Working Income Tax Benefit Advance Payments

Privacy Impact Assessment (PIA) summary – Benefit Programs Directorate, Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency (CRA)

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assessment Benefit and Service Branch

and

Michael Snaauw
Assistant Commissioner, Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Program Activity – Sub Activity

Benefit Programs Administration

Description of the class of record and personal information bank

Standard or institution specific class of record:
Benefit Programs - Working Income Tax Benefit (WITB) Program (CRA ABSB 346)

Standard or institution specific personal information bank:
Working Income Tax Benefit (WITB) (CRA PPU 178)

Legal authority for program or activity

Section 122.7 of the Income Tax Act (ITA) provides for the administration of the Working Income Tax Benefit Advanced Payments

Section 220(1) of the Income Tax Act provides for the Minister’s duty to collect information for the purpose of the administration and enforcement of any program covered under the ITA. In this case the Working Income Tax Benefits Advanced Payments are administered under section 122.7of the ITA.

Section 61 of the Canada Revenue Agency Act allows CRA to implement agreements with other federal, provincial and territorial governments for the purpose of carrying out an activity or program administered by the CRA.

The legal authority to collect the SIN is found under section 237 of the Income Tax Act and is used for identification purposes.

Information may also be used to determine whether an individual knowingly participated in or made a false statement or omission. The consequences can include reviews which may result in termination and/or recoup of benefits, and possibly levying civil penalties under section 163(2) of the Income Tax Act.

Summary of the project / initiative / change

Working Income Tax Benefit Advance Payments

In cooperation with federal, provincial, and territorial partners, CRA develops and coordinates a variety of national, provincial and territorial benefit and credit programs which contribute to the economic and social well-being of Canadians. One of these programs is the Working Income Tax Benefit (WITB).

The WITB is a refundable tax credit for low-income individuals and families who have working income earned from employment or business. The WITB can be claimed each year on the personal Income Tax and Benefit Return if an individual is 19 years of age or older on December 31st; and is a resident of Canada for income tax purposes throughout the year. Individuals under 19 who have a spouse or common-law partner, or an eligible dependent on December 31st, may be eligible for the WITB.

Eligible individuals and families may apply for this benefit in advance of filing his or her tax return by completing the form RC201 –Working Income Tax Benefit Advance Payments Application. These payments are referred to as the WITB Advance Payments.

WITB Advance Payments correspond to a maximum of 50% of the WITB refundable tax credit (including a disability supplement for eligible individuals) claimed on the Income Tax and Benefit Return. An individual ineligible to the Goods and Services / Harmonized Sales Tax (GST/HST) Credit due to incarceration in a federal prison is not eligible for the advanced payment. Payments are issued in April, July, October and January.

Scope of the privacy impact assessment

This privacy impact assessment covers the administration of the Working Income Tax Benefit Advance Payments, including the compliance activities for enforcement purposes such as detecting fraud or investigating possible abuses within the benefit and credit program.

In addition, the calculation, enforcement, and administration of Canada Child Benefits and the federal and/or provincial Income Tax and Benefit returns are not included in this privacy impact assessment. The application process to determine if a person with a disability is eligible for the Disability Tax Credit is also not covered within this privacy impact assessment. Certain compliance activities such as audits and criminal investigations are separate programs and therefore are not included within the scope of this PIA.

Programs and initiatives that focus on economic benefits and credits are constantly changing. Therefore, when a new initiative or a change to an existing credit or benefit is identified, this privacy impact assessment will be reviewed and updated accordingly.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details: The personal information is used for the identification, determination, validation and payment of the Working Income Tax Benefit Advance Payments.

Information is also used to determine whether an individual knowingly participated in or made a false statement or omission. The consequences can include reviews which may result in termination and/or recoup of benefits, and possibly levying civil penalties under section 163(2) of the Income Tax Act.

Also, in limited cases, information obtained during the course of a validation or compliance review could be used to refer the matter to the Criminal Investigations Division of the CRA for further investigation which could result in the laying of criminal charges under section 238 or section 239 of the Income Tax Act against a particular individual.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information collected includes details such as name, contact information, financial information, social insurance number (SIN) and signature, biographical information, student indicator, disability indicator, marital status, employment information, and citizenship.

C) Program or activity partners and private sector involvement

With other or a combination of federal/ provincial and/or municipal government(s)

Level of risk to privacy: 3

Details: Information is disclosed by the CRA to Public Services and Procurement Canada for the issuance of payments. The information is also used internally within CRA for collection of outstanding balances, program administration, reviews, audit activities, appeals, statistical gathering, and call centre enquiry responses.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: The WITB is a long term program with no established end date. The advance payments portion is also a long term program with no established end date but does require a new a new application each tax year.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The program affects any individual who applies for the Working Income Tax Benefit Advanced Payments, their spouse or common-law partner and his or her dependents under 18 years of age.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on individuals associated with the Working Income Tax Benefit Advance Payments.

However, as part of the CRA security program, CRA employees who have access to personal information are monitored by the use of the Online Audit Tracking System (OATS). OATS records information, such as user logon ID, date and time of logon, logout, user location, terminal identity, name and ID of client records accessed, including edits or changes made during each user session, etc.

The information is used to verify that only authorized users have accessed personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse.

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to the CRA’s networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: The Benefit Data Mart is a subset of the Agency Data Warehouse (ADW). It collects data from the Individual Credit (ICD) and IDENT databases and an authorized employee can run queries against the data mart to identify trends, statistics or other required information. Reports are created from the Benefit Data Mart using a set identified parameters and filters that are then used for analysis. A privacy impact assessment for the ADW including the Benefit Data Mart was published in 2007; it provides a broader privacy risk analysis of the ADW and the related data marts.

Data matching techniques are also used to ensure the accuracy of the personal information. Information is matched between the individual’s income tax account and benefits account for identification purposes and to determine eligibility and entitlement. If they are benefit recipients the Benefits Validation and Compliance workflow will further review to determine if these individuals are no longer eligible for benefits.

G) Personal information transmission

The personal information is transmitted using wireless technologies. It may also be transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: Personal information can be used in a system that has access to other systems and can be transferred to a secure portable device using CRA approved encryption technologies as required.

Online Services: CRA uses specially configured computer Web servers for any online services (e.g. My Account); and uses corporate firewalls to protect our Web servers from unauthorized access. Personal information is not stored on these servers; the CRA securely stores personal information on separate computer systems that are not directly accessible from the Internet.

When transmitting personal information, access to our Web servers is limited to Web browsers that meet our security standards of encryption. The CRA ensures that personal and financial information is encrypted—or scrambled—when it is transmitted between an individual’s computer and our Web servers. This ensures that computer hackers and other Internet users cannot view or alter the data being transmitted. Our standard for encryption is the 128-bit Secure Sockets Layer Version 3.0 (SSLV3) protocol. This is one of the most secure forms of encryption available in North America and is a typical requirement for Web-based services—such as online banking or shopping—where securing personal information is a priority.

Portable Devices: Some employees workstations are composed of CRA issued laptops in docking stations. Laptops comply to the Security for the Computing Environment Policy with Encryption and access control. Any telework done is through Secure Remote Access (SRA).

Any USB keys used must be Agency issued and formatted with encryption technology specific to the user.

H) Risk impact to the individual or employee

Financial harm

Details: If the personal information was compromised, it has the potential to cause financial harm and embarrassment to the affected individual. The affected individual may also become a victim of identity theft, and their information may be used without their knowledge or consent.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility

Details: Should this information be accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment, loss of credibility and decrease of public confidence.

Page details

Date modified: