Workload Development and Business Intelligence: Business Compliance Programs
Collections and Verification Branch
Business Compliance Directorate
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Marc Lemieux
Assistant Commissioner
Collections and Verification Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Anne Marie Laurin
Acting Director General
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Returns Compliance
Standard or institution specific class of record:
Employer Compliance
CRA CVB 188
Corporations and GST/HST compliance
CRA CVB 186
Standard or institution specific personal information bank:
Employer Compliance
CRA PPU 120
Corporations and GST/HST compliance
CRA PPU 185
Legal authority for program or activity
Section 220 of the Income Tax Act and section 275 of the Excise Tax Act outline the Canada Revenue Agency’s responsibilities regarding the administration and enforcement of these acts.
Section 241 of the Income Tax Act and section 295 of the Excise Tax Act provide the legal authority for a CRA officer to provide taxpayer information to another CRA officer for the purpose of administering or enforcing these acts.
The social insurance number is collected under section 237 of the Income Tax Act and is used for identification.
Summary of the project, initiative or change
Overview of the Program or Activity
The activities of the Workload Development and Business Intelligence Section involve creating workloads and identifying unknown non-compliance in support of the following business compliance programs:
Corporations and GST/HST Compliance Programs:
- GST/HST Returns and Rebates Post Assessing
- Corporation Assessing Review
- Corporation Registration Review
- GST/HST Enhanced Registration Review
- GST/HST Delinquent Filer
- Other Levies Delinquent Filer
- GST/HST Non-Registrant
- GST/HST Business Compliance Examination
- Air Travellers Security Charge
Employer Compliance Programs:
- Employer Accounts
- Employer Compliance Audit
- Trust Accounts Examination
- Canada Emergency Wage Subsidy
- Canada Emergency Rent Subsidy
- Canada Recovery Hiring Program
The activities of the Workload Development and Business Intelligence Section include developing projects and workloads through identifying emerging risk, such as a growing underground economy, as well as doing research and analysis, to gain an understanding of taxpayer behaviour. Regional Workload Development Teams are responsible for assigning the core workload and identifying unknown non-compliance for officers in the Trust Account Examination Program.
The role of the research and analysis group is to detect, observe, measure, and report on populations, actions, events, and trends that are relevant to the business compliance programs. Verifiable information is interpreted in order to determine and describe the possible past, current, and future implications of actions and events of the business compliance programs.
The Workload Development and Business Intelligence section works with the Technology and Business Intelligence Directorate to deliver business intelligence solutions. Although both groups are involved in the business intelligence process, their roles are distinct. Workload Development and Business Intelligence officers meet with Business Compliance program officers on an ongoing basis to discuss business problems and develop requirements that are needed to solve problems. Technology and Business Intelligence Directorate officers use the requirements to develop business intelligence solutions. For example, it may be determined that in order to meet a business need, a program needs a query that lists all businesses with currently outstanding GST/HST returns. Technology and Business Intelligence Directorate officers will take these requirements and use data tools (a query) to isolate all businesses that have currently outstanding GST/HST returns. They then deliver this data, which is later provided to the program that had the business problem and made the request.
Workload Development and Business Intelligence officers also assist the program areas in analyzing this data. The results of the business intelligence activities enable the program areas to discover new insights about how their services could be delivered in ways that are more efficient and effective. This use of business intelligence information ensures program areas are more agile in addressing emerging risks and challenges, and allows the program areas to provide better service to taxpayers by implementing new compliance strategies and initiatives based on taxpayer behaviours.
Information for workload development is mostly derived from the Agency Data Warehouse, which houses data collected and created by CRA programs. For example, when individual tax returns are sent to the CRA, the data is stored in the CRA mainframe systems, loaded into the Agency Data Warehouse, and then made available to areas such as the Workload Development and Business Intelligence Section.
What’s New
The Workload Development and Business Intelligence Section uses information from the Third-Party Data Repository to analyze risks, identify taxpayer and business information that needs to be reviewed, and extract business intelligence. Third-party data includes information derived through memoranda of understanding with federal, provincial, and municipal bodies. Data is also obtained through federal court orders as part of a requirement for information unnamed persons document. The third-party data resides in a glasshouse managed by the Technology and Business Intelligence Directorate. More information about the third-party data within the glasshouse, its sources, and how it differs from the Agency Data Warehouse will be given in an update to the Collections and Verification Business Intelligence Privacy Impact Assessment.
Scope of the Privacy Impact Assessment
This privacy impact assessment (PIA) identifies and assesses privacy risks to personal information specific to the activities of the Workload Development and Business Intelligence Section in partnership with the regional workload development teams, in support of business compliance programs. This PIA supplements the Collections and Verification Business Intelligence Privacy Impact Assessment.
The results of business intelligence activities used for operational purposes are out of scope and are assessed in the PIAs of the individual business compliance programs.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
The results of business intelligence activities such as research papers, operational and performance reports, and predictive data mining are used to establish demographics, explore potential workloads, monitor inventory, and develop an algorithm for a risk score. Personal information, such as social insurance number, postal code, age, language, and gross income, is summarized to produce these results. Workload development and business intelligence officers may identify and send lists of accounts to the applicable business compliance programs as part of workload development.
Personal information is also used to identify and assess trends of non-compliant behaviour. Personal data is used to develop and enhance predictive data mining models. This same income tax data is used to help develop and enhance predictive data models. The output generated by a predictive data model is integrated into existing mainframe systems to enhance workload and risk management. The decision to use output from predictive data models to support business compliance programs and activities is determined by the program.
Prior to commencing activity on any new compliance initiative or project, the project originator (either a regional workload development team member or a headquarters functional authority) must complete a reporting compliance project checklist and follow a mandatory submission process in order to obtain director general approval that the initiative has met all necessary conditions.
B) Type of personal information involved and context
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
Personal information such as social insurance number, business number, financial information, the address of the taxpayer, postal code, age, language, gross income, net income, goods and services tax / harmonized sales tax, payroll, and corporate data are all used and summarized to produce business intelligence results.
Bulk third-party data is cleansed and matched by the technology and business intelligence officers with CRA Ident or Business Number System data (data linkage or matching), filtered using criteria set by the program, and made available as one of a number of data sources for business compliance program workload development. The matched data can also be used to extract business intelligence.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4
Details:
Information for the most part is derived from internal CRA programs. The data is also obtained through memoranda of understanding and data exchanges with federal, provincial, and municipal government partnerships, as well as through unnamed requirements for information from private-sector companies and organizations. Other types of third-party data sources include publicly available information, for a fee or for free (for example, social media websites).
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
Business intelligence activities play an important role in achieving the Agency’s mandate. These activities will likely continue with no sunset date.
E) Program population
The program affects certain individuals for external administrative purposes
Level of risk to privacy: 3
Details:
Workload development and business intelligence activities relate to most taxpayers. However, any decisions that may result in administrative actions taken on the non-compliant population are made by the business compliance programs. These activities are addressed in their privacy impact assessments.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details:
Bulk third-party data acquired through a court order is received from a third party by means of encrypted data on a portable device such as a CD/DVD disc or a USB key. The device is sent to the CRA by a courier or through registered mail. The password is supplied separately by email.
The device is immediately provided to local information technology officers for virus scanning and uploading of the data to internal CRA shared drives. The device is then disposed of by information technology officers in accordance with policy.
In the near future, the Collections and Verification Branch will have a secure channel for external sources to send third-party data electronically to the CRA, with automated virus and malware checks.
Workload development and business intelligence officers submit queries for business compliance programs workload development to technology and business intelligence officers using a web form on InfoZone. The user enters information in fillable boxes with drop-down menus. For security purposes, no sensitive information is communicated through this form. Sensitive information is conveyed through access-restricted, shared drives or encrypted emails after a query has been assigned to an analyst.
Workload development and business intelligence officers receive data from technology and business intelligence officers through a secured, shared drive in an Excel spreadsheet format. This drive is access-restricted, and the spreadsheet is password-protected. The password to the spreadsheet is provided to workload development and business intelligence officers through encrypted email.
For workload management purposes, the regional workload development teams make use of macros to pull unassigned trust account examination referrals from CRA mainframe systems into an Excel spreadsheet.
The regional workload development teams assign accounts to trust accounts examination officers through the Agency’s mainframe system.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or business. In the event of a privacy breach, loss, or misuse of taxpayers’ information, there may be opportunity for fraudulent activities or identity theft occurrences.