal information transmission
The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy: 2
Details: Taxpayers may make a voluntary disclosure through the My Account, My Business Account or Represent a Client portals (IBM_ECM-Filenet) or they may be mailed or faxed to the National Verification and Collections Centre in Shawinigan. Personal information is then entered in the Case Appeals Management System (CSAPP). VDP utilizes the CSAPP for the recording, tracking and managing of voluntary disclosure requests received in the Agency. Furthermore, VDP officers are required to register all accepted VDP cases in the Taxpayer Relief Registry (TRR) system in order to provide system functionality to waive the penalties and interest that the taxpayer would otherwise be subjected to.
Circulation of hardcopy documents are controlled. VDP documents are kept in house until completion of the file. Once completed, documents are sent and maintained at a private-sector contractor records storage facility, retained according to Retention and Disposal Standards for a period of seven years and then destroyed – see RDA Number: 2017/012 (replaces 93/004).
H) Risk impact to the individual or employee
Details: If the personal information was compromised it has the potential to cause financial harm, identity theft and embarrassment to the individual.
Page details
- Date modified: