International and Large Business Income Tax Audit and Examination

Privacy impact assessment (PIA) summary – International and Large Business Directorate, International, Large Business and Investigations Branch

Overview & PIA initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Ted Gallivan
Assistant Commissioner, International, Large Business and Investigations Branch

Head of the government institution or delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Co-ordinator

Name of the program or activity of the government institution

Reporting compliance - International and Large Business Audit Program

Description of the class of record and personal information bank

Standard or institution-specific class of record:
International and Large Business Income Tax Audits and Examination Class of record (CRA ILBIB 415) - formerly (CRA CPB 415)

Standard or institution specific personal information bank:
Tax Avoidance Cases (CRA PPU 035)

Legal authority for program or activity

Income Tax Act (ITA)

• Subsection 220 (1) of the ITA ‒ Authority for the minister of national revenue to administer and enforce the ITA

Excise Tax Act (ETA)

• Subsection 275(1) of the ETA ‒ Authority for the minister of national revenue to administer and enforce the ETA

Collection of personal information and third-party penalties

• Section 231.1 of the ITA　‒ Authority to audit under the ITA and to examine documents and property of a taxpayer
• Section 231.2 of the ITA ‒ Authority to issue a requirement to provide documents or information
• Section 231.6 of the ITA ‒ Authority to issue a requirement to provide foreign-based information or documents
• Section 231.7 of the ITA ‒ Authority for a court order complying a person to provide information or documents sought under sections 231.1 and 231.2 of the ITA
• Section 237.1 of the ITA – Tax shelter provisions
• Section 233.3 of the ITA – Foreign reporting provisions
• Section 237.3 of the ITA – Reportable transaction provisions
• Section 244.2 of the ITA – Electronic funds transfer provisions
• Sections 163.2 of the ITA and 285.1 of the ETA – Third-party penalty provisions—misrepresentation of a tax matter by a third party (promoters who market and sell abusive tax shelter arrangements)
• Subsection 85(1), 85(2), and 97(2) of the ITA – Disposition of property by a taxpayer or partnership to a taxable or non-taxable Canadian corporation

Canada Revenue Agency Act

• Section 61 of the Canada Revenue Agency Act – This lets the Canada Revenue Agency enter into contracts, agreements, and other arrangements with governments, public or private organizations and agencies, and any person in the name of Her Majesty in Right of Canada and in the Agency’s name.

Summary of the project/initiative/change

This program-level privacy impact assessment (PIA) supports ongoing privacy awareness and compliance for the International and Large Business Audit Program of the Canada Revenue Agency.

This PIA covers the following types of income tax audits:

Large business: For income tax compliance of the largest and most complex business entities;

International tax: For reporting of world income and proper payment of taxes by non-residents working or carrying on business in Canada; international cross-border transactions between related parties; transfer pricing; foreign accrual property income; foreign affiliate rules; and other international tax issues;

Offshore compliance: For international transactions of unreported foreign income and undisclosed assets; and

Aggressive tax planning: This includes the identification of emerging tax avoidance issues and arrangements, the review of tax shelters and promoters, and the application of the general anti-avoidance rule.

This PIA also covers the administration of the third-party penalty provisions of the Income Tax Act and the Excise Tax Act.

The initiatives that focus on large business—income tax, international tax audit programs, aggressive tax planning, and offshore compliance—are in constant development. Therefore, as a new initiative or refinement is identified, this PIA will be reviewed and updated accordingly. The PIA will support consultations with the Office of the Privacy Commissioner and any personal information bank updates that may be required.

This PIA should be read along with the Business Intelligence and Risk Analysis PIA. That PIA will cover many of the business intelligence activities done for the Compliance Programs Branch.

In addition, this program-level PIA should be read along with other PIAs related to the program:

• (2013) Foreign Income Verification Statement (Form T1135)
• (2015) International Electronic Funds Transfers Business Intelligence

Risk identification and categorization

A) Type of program or activity

Compliance and regulatory investigations and enforcement

Level of risk to privacy: 3

Details: The International and Large Business Directorate and the Offshore Compliance Division use audit and inspection powers under the ITA and ETA to collect information about the business affairs of taxpayers to determine if they are complying with the ITA. Most cases will involve only administrative consequences—audits resulting in more tax owing and possibly civil penalties. An audit could result in leads being generated for other taxpayers including registrants for goods and services tax/harmonized sales tax, which could result in more audits. The Directorate does not start prosecutions. However, the personal information collected in an audit may be given to the Criminal Investigations Division for prosecution.

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

Details: Information may include a social insurance number, financial, and other sensitive information. In some cases, indirect verification of income may be necessary, which would include getting the personal banking or lifestyle information of taxpayers and members of their household.

C) Program or activity partners and private-sector involvement 

Private-sector organizations, international organizations, or foreign governments

Level of risk to privacy: 4

Details: Under the ITA and ETA, information may be collected from, and shared with, participating provincial or territorial partners, as well as other federal institutions. Information may also be shared with foreign governments under tax treaties or tax information exchange agreements (TIEAs). Subparagraph 241(4)(e)(xii) of the ITA allows the exchange of taxpayer information between two authorities representing treaty or TIEA partners. Information is typically exchanged to either determine the facts related to the rules of an income tax convention or to help one of the contracting parties in administering and enforcing its domestic tax law.

In some cases, an external third-party service may be used to help identify other risk factors for income tax accounts. For example, third-party information from suppliers, banks, and credit bureaus may provide details on a taxpayer’s personal and business activities.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details: Income tax audits done by the International and Large Business Directorate and offshore non-compliance actions of the Offshore Compliance Division are ongoing long-term activities that ensure the integrity of the self-assessment system. Some may change focus or be added, but the primary mandate will remain the audit of income tax returns to make sure that taxpayers comply with the ITA and ETA.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details: The income tax audit programs undertaken by the International and Large Business Directorate and the Offshore Compliance Division can affect businesses and individuals who have filed an income tax or other information return.

The Directorate’s activities focus mainly on corporate entities rather than individuals.

Offshore compliance activities focus mainly on individuals who have indicators of investing or moving funds to offshore jurisdictions. Also, focus is placed on the foreign reporting obligations of individuals.

F) Technology and privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software, or application (including collaborative software or groupware) that is implemented to support the program or activity for the creation, collection, or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems or services?

Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods – This includes biometric technology (for example, facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, and radio frequency identification) as well as easy-pass technology, new identification cards— including magnetic stripe cards and cards that are embedded with an antenna or a contact pad connected to a microprocessor and a memory chip or a memory chip with non-programmable logic.

Risk to privacy: No

Details: N/A

Use of surveillance – This includes surveillance technologies such as audio and video recording devices, thermal imaging, recognition devices, radio frequency identification, secret surveillance/interception, computer-aided monitoring—including audit trails and satellite surveillance.

Risk to privacy: No

Details: N/A

Use of automated personal information analysis, personal information matching, and knowledge discovery techniques – For the purposes of the directive on privacy impact assessments, government institutions are to identify activities that involve the use of automated technology to analyze, create, compare, identify, or extract personal information elements. Such activities include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, and information filtering and analysis. These activities involve some form of artificial intelligence or machine learning to uncover knowledge, trends, and patterns, and to predict behavior.

Risk to privacy: Yes

Details: The CRA relies on risk-assessment systems and research to determine which taxpayers are most likely to misunderstand their tax obligations. The CRA also uses the results of the risk-assessment systems to select files for audit. Risk analysis focuses on the identification of the potential for under-reported offshore income and undisclosed offshore assets.

The information from income tax returns may be used in automated matching processes where certain characteristics of a return are matched against income tax filing information and certain other risk factors such as previous audits when there is a taxpayer-requested adjustment. This information may be given to auditors or analysts for review.

The Business Intelligence and Risk Management Division, within the Business Intelligence and Corporate Management Directorate, Compliance Programs Branch, is responsible for providing support services to the International and Large Business Directorate, including the acquisition and maintenance of high-quality data, business intelligence, business analytics, and risk assessment services. As a result, the Business Intelligence and Compliance Risk Analysis Privacy Impact Assessment covers off most of the automated personal information analysis, personal information matching, and knowledge discovery techniques related to the International and Large Business Directorate programs.

The International and Large Business Directorate also does other analysis for file selection and business intelligence purposes.

G) Sending personal information

Personal information is sent using wireless technologies.

Level of risk to privacy: 4

Details: Auditors in the field use laptops with full disk encryption and standard secure remote access. The Information Technology Branch has developed an enterprise-wide telecommuting platform that gives users secure access to the Branch’s network. The current release of this platform is Secure Remote Access (SRA) 2.0.

SRA 2.0 lets users gain access to the CRA network through the Internet. This application is managed by Shared Services Canada. All users have to sign on with public key infrastructure, and there are policies and procedures to be followed.

Information may also be copied, exported, and sent between CRA systems (including the Foreign Reporting Requirements Management System; Integras; and the Compliance, Measurement, Profiling and Assessment System) for risk assessment, workload development, and auditing.

H) Risk to the individual or employee

Details: If a person’s personal information becomes compromised they may become a victim of identity theft, and their information may be used without their knowledge or consent in ways that could result in a financial or reputational loss to that person, such as the misuse of their credit card information, debts being incurred on their behalf, etc.

I) Risk to the institution

Details: Protecting privacy and confidentiality are paramount in the CRA’s administration of the International and Large Business Directorate’s programs.

The public must have confidence that the CRA is vigilantly maintaining compliance programs to ensure fairness. A breach of a taxfiler’s personal information could negatively affect the Agency’s strategic outcome to make sure taxpayers meet their obligations and Canada’s revenue base is protected. Negative media attention and decreased public confidence can influence compliance behaviour.