Children’s Special Allowance

Privacy Impact Assessment (PIA) summary – Benefit Programs Directorate, Assessment, Benefit, and Service Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency (CRA)

Government official responsible for the PIA

Frank Vermaeten
Assistant Commissioner, Assessment, Benefit, and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Children’s Special Allowance

Description of the class of record and personal information bank

Standard or institution specific class of record:
Not applicable

Standard or institution specific personal information bank:
Children's Special Allowances Personal Information Bank (CRA PPU 620)

Legal authority for program or activity

The legal authority for the Children's Special Allowances (CSA) program is governed in the Children's Special Allowances (CSA) Act and the Children's Special Allowances Regulations.

Information is collected pursuant to paragraph 4(1)(a) of the CSA Act and the specific data elements are listed in subsection 3(1) of the CSA Regulations.

Subsection 10(2) of the CSA ACT provides that CSA information can be used for the administration and enforcement of the ITA.   

Section 11 of the CSA Act provides the CRA with the authority to enter into an agreement with a province for the release of information and section 7 of the CSA regulations lists the conditions for the release of that information. Section 61 of the Canada Revenue Agency Act allows CRA to implement agreements with other federal, Provincial and Territorial Governments for the purpose of carrying out an activity or program administered by the CRA.

Summary of the project / initiative / change

Children’s Special Allowance

The CSA is a tax-free monthly payment for a child who:

By "agency", the CRA means:

A child is considered to be cared for by an agency (Federal or provincial department, agency or institution approved by a province or territory to have custody or care of the children) if, at the end of the month, the child is dependent on it for his or her care, maintenance, education, training, and advancement to a greater extent than any other agency or individual.

The monthly CSA payment is equal to the maximum Canada child tax benefit (CCTB) payment plus the National child benefit supplement (NCBS), the Child disability benefit (CDB), and the Universal child care benefit (UCCB) if applicable.

To be eligible to receive the CSA an agency must first register with CRA and obtain a registered account Business number. The process to create and administer a business number is not in scope of this PIA. The registered agency then must submit an RC64 Children's Special Allowances application for each child it maintains care of.

Applications may be received electronically via File Transfer Protocol (FTP), secure web application, or by paper.

Scope of the privacy impact assessment

The scope of this privacy impact assessment is the administration of the Children’s special allowance, including the compliance activities for enforcement purposes such as detecting fraud or investigating possible abuses within the benefit program.

Certain compliance activities such as audits and criminal investigations are separate programs and therefore are not included. In addition, the application process to determine if a child is eligible for the Disability tax credit is not included in this PIA.

The calculation, enforcement, and administration of Canada child benefits;  not limited to the CCTB, the National Child Benefit Supplement (NCBS), the Child Disability Benefit (CDB), and the Universal Child Care Benefit (UCCB) and Goods and Services tax Credits (GSTC) are not included in this PIA. 

Programs and initiatives that focus on child benefits and credits are constantly changing. Therefore, when a new initiative or a change to an existing benefit is identified, this PIA will be reviewed and updated accordingly.  

Risk identification and categorization

A) Type of program or activity

Administration of Programs

Level of risk to privacy: 2

Details: The personal information is used for the identification, determination, and payment of benefits and credits. Information could also be used for the validation of the benefits, and  to determine whether an n Agency knowingly participated in or made a false statement or omission.

The consequences can include reviews which may result in termination and/or recoup of benefits, and possibly levying civil penalties under section 163(2) of the Income Tax Act

Also in limited cases, information obtained during the course of a validation or compliance review could be used to refer the matter to the Criminal Investigations Program of the CRA for further investigation which could result in the laying of criminal charges under section. 238 or section 239 of the Income Tax Act against a particular individual.  

Note

A CSA Agency is defined as a Federal or provincial department, agency or institution approved by a province or territory to have custody or care of the children. As these Agencies are either part of or are approved by a government body, the non-compliance risk has been determined to be low. Notwithstanding, a thorough risk assessment of the CSA Program was performed by the Benefits Validation and Compliance Section. The results confirmed that the risk of non-compliance is extremely low and therefore, no further validation or compliance activities are planned at this time. The Collections and Verification Branch is participating in this PIA to document any future activities that may fall under the mandate of the CVB.

B) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy: 3

Details: Personal information on minors is collected and used to identify dependants (minors) and administer CSA payments.  This includes details such as Current and previous Name, Child identification Number, Place of birth, Date of birth , gender.

Information is also collected on previous caregivers: including name, address, and business # or SIN if applicable.

C) Program or activity partners and private sector involvement

With other federal institutions

Level of risk to privacy: 2

Details: The program includes the administration of benefits programs to registered agencies that maintain minors.  Aggravated information is disclosed by the CRA to Public Services and Procurement Canada for the issuance of payments,

CRA provides information on children in care to Employment and Social Development Canada in support of the Canada Education Savings Program and Learning Bond.

The information is also used internally within CRA for the administration of the benefits accounts and collection of outstanding balances, audit activities, appeals, statistical gathering, and call centre enquiry responses.

Paper copies containing personal information are stored by a third party in the private sector.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:  The Children’s special allowance is a long term program with no established end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The program affects individuals under the age of 18 whom are maintained by a registered agency within Canada

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity require any modifications to IT legacy systems and/or services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Details: N/A

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Details: The program does not involve the use of surveillance on individuals associated with the Children’s Special Allowance.

However, as part of CRA security program CRA employees that will have access to personal information will be monitored by the use of the Online Audit Tracking System (OATS). OATS records information, such as user logon ID, date and time of logon, logout, user location, terminal identity, name and ID of client records accessed, including edits or changes made during each user session, etc.

The information is used to verify that only authorized users have accessed personal information and to ensure that access can be linked to specific individuals to support the investigation of suspected or alleged misuse. 

Every time CRA employees log in on their computers, a notice pops up requiring employees to acknowledge that they are aware that all access to CRA networks is monitored and that access is on a need-to-know basis. This information is already described in the standard personal information bank Electronic Network Monitoring Logs PSU 905.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: An authorized employee can run queries to find trends, statistics or other required information. Reports are created from the Benefit Data Mart on a set identified parameters and filters that are then used for analysis.  A privacy impact assessment for the Agency data warehouse (ADW) including the Benefit Data Mart was published in 2007; it provides a broader privacy risk analysis of the ADW and the related data marts.

Data matching techniques are also used to ensure the accuracy of the personal information and to to ensure applicants continue to meet the eligibility and entitlement requirements for the child benefits.  Information provided on income tax and benefit returns is used to calculate payments. Therefore, information is also matched between the individual’s income tax account and benefits account.  In addition, information that was provided by the individual is verified with other sources.

G) Personal information transmission

The personal information is transmitted using wireless technologies. It may also be transferred to a portable device or is printed.

Level of risk to privacy: 3

Details: Personal information can be used in a system that has access to other systems and can be transferred to a secure portable device encrypted using CRA approved encryption.

Reconciliation Notices containing personal child details are sent electronically and via traditional mail each month to the registered agencies

H) Risk impact to the individual or employee

Financial harm

Details: If the personal information was compromised it has the potential to cause financial harm and embarrassment to the individual.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility

Details: Should this information be accidentally or deliberately disclosed or compromised, it could reasonably be expected to cause the CRA embarrassment, loss of credibility and decrease of public confidence.

Page details

Date modified: