By L.Kenway BComm CPB Retired
Edited May 13, 2024 | Revised April 13, 2024 | Originally Published on Bookkeeping-Essentials.com in 2009
It's a balancing act.
The Canada Revenue Agency (CRA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) both have guidelines for business record retention, but they serve different purposes.
CRA’s Guidelines
CRA’s guidelines pertain to tax-related documents. They stipulate that all records, including supporting documents and related financial files used to prepare income tax returns, must be kept for at least six years from the end of the last tax year to which they relate.
PIPEDA Guidelines
PIPEDA, on the other hand, mainly governs the collection, use, and disclosure of personal information in a manner that respects individual privacy. PIPEDA requires businesses to obtain an individual's consent when they collect, use, or disclose the individual's personal information and to ensure it is kept secure. It doesn't have a specific retention guideline and states that organizations should only retain personal information for as long as necessary to fulfill the identified purposes.
Is It Possible To Comply With Both?
It is possible to comply with both sets of guidelines, but businesses need to be cautious in doing so. For example, depending upon the nature of the records, organizations may face situations where they are required to retain certain personal information due to CRA requirements but will have to ensure that the methods and duration of storage align with the privacy rules established by PIPEDA.
No one that I know of ever said running a business in Canada was easy!
Section 230 of the Income Tax Act requires books and records be kept in a format that allows assessment and payment of taxes. The Excise Tax Act, Employment Insurance and Canada Pension Plan legislation also have this requirement. Who must keep these records:
Businesses must keep all records and supporting documents. Following is a general list of what must be kept:
Records generally refer to the organized method of documenting and summarizing accounting and financial information. This would include:
In addition, invoices MUST display sales tax information on a separate line OR by a statement that shows the amount of sales tax paid. Other invoicing information requirements must also be met.
When supporting documents are requested, it usually is a reference to source documents. Source documents are the original documents which prove the transaction occurred. Examples of this are:
If you are claiming the GST/HST input tax credits (ITCs), the detailed information required to support your claim is very specific.
How must you keep your records? Your records must be kept at your place of business or residence. They may not be kept outside of Canada, even if electronic access is available in Canada ... unless you receive CRA permission*. They must meet these criteria:
If you have more than one business, you must keep separate records for each business. It is also interesting to note that if the original transaction was electronic in nature, you must retain the original computerized or electronic files in a readable format ... even if you have printouts of the records.
The electronic format link above discusses CRA's policy on scanned receipts ... scanning is NOT the same as imaging. Articles I've read feel that scanned documents may be treated as secondary evidence in court the same way photocopies or microfiche images are. Scanned receipts will be subject to authentication.
CRA's GST/HST Memorandum 15-2, Computerized Records > Place of retention > Location outside Canada:
Point 16 states, "Persons with businesses that operate via the Internet and that are hosted on a server located outside Canada should be cognizant of their responsibility of maintaining their records within Canada. Persons with Internet-based businesses have the same responsibilities for record retention as all other business operators."
Does this mean cloud accounting options don't meet CRA's criteria? Yes and no. Yes, the servers are outside Canada, but the workaround is to have a copy of your General Ledger in CSV or PDF format on your local computer or hard drive. Keeping a backup of your file in Canada also works if you can remember to keep updating it so it is accessible.
Don't bother requesting permission from CRA. It is only provided in exceptional circumstances. Focus more on access to the data. A PDF file is a very accessible type of document, unlike data files, which are always being updated and upgraded to utilize the latest technology.
Large intensive data storage companies are becoming more accommodating in helping businesses in Canada meet data residency requirements. Check out where your SaaS providers store your business data.
CRA's Position On Electronic Records Location:
CRA Website - Keeping Records: "Records kept outside of Canada and accessed electronically from Canada are not considered to be records kept in Canada."
The general rule for business record retention is that records must be kept for six years from the end of the tax year to which they relate ... which really means seven years ... or as long as CRA has informed you (usually by registered letter).
The tax year is the calendar year for taxpayers and unincorporated businesses and the fiscal year for corporations.
Some records and supporting documents that must be kept indefinitely are:
Some situations have different business record retention requirements:
Records may be destroyed early if permission is received from CRA and any other relevant authority. File T137 Request for Destruction of Records with CRA. Early destruction without permission may lead to prosecution.
In Canada, privacy rules and data retention guidelines are mainly governed by two federal regulations, (i) the Privacy Act and (ii) the Personal Information Protection and Electronic Documents Act (PIPEDA) in addition to several provincial laws, where applicable.
Quebec, Alberta and BC have their own privacy laws similar to PIPEDA. The Privacy Act is currently under review to be modernized as much has changed since 1983.
Both Acts regulate how businesses can collect, use, and disclose personal information in the course of commercial activities. PIPEDA is based on 10 internationally recognized principles for protecting personal information:
Here are some key points of PIPEDA:
1. What you can collect:
Under PIPEDA, businesses can collect personal information for purposes that a reasonable person would consider appropriate in the circumstances. Businesses should identify these purposes to the individual at or before the time of collection.
2. Consent:
Organizations must obtain an individual's consent when they collect, use, or disclose the individual's personal information. The consent must be obtained in a manner that ensures that the individual understands what they are consenting to.
3. Limiting Collection:
The collection of personal information must be limited to that which is necessary for the identified purposes. Information must be collected by fair and lawful means.
4. How long to keep the data:
PIPEDA does not specify a particular period for data retention. However, organizations should only retain personal information for as long as necessary to fulfill the purposes identified. Once the personal information is no longer required, it should be destroyed, erased, or rendered anonymous.
5. Security Safeguards:
Organizations must protect personal information using security safeguards appropriate to the sensitivity of the information to protect it against loss, theft, unauthorized access, disclosure, copying, use, or modification.
Lastly, businesses must also adhere to specific industry or sector-specific regulations which may specify the types of data to be collected and retention periods.
Keep in mind that the exact rules can vary depending on the province and the type of data involved. As mentioned, Quebec, Alberta, and BC have their own privacy laws.
Reference: Justice Laws Website: Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) and Justice Proposals for discussion for modernizing the Privacy Act 2021-09-01
It's crucial to address privacy regulations on data retention as businesses often deal with confidential and sensitive data. In Canada, violation of privacy regulations can lead to legal complications, penalties, and reputational damage for the businesses.
Cybersecurity becomes an issue when records are kept electronically. Businesses should adopt robust cybersecurity measures to prevent data breaches - easy to say, harder to do. Implementing secure backups, firewalls, encryption, and user access controls are a few means of ensuring data safety - again easy to say, harder to do.
You may need the assistance of an IT security consultant initially to help you identify potential cyber risks and recommend a strategic solution customized for your business. Depending on the size of your business, you may need to consider ongoing managed IT services to take care of that part of your business so you can do the stuff you enjoy working on.
Here is a quick SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis on other aspects of data storage for businesses to consider:
The SWOT analysis above is not in-depth. It would be worth your while to do a more detailed SWOT analysis for your business. Generally, businesses should prioritize regular policy reviews, staff training, and a solid disaster recovery plan to ensure effective business record retention.
The CRA has legal rights to inspect the books and records of a business during an audit. The documents must be either in hard copy or electronic format. If these records are kept electronically, they must be in an electronically readable format even if you have paper copies.
While Canadian business owners are required to keep their computerized records in an electronically readable format for CRA to be able to review them, CRA, unlike the IRS, does not require actual access to your accounting program as a user.
It is my understanding that the CRA does not normally need the hardware or software used to create these records. They only ask for hardware or software when the data in electronically readable format cannot be converted into a standard accessible software type.
Here are two options to provide a CRA auditor with access to the information they require during an audit. I used the QuickBooks® Online (QBO) Canada platform as an example.
Option 1: If you decide to give a CRA auditor access, set them up as a Reports Only user, which requires read-only access. In QBO Canada, this will give the auditor access to all reports except the Audit Log and Payroll Reports. Intuit says the auditor will be able to create a group of reports, memorize a report, and drill down as far as a transactions report. However, they will not have the ability to view the actual transaction. Unfortunately, this type of user is only available in QuickBooks Online Plus and is not available in QuickBooks Online Essentials. This means you may need to upgrade your subscription during an audit if your auditor requires this type of access.
You may want to create a new business file that includes only the relevant audit period prior to giving the CRA auditor Reports Only access. It may be advisable to provide a fourteen-month period, which includes the month before and after the relevant period in case cutoff procedures affect the data, but check with your accountant before you do this.
Option 2: Another option if you use QuickBooks Online Canada is to export QBO data during a CRA audit. Exporting the data allows you to select only the data relevant to the dates you are being audited for. The export file will be in XLM format that you can provide to your CRA auditor.
If the auditor doesn't require actual access to your electronic data, you should be able to print out a group of PDF reports that meets the CRA auditor's information requirements.
It is always advisable to check in with your accountant prior to providing audit information to a CRA auditor. Your accountant will help you ensure you only provide the information needed for the auditor and nothing more.
Pay attention to CRA's record retention requirements and remember to factor in all the regulations pertaining to privacy and cyber security - where keeping too much information and for too long puts you at risk - not to mention the costs related to storing of the records.
Also keep in mind that I only discussed CRA's record retention requirements and PIPEDA's privacy rules. Other government agencies such as provincial finance departments or worker compensation boards may have different requirements.
1. Both CRA and PIPEDA have guidelines for business record retention in Canada, serving different purposes. CRA's guidelines are tax-related while PIPEDA governs personal information's collection, usage, and disclosure. Complying with both guidelines is possible but requires careful management, especially regarding personal information in line with both tax and privacy regulations.
2. CRA has specific rules about who should keep records, what records should be kept, how they should be kept and for how long.
3. PIPEDA privacy regulations also have specific rules regarding what can be collected, how it should be collected, and how long it should be retained. PIPEDA includes guidance on security safeguards for personal information.
4. Cybersecurity measures and data safety practices should be in place to avoid the risk of data breaches and safeguard against data loss or unauthorized use.
5. Regular SWOT analysis and policy reviews on data storage, especially as it relates to the Patriot Act and CRA's data residency requirements, are needed for businesses to reduce the likelihood of data breaches.
6. Businesses may consider engaging professional IT security consulting for comprehensive solutions and possibly ongoing managed IT services for maintaining the integrity and security of their records. This is especially important the more your business grows.
7. During an audit, CRA requires access to your business records. You have options on how you provide CRA access to your business's computerized books and records.