Collections and Verification Branch
Business Compliance Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Tammy Myers
Acting Assistant Commissioner
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Director General
Access to Information and Privacy Directorate
Public Affairs Branch

Name of program or activity of the government institution

Returns compliance

Standard or institution specific class of record:

Corporations and GST/HST Compliance, CRA CVB 186
Canada Emergency Subsidies Validation for businesses, CRA CVB 191

Standard or institution specific personal information bank:

Corporations and GST/HST Compliance, CRA PPU 185
Canada Emergency Subsidies Validation for businesses, CRA PPU 184

Legal authority for program or activity

Income Tax Act

Section 125.7 addresses the computation of tax and rules applicable to corporations.

Section 150 addresses the collection of personal information and its use to verify compliance.

Section 150(1) requires that taxpayers file a return for each tax year.

Subsection 164(3) addresses interest on refunds and repayments.

Section 220 addresses the Minister’s duty.

Section 237 addresses the production and authority to communicate social insurance numbers.

Subsection 241(3.5) addresses the authority to communicate the name of applicants under section 125.7 of the Income Tax Act.

Canada Revenue Agency Act

Section 61 allows the CRA to make agreements with federal, provincial, and territorial governments to carry out CRA-administered activities or programs.

Section 63(1) allows the CRA to make or change agreements with provincial, territorial, or aboriginal governments to administer a tax or other fiscal measure if the agreement is in accordance with guidelines relating to similar agreements that the Minister of National Revenue and the Minister of Finance established jointly.

Specific to the Canada emergency subsidies

Income Tax Act

Paragraph 87(2)(g.6) addresses COVID-19 emergency subsidies.

Subsection 152(3.4) addresses COVID-19 notices of determination.

Subsection 163(2.9) addresses partnerships liable to penalty.

Subsection 163(2.901) addresses penalties related to COVID-19.

Subsection 163(2.902) also addresses penalties related to COVID-19.

Subsection 164(1.6) addresses COVID-19 refunds.

Subsection 164(1.61) addresses COVID-19 refunds for partnerships.

Subsection 164(3) addresses interest on refunds and repayments.

Income Tax Regulations

Section 8901.1 addresses COVID-19 wage and rent subsidies.

Section 8901.2 gives definitions

Summary of the project, initiative or change

Overview of the Program or Activity

Canada emergency subsidies

In response to the COVID-19 pandemic, the CRA created the Pandemic Program Division (PPD) to provide centralized services and operational support to the Business Compliance Directorate. The PPD helps by directing, advising, training, and supporting field operations for the following five subsidies and programs:

• the Canada emergency wage subsidy, available from March 15, 2020, to October 23, 2021
• the Canada emergency rent subsidy, available from September 27, 2020, to October 23, 2021
• the Canada Recovery Hiring Program, available from June 6, 2021, to May 7, 2022
• the Tourism and Hospitality Recovery Program, available from October 24, 2021, to May 7, 2022
• the Hardest-Hit Business Recovery Program, available from October 24, 2021, to May 7, 2022

The Canada emergency subsidies process involves a pre-validation step to make sure taxpayers submitted claims correctly and accurately. The CRA educates taxpayers on how to claim the subsidies and promotes future compliance with CRA-administered tax legislation. The CRA reviews and analyzes initial applications and reassessment requests from the five subsidies listed above.

The PPD gets account referrals based on the application’s identified risk factors, and it selects accounts for post payment validation projects. The original risk factors determine whether the PPD or the Assessment, Benefit, and Service Branch (ABSB) will validate an account.

The CRA collects limited personal information during the application process, which includes examining the books and records it requested from taxpayers and their representatives. The CRA then verifies this information using existing information within its data holdings to validate and process the application. Subsequently, the CRA uses personal information to perform verification and compliance activities. The CRA collects employer names, business numbers, representative names, financial information, contact information, and attestation signatures electronically, by telephone, or by letter. It uses that information in the subsidy application process.

Business account security

The Business Account Security Compliance Division (BASCD) reviews and coordinates the response to unauthorized activity on CRA business accounts when it suspects that a third-party breach has occurred. By safeguarding the security and integrity of business accounts, the BASCD helps protect sensitive taxpayer information and plays a vital role in building trust in the Canadian tax system.

The BASCD manages casework related to compromised business accounts where a third party may have gained access to a CRA account. Their workload is currently built on referrals of suspicious accounts, but work is underway to design an internal system that can proactively identify cases for its workload based on certain parameters. The BASCD reviews business accounts for unauthorized activity and contacts taxpayers to verify information and tell them about account breaches. The BASCD coordinates corrective actions and control measures with other stakeholders according to CRA policies and procedures. These actions could be restorative or protective. The program documents cases and sends formal breach notification letters to taxpayers. If required, the BASCD collaborates with financial institutions to hold and return funds.

Scope of the Privacy Impact Assessment

This privacy impact assessment identifies and assesses privacy risks to personal information relating to:

• Canada emergency subsidies program activities concerning the validation, second review, and post validation of payments and accounts for the five subsidies and programs listed at the start of this summary
• business account security within the CVB

This privacy impact assessment does not cover the Canada Emergency Wage Subsidy Registry and the ABSB’s administration and pre-validation of the five subsidies and programs at the start of this summary. Other assessments cover them.

Risk identification and categorization

A) Type of program or activity

Compliance/Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

Canada emergency subsidies

The CRA uses personal information to review applicants to make sure they:

• get the subsidies that they are entitled to
• meet all requirements of the subsidies they are applying to
• are eligible for the subsidies they are applying to

The CRA may also review personal or financial information to verify the reasonableness of claims. It uses personal information to make decisions about subsidy claims or accounts. The PPD conducts desk reviews of claims and does not conduct on-site visits.

This program also uses personal information to perform risk assessments to find suspicious claims it got from applicants or from individuals who got unauthorized access to a business’s online account. Personal information may include a name, contact information, social insurance number, date of birth, mailing address, income, and direct deposit information.

Business account security

The CRA uses personal information to review accounts and rebate applicants to confirm whether an unauthorized third party accessed that account. It also reviews personal or financial information to verify if a third party changed information. The CRA uses personal information to contact the valid taxpayer to confirm the information it reviewed in the case.

The BASCD uses personal information to perform risk assessments to find suspicious claims it got from applicants or an unauthorized third party so it can refer cases to other areas for further review. Personal information may include a name, contact information, social insurance number, date of birth, mailing address, income, and direct deposit information.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details:

Canada emergency subsidies

The CRA uses personal information to review claims. This personal information is necessary to properly review and verify claimed amounts, and it includes:

• the business number and information included in the account, such as the name, social insurance number, and address of the owner
• banking information
• employee tax slips that include a social insurance number and financial information
• other supporting documents, such as sales journals, general ledgers, revenue amounts, and working paper calculations that have personal or financial information and that help determine eligibility for rent or wage subsidies

Business account security

The BASCD uses personal information to review cases when unauthorized third parties access accounts. This information is necessary to carefully review and verify whether a third party accessed the account and to protect the account from future unauthorized access. This information includes:

• the business number and information included in the account, such as the name, social insurance number, and address of the owner
• banking information
• IP addresses
• employee tax slips that include a social insurance number and financial information

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details:

Canada emergency subsidies

Canada emergency subsidy reviews may require sharing personal information with:

• other CRA programs to collect outstanding balances, perform audit activities, or to report suspicious activities
• Statistics Canada for statistical analysis
• the Department of Finance Canada to make or evaluate fiscal policy
• Public Services and Procurement Canada to give funds
• the Department of Justice as part of a judicial application made in federal court as a recourse to decisions regarding the eligibility of subsidies, including requests for consideration to late file claims

Business account security

During review, the BASCD may share personal information with:

• other CRA programs to help protect business accounts or to report other suspicious activities
• financial institutions to recover funds

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

Short-term programs (Canada emergency subsidies)

The Canada emergency rent subsidy, Canada emergency wage subsidy, Tourism and Hospitality Recovery Program, Hardest-Hit Business Recovery Program, and the Canada Recovery Hiring Program were short-term, temporary programs to mitigate the impacts of the COVID-19 pandemic on eligible entities. The subsidy claim periods expired November 3, 2022, and all these recovery subsidies and programs have come to an end.

Long-term program (business account security)

The CRA created the BASCD to help identify accounts that it suspected unauthorized third parties had accessed because of suspicious activities. The BASCD has some permanent funding and has no end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

Canada emergency subsidies

The Canada emergency rent subsidy, Canada emergency wage subsidy, Tourism and Hospitality Recovery Program, Hardest-Hit Business Recovery Program, and the Canada Recovery Hiring Program affect businesses who apply for the subsidies.

Business account security

Business account security affects businesses if the CRA suspects an unauthorized third party has accessed their accounts.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

   Risk to privacy: No

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

   Risk to privacy: Yes

3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

   Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

   Risk to privacy: No

   Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

   Risk to privacy: Yes

   Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

   Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies

Level of risk to privacy: 4

Details:

The CRA takes personal information for all programs from its internal systems and might send it to other organizations electronically using Government of Canada-approved encryption technologies.

The CRA can use personal information in a system that has access to other systems and can transfer the information to secure portable devices with CRA-approved encryption.

Some employees work on CRA-issued laptops and use CRA-issued cell phones. Laptops and cell phones meet to the Government of Canada’s encryption and security standards. Employees telework using secure remote access.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If personal information becomes compromised, it can cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and third parties may use their financial or personal information without their knowledge or consent.