
SR&ED Program v 3.0 – Privacy impact assessment summary


On January 14, 2020, the CRA posted the Scientific Research and Experimental Development Program v 3.0 – Privacy impact assessment summary (PIA). This post will provide a summary of the assessment and its potential impacts.

SR&ED Program v 3.0 – PIA Summary

The CRA improved and simplified its retention and disposition authorities. One disposition authority has replaced the previous 18 authorities, while the retention schedule remains unchanged until further notice. Therefore, current Records Disposition Authorities (RDAs) are no longer valid; however, the SR&ED retention schedules are still valid.1

Additionally, the article addressed another change:

The SR&ED program has updated the appropriate section of this PIA to reflect the fact that it uses and discloses data from/to the Service, Innovation and Integration Branch (SIIB)/Agency, Analytics and Data Directorate Research and Development Environment (RDE) for research and analysis purposes. For further information, see the RDE PIA.1

All privacy risks identified in the PIA have been mitigated, reduced, or eliminated.1 This PIA has been updated to show changes to the retention and disposition authorities, new data sources and new data disclosures.

Risk identification and categorization

The following are part of the list of “Risk identification and categorization” from the report.1

  • Compliance / Regulatory investigations and enforcement
    • Level of risk to privacy: 3
  • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
    • Level of risk to privacy: 3
  • Private sector organizations or international organizations or foreign governments
    • Level of risk to privacy: 4
  • Long-term program
    • Level of risk to privacy: 3
  • The program affects certain individuals for external administrative purposes.
    • Level of risk to privacy: 3
  • Technology & privacy
    • Risk to privacy: No
  • Use of automated personal information analysis, personal information matching and knowledge discovery techniques
    • Risk to privacy: Yes
  • The personal information is used in a system that has connections to at least one other system.
    • Level of risk to privacy: 2

As business is increasingly conducted digitally, it is reassuring to read:

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No1

The report discussed the use of automated personal information analysis, personal information matching and knowledge discovery techniques, which were determined to pose a risk to privacy.1 This includes activities such as personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. These activities involve some form of artificial intelligence to uncover knowledge, trends/patterns, or to predict behaviour.1

Details: The Business Intelligence and Risk Management Division, within the Business Intelligence and Corporate Management Directorate of the International, Large Business and Investigations Branch, is responsible for providing support services to the SR&ED Program. This includes acquiring and maintaining high-quality data, business intelligence, business analytics, and risk assessment services. As a result, the Business Intelligence and Compliance Risk Analysis privacy impact assessment covers most of the automated personal information analysis, personal information matching, and knowledge discovery techniques as they relate to the SR&ED Program.

In addition, and given that Research and Development (R&D) activities currently taking place within CRA are largely decentralized, the authorized SR&ED program researchers and analysts use the business intelligence research and development environment established by the Service, Innovation and Integration Branch on behalf of the CRA to obtain necessary data for research and analysis purposes.1

Conclusion

The SR&ED Program v 3.0 – Privacy impact assessment summary is extremely informative with regard to privacy risks and the SR&ED program. If you are worried about your privacy with regard to the personal information you are required to provide the CRA, this article illustrates what steps the CRA has taken to safeguard your security.


  1. Government of Canada. (2019, December 23). Scientific Research and Experimental Development Program v 3.0 – Privacy impact assessment summary. Retrieved May 4, 2020, from https://www.canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/scientific-research-experimental-development-v3.html