Employer Accounts Program PIA v3.0 IC-129717

Collections and Verification Branch
Business Compliance Directorate

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Mohammad Rahman
Director General, Business Compliance Directorate
Collections and Verification Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director, Privacy and Access Policy Division
Access to Information and Privacy Directorate
Public Affairs Branch

Name of program or activity of the government institution

Returns Compliance

Standard or institution specific class of record:

Employer Compliance
Record Number: CRA CVB 188

Standard or institution specific personal information bank:

Employer Compliance
Bank Number: CRA PPU 120
TBS Registration Number: 001948

Legal authority for program or activity

The following legislation authorizes the Canada Revenue Agency (CRA) to collect personal information while collecting employer remittances of income tax, the reporting on these remittances, Canada Pension Plan (CPP) contributions, and employment insurance (EI) premiums that are deducted from employees’ pay:

• sections 153 and 227 of the Income Tax Act and sections, 101, 200, and 205 of the Income Tax Regulations for withholding and remitting income tax and the filing of information returns
• sections 8, 9 and 21 of the Canada Pension Plan Act and section 8 and 10 of the Canada Pension Plan Regulations for remittances of Canada Pension Plan contributions and the filing of information returns
• section 82 of the Employment Insurance Act and section 11 of the Insurable Earnings and Collection of Premiums Regulations for remittances of EI premiums and the filing of information returns

The legislative authorities the CRA uses to apply penalties and interest for payroll non‑compliance

Every person who has failed to remit or pay is liable for a penalty of 10% under:

• paragraph 227(9)(a) of the Income Tax Act
• paragraph 21(7)(a) of the Canada Pension Plan
• paragraph 82(9)(a) of the Employment Insurance Act

If the person failed to remit or pay knowingly or under circumstances amounting to gross negligence, the penalty is 20% under:

• paragraph 227(9)(b) of the Income Tax Act
• paragraph 21(7)(b) of the Canada Pension Plan
• paragraph 82(9)(b) of the Employment Insurance Act

Interest is payable at the rate prescribed by the CRA under:

• subsection 227(9.2) of the Income Tax Act
• subsection 21(6) of the Canada Pension Plan
• subsection 82(8) of the Employment Insurance Act

The CRA collects and uses individuals’ social insurance numbers for the identification purposes outlined in:

• section 237 of the Income Tax Act
• section 88 of the Canada Pension Plan Regulations
• section 153.12 of the Employment Insurance Regulations

The CRA amends non-financial information on T4 slips in relation to the Canada dental benefit under the:

• Section 4 Reporting Obligation of the Dental Care Measures Act

Summary of the project, initiative or change

Overview of the Program or Activity

The Employer Accounts (EA) Program is responsible for making sure all employers respect their obligations related to employee source deductions. The program balances people-centric service and strategic vision to help employers voluntarily comply with Canada’s tax laws, such as the Income Tax Act, Canada Pension Plan Act, and Employment Insurance Act. Through a variety of compliance activities, we make sure employers:

• deduct from their employees’ pay the required:
  • CPP contributions
  • EI premiums
  • income tax
• remit:
  • the deductions
  • their share of the CPP contributions
  • their share of the EI premiums
• report correctly using the right information return

Compliance measures also include responsible enforcement actions, such as assessing amounts owed to the CRA and charging penalties and interest, to make sure taxpayers comply with their payroll obligations.

When required, we will help develop and put in place any emergency measures related to source deductions and information returns for payroll accounts.

This privacy impact assessment focuses on the EA Program. In cases where non‑compliant accounts cannot be resolved by the EA Program, it may refer them to:

• the Trust Accounts Examination Program to examine the employer’s books and records in person
• the Employer Compliance Audit Section from the Trust Accounts Examination Program if non‑compliant accounts require a more in-depth review of employer records
• the CPP/EI Rulings Division if the EA Program is unable to get a resolution

The EA Program performs many compliance actions involving payroll accounts and includes tax deduction, CPP, and EI discrepancy notice (PD4R) replies; T4 amendments; T1 matching; TCR messages; PD4R notices; error correction; CPP contributors; and pensionable and insurable earnings review.

Account Review

• Employer services officers review payroll accounts in relation to:
• regular correspondence
• retirement compensation arrangement enquiries, compliance, and correspondance
• processing T4A-RCA slips, Statement of Distributions from a Retirement Compensation Arrangement
• tax centre responsibility messages
• T1 matching referrals
• replies to PD7As, Statement of account for current source deductions – Regular and quarterly remitters, and PD1114s, Requests for tax deductions, CPP and EI information if you remit late
• pensionable and insurable earnings reviews and subsequent replies
• Form PD24, Application for a Refund of Overdeducted CPP Contributions or EI Premiums
• the Nova Scotia-Workers Compensation Board
• the Payment average project
• taxpayer relief adjustments
• business enquiries and collections referrals
• replies to TX14 notices, Notice to file
• penalty exempt status
• Amendments

The CRA corrects information returns that have already been filed by the employer or representative through MyBA, electronic submission, or by mail or fax. It processes amendments within the payroll account using the Amendment System.

T1 matching

When the T1 Matching Section is unable to resolve a discrepancy, it refers the case to the Employer Accounts and Services Section. In the T1 matching process, the Employer Accounts and Services Section has a mandate to make sure valid T4 and T4A slips are posted to the correct payroll account. They accomplish this by:

• researching the CRA’s data and consulting with the employer, representative, or trustee
• referring suspicious slips for further investigation
• connecting T4 and T4A slips with the correct employer or payer

PD4R notices, Tax deduction, CPP and EI discrepancy notice

PD4R notices are computer-generated notices the CRA issues to employers when there is a difference between the total remittances they have made in the year and the total of the amounts they reported on T4-type slips. Program officers review the replies received from employers. Their and the results can be any of the following actions:

• payment received from the employer
• credit transfers
• amended information returns
• assessments
• a referral for a trust accounts examination

Pensionable and insurable earnings reviews

Pensionable and insurable earnings reviews (PIERs) detect and resolve discrepancies between pensionable or insurable earnings and the related CPP contributions and EI premiums on each employee’s T4 slips, Statement of Remuneration Paid.

A PIER report is a list, taken from a T4 information return, of employees for whom the CRA detected CPP or EI deficiencies.

The CRA generates a PIER to make sure employees or their beneficiaries receive the benefit payments they are entitled to, such as:

• EI payments (if the employee becomes unemployed or is eligible for other benefits, such as maternity leave)
• CPP payments (if the employee retires, becomes disabled, or dies)

The CRA sends the report to the employer for review, to make payment if the deficiency is valid, make corrections, or explain the apparent deficiency.

The PIER Program reviews the explanations and makes any needed adjustments to the T4 slips or the account.

Payroll compliance

Payroll accounts are non-compliant if they have overdue returns or remittance or if they have tax payable. Employer services officers work these cases to resolve non-compliance.

CPP Contributors Program

The CPP Contributors Program is an annual program that typically runs from October to March. The purpose of the program is to make sure the income reported on line 10400, “Other employment income,” and line 13000, “Other income,” of individuals’ income tax and benefit returns is correct. The CPP Contributors Program’s main purpose is to determine if a T4 slip, Statement of Remuneration Paid, should be prepared for income that is required to have CPP contributions or EI premiums deducted.

Specialized correspondence

Employer services officers review and respond to correspondence about:

• appeals
• CPP/EI rulings
• decisions of the Tax Court of Canada
• voluntary disclosure adjustments
• requests for comfort letters
• employee complaints
• regulation 102/105 audit referrals
• penalty exempt status
• requests to change quarterly remitter

What’s New

Electronic document application

In October 2017, the EA Program started using a new generic electronic document (E-Doc) application that allows taxpayers and authorized representatives to submit requests electronically to the CRA. This application also serves as a repository for storing documents submitted to tax program areas by taxpayers or their authorized representatives. Certain other documents can also be stored in the application. In 2019, the EA Program used the application to save documents originally received as paper and uploaded to the existing correspondence inventory managing application.

Canada Pension Plan improvement

Beginning in 2019, the CRA gradually increased CPP every year until 2023. Starting January 2024, the CRA is introducing a second CPP contribution, and it will modify the T4 to include this second CPP contribution. These will be displayed as employee’s CPP contributions (Box 16) and employee’s second CPP contributions (Box 16A). Employers will withhold and remit the second CPP in the same way they do for the base CPP. The second CPP contribution will follow the same structure as the current CPP contribution.

Temporary wage subsidy for employers

The 10% temporary wage subsidy for employers (TWS) is a 3-month measure administered by the EA Program. This measure allows eligible employers to reduce the amount of payroll deductions they need to remit to the CRA. Eligible employers are those that paid eligible remuneration to an eligible employee from March 18 to June 19, 2020. The EA Program is responsible for determining employer’s eligibility, determining the allowable subsidy amount, and communicating the results with the employer. In cases where written communication is required, EA Program uses a CRA‑wide solution to manage, create, issue, and archive correspondence items issued to taxpayers and benefit recipients. It provides a secure, controlled facility to store, access, and manage taxpayer correspondence within programs and across the CRA. It allows taxpayers to send correspondence electronically through the My Business Account (MyBA) and My Account online services to clients that are registered.

Authorized representative

As of January 2021, each representative who is authorized by a firm, a business or a group must get their own individual representative identifier (RepID) and send it to the CRA before they can represent their client. Businesses can manage their authorized representatives using MyBA. Businesses can also authorize offline access (phone, fax, mail, in person) to representatives by submitting an Form AUT-01, Authorize a Representative for Offline Access. Form AUT-01 replaced Form RC59. A new application allows the EA Program to authenticate the representative by cross referencing a representative’s RepID with the CRA’s records. This new procedure is a proactive initiative implemented to support CRA’s legal obligation to protect confidential taxpayer information.

New filing application

The EA Program launched a new Internet-based application in summer 2022. This application allows EA Program employees to file original slips with a shorter processing time than when sending returns to the processing centre. This new application validates data in real time with prompts to correct errors before filing the slips.

Records management software

Starting fall 2023, information that is currently stored on our shared drives will be stored on a new records management software.

National inventory management system

Launched in fall 2023, a new integrated system has replaced the CPP/EI rulings web form to request CPP/EI rulings directly. To identify the proper status of an individual worker, a CPP/EI ruling is required.

Reporting for the Canadian dental care plan

The interim Canada dental benefit is intended to lower dental costs for eligible families earning less than $90,000 per year.. Beginning with the 2023 tax year, issuers (including employers and pension plan administrators) of T4 slips, Statement of Remuneration Paid, and T4A slips, Statement of Pension, Retirement, Annuity, and Other Income, must report on a T4 or T4A slip whether, on December 31 of the tax year to which the information return relates, a payee or any of their family members were eligible to access dental insurance or dental coverage of any kind, including health spending and wellness accounts, because of their current or former employment.

This reporting requirement is mandatory for employers beginning with the 2023 tax year, and will continue to be required annually.

To support these new reporting requirements, the following changes were made to the T4 and T4A slips:

• Box 45, “Employer-offered Dental Benefits,” was added to the T4. This new box will be mandatory for all slips
• Box 015, “Payer-offered Dental Benefits,” was added to the T4A. This new box will be mandatory if an amount is reported in Box 016, Pension or Superannuation. The box will otherwise be optional.

The impact of these new boxes on the EA Program is very minimal. These new boxes will be verified during the regular T4 amendment workflow.

Scope of the Privacy Impact Assessment

This PIA identifies and assesses privacy risks to personal information related to the EA Program’s activities. The scope of this PIA is limited to the EA Program’s activities, which include administering the TWS.

The Employer Compliance Audit Program and the Trust Accounts Examination Program have been assessed under separate PIAs.

Activities related to creating workloads, identifying unknown non-compliance, and delivering business intelligence solutions in support of the EA Program are assessed in the Workload Development and Business Intelligence - Business Compliance Programs PIA. The Collections and Verification Business Intelligence PIA assesses the process to develop the business intelligence and related data solutions and services for the EA Program.

Risk identification and categorization

A) Type of program or activity

Compliance / Regulatory investigations and enforcement

Level of risk to privacy: 3

Details:

Personal information is used to identify taxpayers, perform account updates, and compliance activities such as:

• updating a taxpayer’s file (for example, address changes, authorized representative updates)
• reviewing account transactions
• sending notices
• performing post validations to make sure the 10% TWS subsidy was granted for the allowable amount and to eligible employers
• assessing or re-assessing amounts owing (such as tax, penalty, or interest)
• performing account adjustments

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. 

Level of risk to privacy: 3

Details:

Personal information is used to make sure employers comply with filing, reporting, and withholding requirements related to the CPP, EI, and income tax, and it may include:

• name
• social insurance number
• contact information
• financial information
• payroll program account number
• employee personnel information
• date of birth
• date of death
• medical information
• language
• signature

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

The EA Program enters the information it gathers into the payroll  system. Various CRA areas can then access the information to administer their related CRA programs. For example, information employers give about their deducted remittances can be cross-referenced against their employees’ T4s  to make sure both portions match. This cross-referencing process is part of the CRA’s individual returns and payments programs.

Employment and Social Development Canada (ESDC) and the CRA jointly administer CPP and EI. The CRA has an enforcement role. A memorandum of understanding (MOU) between the CRA and ESDC covers the sharing of protected information while administering CPP, EI, and Old Age Security.

The CRA may share information about payroll deductions with Revenu Québec to fix misapplied payments. It may also share information about payroll deductions with the Nova Scotia Workers’ Compensation Board (NSWCB) to transfer remittances. The CRA has MOUs with these institutions that cover the sharing of this information.

The CRA may share identification information of all BN registrants  with Statistics Canada in line with the MOU between the CRA and Statistics Canada. The MOU outlines the roles and responsibilities for the release of income tax and goods and services tax / harmonized sales tax information.

A private-sector third-party service provider, stores paper copies of documents the CRA receives from taxpayers containing personal information.

D) Duration of the program or activity

Long-term program 

Level of risk to privacy: 3

Details:

This program does not have an end date.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The EA Program affects every payer or employer who is required to deduct from the remuneration of its employees, the prescribed amounts for the purposes of income tax, CPP, and EI.

The TWS affects only employers who request the subsidy.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

   Risk to privacy: Yes

2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

   Risk to privacy: No

3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details:

Paper correspondence received from employers are scanned, saved to a secure shared drive,  uploaded into the CRA system.

Electronic correspondence is received through a generic document (E-Doc) application. Documents submitted by employers that cannot automatically be securely transferred to a CRA system, will be temporarily saved to a secured shared drive, printed off weekly, and mailed to the applicable CRA office or scanned and uploaded to a CRA system.

The CRA does not transfer information to any portable devices, such as CDs, DVDs, or USB drives.

The CRA may get personal information from various internet sources for tracing purposes, and it documents this in its systems. The Information Technology Branch (ITB) monitors Internet access according to CRA policies.

Employer accounts officers use a laptop computer with access control. Access to the CRA network from remote locations must be done with full disk encryption and standard secure remote access. The ITB has developed an enterprise-wide telecommuting platform that offers users secure access to the network.

A correspondence application allows EA Program to send electronic or paper letters to employers regarding the TWS.

Personal information is transferred from ESDC by a tape transfer of rate changes made twice a month directly to the payroll system for current or last year, or a PD19 form for previous years.

Personal information regarding BN files is sent to Statistics Canada via Secure File Transfer Protocol (SFTP) on a continuous monthly basis for all BNs that are issued.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employer. The affected individual or employer may also become a victim of identity theft, and their information may be used without their knowledge or consent.