GST/HST Audit and Examination Program

Privacy Impact Assessment (PIA) summary – GST/HST Directorate, Compliance Programs Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Richard Montroy
Assistant Commissioner, Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Reporting Compliance – International and Large Business, and Small and Medium Enterprise (GST/HST Audit and Examination Program)

Description of the class of record and personal information bank

Standard or institution specific class of record:
Goods and Services Tax/Harmonized Sales Tax (GST/HST) Audit Class of Record (CRA DCPB 476) - previously (CRA CPB 451 and CRA CPB 416)

Standard or institution specific personal information bank:
GST / HST Audit and Examination (CRA PPU 430)

Legal authority for program or activity

Personal information collected indirectly from other sources is collected under subsection 275(1) of the ETA and section 8 of the ATSCA. The Minister of National Revenue has a mandate (the words used in subsection 275(1) of the ETA and section 8 of the ATSCA are: "The Minister shall") to administer and enforce the ETA and the ATSCA. It is implicit that the Minister must collect information to carry out this mandate. While the Acts contain specific reporting obligations for taxpayers and others (for example, financial institutions and employers) and specific audit and inspection powers, there is no generally worded provision in the statutes that authorizes the Minister to collect the information needed to carry out the Minister's mandate. In cases of non-compliance with the tax laws, however, it is clear that the Minister will need information from other sources to carry out that mandate; the authority of the Minister to collect such information is therefore implicit and flows from the mandate itself.

Pursuant to paragraphs 5(3)(a) and (b) of the Privacy Act, there is no requirement to collect personal information directly from individuals concerned, nor to advise them of the purpose for which such information is being collected, if doing so will result in the collection of inaccurate information, or defeat the purpose for which the information is being collected. Note that substantially all of the information is collected from tax forms that the taxpayer completes and submits to the CRA.

The ETA and the ATSCA provide that a taxpayer or registrant is required to supply certain personal information for the purpose of assessing tax liability.

All personal information collected indirectly from other sources or directly from registrants and other persons is directly related to operational programs administered by the CRA’s Compliance Programs Branch, in particular the GST/HST Directorate and the GST/HST audit and examination programs. 

Summary of the project / initiative / change

The scope of this privacy impact assessment covers the GST/HST audit and examination program. This includes reviews, examinations and audits at the domestic and international level to determine the correct amount of excise taxes, other levies, GST/HST, and air travellers security charges owing on an account and to prevent the issuance of unwarranted refunds and rebates.

In order to meet the requirements of the Directive on Privacy Impact Assessment, the Canada Revenue Agency (CRA) is undertaking a new process as a means to align privacy impact assessments (PIAs) with CRA’s program activity architecture. This new process will enable the CRA to adequately describe and assess the risks with respect to the creation, collection and handling of personal information as part of its programs and activities. This core PIA is being developed to support ongoing privacy awareness and compliance for the GST/HST audit and examination program and should be read along with previously completed PIAs related to program:

As an organization we need to protect the privacy of individuals, as well as the revenue base while still allowing for ease of access. Any attempts at unauthorized access to our systems need to be immediately identified and appropriate measures undertaken. Every second counts in order to minimize the tax leakage, as well as to notify the potential victim of identity theft so that they can take measures to protect themselves.

Because of the tax leakage and the damage done to victims of identity theft, we proposed the use of third-party information to assist in the detection of this activity. In 2010-2011 we piloted the use of a third-party early warning system (EWS) product (IWS PIA published 2006), and now we plan to use it on a regular basis to strengthen the ability to detect identity theft and fraudulent refunds being claimed with GST/HST accounts. The EWS assists in detecting potential misuse or irregularities associated with addresses, telephone numbers or SINs by flagging the irregularities. We will compare information contained in the EWS database to help us discover any inconsistencies; generic warning messages such as "current postal code and phone number are inconsistent" are generated to prompt further review. No additional personal information is provided with the warning. This implementation will be consistent with the earlier PIA for the IWS, and will take into account all recommendations made by the Office of the Privacy Commissioner at that time.

In addition, this PIA should be read along with the Business Intelligence and Risk Analysis (BIRA) PIA that is currently in progress.  The BIRA PIA will cover the business intelligence activities undertaken by all audit areas in the Compliance Programs Branch.  Data gathered and analyzed for business intelligence or risk analysis may be used by auditors in the course of their audits.

Programs and initiatives that focus on GST / HST compliance are constantly being refined. Therefore, as a new initiative or refinement is identified, this core PIA will be reviewed and updated accordingly, and will support consultations with the OPC and any personal information bank updates that may be required.

This PIA also assesses the following project, which is being undertaken to enhance the existing CRA GST/HST audit and examination program.

Capture and storage of Internet Protocol (IP) addresses

When a GST/HST return is filed via the NETFILE service, the IP Address is currently not being captured as part of the returns data being sent to the mainframe GST/HST Returns Processing System. We are modifying our processing systems to capture and store the IP address used to file an electronic GST/HST return. The IP address will be used to support:

This initiative was implemented in April 2015.

For additional information, the Compliance Branch maintains an accessible and regularly updated website. Embedded in that site are videos and recorded webinars that explain CRA’s audit process.

Risk identification and categorization

A) Type of program or activity

Personal information is used for purposes of detecting fraud or investigating possible abuses within programs where the consequences are administrative in nature.  These activities involve the audit or examination of business records for GST/HST, air travellers security charges, excise taxes and other levies.  Depending on the results of the audits certain civil penalties may be applied. Cases where fraud is suspected may be referred to the Criminal Investigations Division for possible prosecution.

Level of risk to privacy: 3

Details: The GST/HST Directorate uses the audit and inspection powers afforded to it under the Excise Tax Act (ETA) and the Air Travellers Security Charge Act (ATSCA) to collect information relating to the business affairs of licensees and GST/HST registrants in order to determine the correct amount of excise taxes, other levies, GST/HST, and air travellers security charges owing on the account and to prevent the issuance of unwarranted refunds and rebates. The vast majority of cases will involve only administrative consequences: audits resulting in additional excise taxes, other levies, GST/HST, or air travellers security charges owing, and possibly civil penalties. The audit work could also result in leads being generated for other registrants, which in turn could result in those registrants being audited. The GST/HST Directorate does not undertake criminal prosecutions, but some cases may ultimately be referred to the Criminal Investigations Division for criminal prosecution.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, will be used within the course of our audit and examination activities. In some cases, this includes personal information that reveals intimate details on the health, financial situation, or lifestyle choices of the individual and which, by association, reveals similar details about other individuals in that individual’s family.

Level of risk to privacy: 4

Details: Audit programs rely on information collected under the authority of the ETA and ATSCA to perform audits. Information collected during an audit becomes part of the audit file and may include the social insurance number (SIN), financial or other sensitive information. In some cases, indirect verification of income may be necessary, which would include obtaining registrants’ personal banking or lifestyle information.

Predictive models use a variety of different data elements that have been statistically correlated with audit returns to generate a risk score predicting non-compliance. The dataset includes personal information available internally from source systems (e.g., audit result, number of owners, gross revenue, average age of owners, history of bankruptcy of owners, number of times account changed from monthly to quarterly to annually, etc.).

C) Program or activity partners and private sector involvement

CRA regularly collects information from provincial organizations and other federal institutions. CRA will also contract with private sector organizations to provide additional information in certain situations.

Level of risk to privacy: 4

Details: In accordance with the EA and ETA, information may be collected from and shared with participating provincial partners and other federal institutions.

In some cases, an external third party service may be used to help identify additional risk factors on GST/HST accounts.  For example, some credit bureaus offer a service that allows the user to retrieve flags on the SIN or address of an account.  Such flags do not provide personal information; the flags are generic, such as “SIN has been reported as misused”.

D) Duration of the program or activity

This program does not have an anticipated sunset date. The GST/HST audit and examination programs are part of the ongoing workload of the Compliance Programs Branch of the CRA to ensure compliance with the ETA and ATSCA.

Level of risk to privacy: 3

Details: GST/HST Audit is an ongoing long-term program to ensure the integrity of the self-assessment system. Some subprograms may change focus or be added, but the primary mandate will remain the audit, examination or inspection of GST/HST, air travellers security charges, excise taxes and other levies to ensure that every person pays the appropriate amount of tax.

E) Program population

This program affects all GST/HST and ATSC registrants and licensees required to collect and pay excise taxes and other levies under the ETA.

Level of risk to privacy: 3

Details: The GST/HST audit and examination program can affect businesses and individuals, both registrants and non-registrants, who have filed a return, rebate, or election related to the Excise, ATSCA, or GST/HST. CRA relies on risk-assessment systems and research to determine which taxpayers are most likely to misunderstand their tax obligations. CRA also randomly selects tax returns and conducts reviews to verify that taxpayers are paying their taxes in full and on time. If a review indicates that certain activities are more at risk for non-compliance than others, CRA may conduct more audits of taxpayers reporting these types of activities.

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity a modification of legacy IT systems and services?

Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: Yes

Details: The IP address will be collected when GST/HST returns are filed electronically.  This will be used to determine the geo-location of the computer, with varying degrees of accuracy. Depending on the lookup tool used, this could include country, region/state, city, latitude/longitude, telephone area code and a location-specific map.

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

Details: All GST/HST returns undergo automated matching processes where certain characteristics of the return are matched against income tax filing information and certain other risk factors such as industry and size of the business.  Returns are given a score and screeners review the highest risk accounts.  Returns may be given to auditors or examiners for further review. 

CPB is also developing statistical predictive models of risk that will be applied to all accounts to give an additional risk score that will be referenced when accounts are screened for potential audit action.  Manual intervention by a screener, auditor or examiner is always required for a compliance action to be taken.

More information on automated tools will be provided in the PIA on CPB Business Intelligence and Risk Analysis, currently under development.

G) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Details: Auditors and examiners in the field use laptops with full disk encryption and standard secure remote access. CRA's Information Technology Branch (ITB) has developed an enterprise-wide telecommuting platform that offers users secure access to their network. The current release of this platform is Secure Remote Access (SRA) 2.0. SRA 2.0 allows users to gain access to the CRA network anytime, anywhere that Internet access is available. This application is now managed by Shared Services Canada. All users are required to sign on with the Public Key Infrastructure (PKI), and there are clear policies and procedures to be followed.

H) Risk impact to the individual or employee

Details: If a person’s personal information becomes compromised they may become a victim of identity theft, and their information may be used without their knowledge or consent in ways that could result in a financial or reputational loss to that person, such as the misuse of their credit card information, debts being incurred on their behalf, etc.

I) Risk impact to the institution

Details: Protecting privacy and confidentiality are paramount to the CRA administration of the GST/HST programs.

The public must have confidence that the CRA is vigilantly maintaining compliance programs to ensure fairness. A breach of tax filers’ personal information could negatively affect the Agency’s strategic outcome to ensure taxpayers meet their obligations and Canada’s revenue base is protected.  Negative media attention and decreased public confidence can influence compliance behaviour.
