Small and Medium Enterprises Directorate v2.0
Compliance Programs Branch 
 Small and Medium Enterprises Directorate
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Cathy Hawara
 Assistant Commissioner
 Compliance Programs Branch 
Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
 Director
 Access to Information and Privacy Directorate
Name of program or activity of the government institution
Reporting Compliance
Standard or institution specific class of record:
Small and Medium Enterprises Income Tax Audit
 CRA CPB 452
Standard or institution specific personal information bank:
Small and Medium Enterprises
 Bank Number: CRA PPU 421
 TBS Registration Number: 20140083
Legal authority for program or activity
Income Tax Act
The Minister of National Revenue (MNR) is responsible for administering and enforcing the Income Tax Act (the Act). Part XV of the Act gives the legislative authorities under which the Small and Medium Enterprises Directorate (SMED) Program operates. Part I of the Act outlines the circumstances and means by which individuals and businesses must calculate, collect, remit, and report on their income. It also outlines the circumstances in which an individual or business may be eligible to claim credits or deductions.
Subsection 220(1) of the Act gives the minister of national revenue the authority to collect personal information to carry out the mandate of administering the Act. There are specific reporting obligations for taxpayers, as well as specific audit and inspection powers in the Act.
Section 19 of the Underused Housing Tax Act (UHTA) provides the minister the authority to administer and enforce the act under which the SMED Program operates.
Subsection 5(1) of the Canada Revenue Agency Act is the legislation that bestows, on the Agency, the responsibility to administer and enforce these acts. Subsection 6(1) extends the minister’s powers, duties, and functions over all matters over which Parliament has jurisdiction relating to internal taxes and may be delegated under section 7.
Authority to inspect, audit, and examine
Section 231.1 of the Act authorizes the inspection, audit, and examination of documents, property, and processes of a person to validate the correct amount of income tax owing on the account. This includes information already in CRA systems originally collected under Part XV of the Act. This part also authorizes the requirement to produce documents or information to support a review, examination, or audit.
Subsections 98(3) and 288(1) of the Excise Tax Act (ETA) authorize the inspection, audit, and examination of documents, property, and processes of a person.
Section 62 of the UHTA authorizes the inspection, audit, and examination of documents, properties, and processes related to compliance with the Act. Sections 31, 58, and 63 of the UHTA authorize the requirement to produce documents or information to support a review, examination, or audit.
Indirect collection and disclosure
Subsection 231.1(1) of the Act provides the authority to collect personal information from commercially purchased data such as credit bureau information or real estate data, from other persons, and publicly available open sources.
Section 241(4) of the Act states that personal information already in CRA systems originally collected under the Act may be used to validate, identify, and verify flow-through reporting and the sharing of information.
Sections 289 and 289.1 and subsection 99(1) of the ETA authorize the issuance of requirements and compliance orders to provide documents and information for civil purposes.
Contracts, agreements, and arrangements
Subsection 7(1) in Part III of the Federal-Provincial Fiscal Arrangements Act provides the authority for the MNR, with the approval of the Governor in Council, to enter, on behalf of the Government of Canada, into an administration agreement with the government of a province or an aboriginal government.
Section 61 of the Canada Revenue Agency Act allows the CRA to enter into contracts, agreements, or other arrangements with governments, public or private organizations and agencies, or any person in the name of His Majesty in right of Canada or in its own name.
Summary of the project, initiative or change
Overview of the Program or Activity
The mandate of SMED is to develop and administer a balanced approach towards compliance activities aimed at improving compliance with tax laws, including client assistance, education-first interventions, and quality audits. SMED also oversees regional audit operations for the small and medium business income tax sectors and the Underused Housing Tax Compliance Program (UHT).
The SMED provides functional leadership, policy development, and program direction to the regional audit operations. To assist the regional operations in delivering established strategies and planned results, Headquarters, in collaboration with the regions, monitors the programs and makes changes, or recommends changes, to policies, programs, tools, training, and legislation where necessary.
The SMED does this to:
- identify significant cases of non-compliance and take appropriate corrective measures
 - reinforce compliant behaviour through risk assessment, service, and education
 - maintain responsible levels of enforcement activity across all sectors, with increased audit coverage of those sectors at highest risk
 
These objectives are in direct support of our mandate to enhance compliance with tax laws and to preserve public trust in the fairness and integrity of Canada’s self-assessment tax system.
The key activities of the SMED include:
- compliance risk assessment
 - income tax and Underused Housing Tax (UHT) audits
 - clearance certificate issuance
 - technical advice and assistance
 - the Liaison Officer Service
 - audit quality reviews
 - real estate appraisals
 - program reviews, analysis, and monitoring
 
What’s New
The rules governing which trusts must file an annual T3 Trust Income Tax and Information Return (T3 return) have been changed for trusts with a tax year ending after December 30, 2023. Specifically, all trusts must now provide a T3 return including additional beneficial ownership information on an annual basis unless specific conditions are met. Additionally, bare trusts may now be required to file an annual T3 return. These changes were made as part of Canada’s continuous efforts to ensure the effectiveness and integrity of the Canadian tax system. This will help the CRA verify that trusts, their fiduciaries, beneficiaries, and related parties have met their tax and filing obligations under the Act. The information related to the new trust data has not changed how personal information is being handled within SMED.
The Compliance Programs Branch agreed to update the data release listing under the memorandum of understanding, Establishing an Administrative Framework for the General Provision of Information and the Promotion of Cooperation and Mutual Assistance, between the CRA and the British Columbia Ministry of Finance, to remove “corporate data only” for:
- alcohol purchase data and license information (previously corporate data only)
 - stumpage data (previously corporate data only)
 - motor vehicle registration data (previously corporate data only).
 
New data collection methods and uses will include:
- data sets provided by the Human Resources Branch will be used within SMED for analytical purposes, such as the following studies:
  - matching individual personal record identifiers (PRI) with specific audits for the purpose of identifying auditor PRIs in SMED to track training history
  - matching individual PRIs by auditor experience and Grade/Level for the purpose of tracking years of auditor experience by Grade/Level and Fiscal Year, in order to identify increases or decreases in average auditor experience
  - deriving turnover rates by region, auditor Grade/Level, and Fiscal Year using counts only (no personal PRI data)
  - deriving level of movement by auditor Grade/Level and Fiscal Year using counts only (no personal PRI data). The level of movement is calculated as a ratio of the total number of hires, promotions, acting appointments, and lateral and downward appointments of indeterminate employees during the fiscal year to the average of the active population at the start and at the end of the same fiscal year.
  - providing an overview of emerging trends in SMED’s workforce in the regions and comparing the evolution of SMED’s workforce to the evolution of the CRA’s workforce
 
 
Open source data
Usage of open source tables including, but not limited to, the 2016 census data from Statistics Canada to address the ministerial mandate-letter commitment to apply gender-based analysis plus (GBA+) in the SMED’s work.
 Projects include the following:
- creating a GBA+ dashboard to provide divisional clients with a standalone tool to help improve the understanding of SMED’s target populations
 - text analysis conducted on T2020 audit communication forms to highlight how gender could be identified in these documents, to confirm that there are no systematic gender biases in our work
 
New Programs and Initiatives
The Assisted Compliance Program
The Assisted Compliance Program aims to increase coverage, improve voluntary compliance and address non-compliance using an education-first approach. The Assisted Compliance Program offers support to businesses and self-employed individuals by helping them understand their tax obligations and how to meet them.
Officers, who are subject matter experts, will contact taxpayers to explain potential tax issues identified in their accounts and help them correct any mistakes.
The Assisted Compliance Program addresses single issues and covers a variety of topics, such as how to properly report a property disposition, repairs and maintenance expenses on rental properties, the T5018 statement of contract payments, and other topics.
Officers:
- send a personalized letter outlining the potential tax issue
 - follow up by telephone about two weeks later to give tailored information to the taxpayer to help them better understand their tax obligations
 - provide information on the steps to self-correct the tax issue
 
The Assisted Compliance Program uses existing risk assessment and file selection processes; no new taxpayer data is collected, disclosed, used, or retained.
The Underused Housing Tax Program
The Underused Housing Tax Section (UHTS) provides functional direction, policy guidance, and program support for compliance activities related to the Underused Housing Tax Program (UHTP).
The UHT is an annual federal one-percent tax on the value of non-resident, non-Canadian, directly or indirectly owned residential property situated in Canada that is vacant or underused. The UHT came into effect on January 1, 2022. Each owner (other than an excluded owner) must file an annual UHT return for each residential property that is owned. There are penalties for failing to file. The first returns were due April 30, 2023. To provide more time for affected owners to take necessary actions to comply, the CRA provided transitional relief to affected owners for the 2022 calendar year. This means that although the deadline for filing the UHT return and paying the UHT payable was still April 30, 2023, no penalties or interest were applied for UHT returns and payments that the CRA received on or before April 30, 2024.
Amendments have been made to section 116 of the Act to link UHT compliance with the issuance of a certificate under this section. Generally, when a non-resident disposes of a property, they must meet specific withholding tax requirements in order to receive a certificate of compliance from the CRA under section 116 of the Act. With this amendment, owners must be compliant with UHT filing and payment obligations, in addition to the withholding tax requirements, giving the CRA more leverage to enforce compliance with UHT.
Owners requesting a certificate of compliance from the Non-Resident Dispositions and International Waivers Program (based on amendments made to section 116 of the Act) have been referred to the UHTS since April 1, 2023, so that the UHTP can ensure property owners are complying with their UHT obligations before a certificate of compliance is issued.
The mandate of the UHTP is to use a balanced approach of education, service, and responsible enforcement to ensure that residential property owners (other than “excluded owners”) comply with the laws enacted under the UHTA, which is administered by the CRA.
The UHT required the development of an entirely new compliance program. A pilot was launched in October 2023. UHTS within SMED will use the results of the UHTP pilot to inform or improve the overall approach and the program design. The pilot will be monitored closely and will allow UHTS to assess the effectiveness of the approach and tools in place, and will help determine if any refinements are required prior to the launch of the full UHTP.
Although the data collected is new, the terms of how personal information is safeguarded within SMED will equally apply.
The Liaison Officer Service was leveraged to provide education and outreach to property owners to ensure they are aware of their UHT obligations. Designated liaison officers were responsible for delivering UHT webinars, as well as contacting identified stakeholders to offer webinars at their convenience.
Emergency wage and rent subsidy reviews
The SMED is conducting post-payment compliance audits to ensure those who received the emergency wage and rent subsidies were in fact entitled to them, and to identify any errors in submitted claims. Post-payment compliance audits began in the fall of 2021 and have wound down in 2024-2025. The CRA can pursue cases beyond the normal assessment and reassessment period in cases of negligent, careless, or wilful misrepresentation.
Economic entity relationships
The SMED is currently moving towards a new model for risk assessment and auditing by grouping the small and medium enterprises population into Economic Entities (EE). An EE is defined as a group of corporations, individuals, trusts, and partnerships that are controlled by the same persons where the group is structured such that financial and taxation decisions are made as one. The focus of our efforts is being shifted to identifying risk at both the EE and the legal entity level, and auditing using a team audit approach for the larger, more complex EE groups. Effective April 1, 2022, the Economic Entity Section formally launched the Economic Entity Team Audit pilot. The linking of the SMED population into EEs will provide efficiencies in assessing tax at risk as a group as opposed to each taxpayer individually. We will move beyond looking at the individual risk issues based on a single return and will look at the risks that arise as a result of the EE’s structure and transactions among the members.
Short-term rental compliance
Section 67.7 of the Act came into effect in June 2024 and applies to the 2024 and subsequent taxation years. This measure prohibits any deductions from income earned from short-term rentals of residential properties that are:
- located in provinces and municipalities that prohibit such short-term rentals, or
 - not compliant with the applicable provincial or municipal licensing, permitting, or registration requirements
 
The Platform Economy Compliance Program in the GST/HST and Digital Compliance Directorate is heavily engaged in administering the provisions of section 67.7 of the Act. The CRA committed to work with provinces and municipalities by acquiring information from them on non-compliant short-term rentals.
Scope of the Privacy Impact Assessment
This SMED Privacy Impact Assessment (PIA) sets out to:
- identify those areas within the Directorate’s day-to-day operations where personal information is stored, shared, received, and subject to electronic data analysis
 - identify and assess privacy risks, and
 - ensure that safeguards that comply with the Privacy Act are in place
 
This PIA encompasses products and written collaborative agreements that SMED owns or uses to enhance compliance with the tax laws administered by the CRA. The CRA’s use of external data from third-party sources is described within and in the scope of the Business Intelligence Research and Development Environment PIA.
Effective April 1, 2024, two new functional programs were established: the Cryptocurrency Section and the Platform Economy Section. The income tax compliance activities that were previously undertaken by the compliance programs in the SMED were officially transferred to these two new programs which operate under the GST/HST and Digital Compliance Directorate. This PIA continues to apply to the income tax activities.
Risk identification and categorization
A) Type of program or activity
Compliance or regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
The Small and Medium Enterprises (SME) programs utilize the audit and inspection powers provided to them under the Act and the UHTA to collect information relating to the business or personal affairs of taxpayers in order to determine the correct amount of taxes payable. The vast majority of cases will involve only administrative consequences – audits resulting in additional taxes owing and, possibly, civil penalties. The audit work could also result in leads being generated for other taxpayers or GST/HST registrants which, in turn, could result in those taxpayers or GST/HST registrants being audited. SMED does not undertake criminal prosecutions, but may refer cases to the Criminal Investigations Division for criminal investigation and potential prosecution.
B) Type of personal information involved and context
Social insurance number (SIN), medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
Audit activities rely on information collected under the authority of the Act, ETA, or UHTA to perform their mandate. Information collected through the course of their mandate, such as an audit, becomes part of the audit file and may include the SIN, ITN, and financial information. In some cases, indirect verification of income may be necessary, which can include obtaining personal banking or lifestyle information of taxpayers, their associates or other members of a household, business, trust, or any other prescribed person.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments.
Level of risk to privacy: 4
Details:
In accordance with the Act, ETA, or UHTA, information may be collected from and shared with participating provincial or territorial partners and other federal institutions. Information may also be shared with foreign governments with respect to the resolution of audit cases involving taxpayers residing abroad or with foreign operations, in accordance with applicable tax treaties.
In some cases, an external third-party service may be used to help identify additional risk factors on income tax accounts. For example, third-party information from suppliers, banks, and credit bureaus may provide details on a taxpayer’s personal and business activities.
In addition, paper copies of personal information are stored and retained at a private-sector record-storage facility.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
The SME program is an ongoing long-term program that ensures the integrity of the self-assessment tax system. Some activities may change focus or be added, but the primary mandate is to ensure that taxpayers are compliant, understand their obligations and remain compliant.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
The SME program can affect any prescribed person; for example, businesses, individuals, trusts/trustees, partnerships/partners, etc., who have filed an income tax, underused housing tax and election form (UHT-2900), or related information return. The CRA relies on risk-assessment systems and research to determine which taxpayers are most likely to misunderstand their tax obligations. If a review indicates that certain activities are more at risk for non-compliance than others, the CRA may conduct more audits of taxpayers reporting those types of activities.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
 
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details:
Auditors in the regions use laptops with full disk encryption for locally stored files. Remote network access is provided using an encrypted VPN tunnel solution, with two-factor authentication (a private user certificate secured with a password). Once connected to the CRA’s infrastructure, information may be transmitted between the local device and the CRA’s systems for various purposes, including risk assessment, workload development, and auditing.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
Protecting privacy and confidentiality are paramount to the CRA’s administration of the SME program. The public must have confidence that the CRA is vigilantly maintaining taxpayer information to ensure fairness. A breach of tax filers’ personal information could negatively affect the CRA’s strategic outcome to ensure taxpayers meet their obligations and to protect Canada’s revenue base. Negative media attention and decreased public confidence can influence compliance behaviour.
 
Page details
2025-10-24