Privacy Impact Assessments

Table of contents

Introduction

Indigenous and Northern Affairs Canada (INAC) reinforces privacy management across the Department through the development of Privacy Impact Assessments (PIAs).

A Privacy Impact Assessment is an evaluation process which allows Aboriginal Affairs and Northern Development Canada to assess and evaluate privacy, confidentiality or security risks associated with the collection, use or disclosure of personal information, and to develop measures intended to mitigate and eliminate identified risks.

In accordance with the Privacy Impact Assessment Policy, Aboriginal Affairs and Northern Development Canada will conduct Privacy Impact Assessments for all new and significantly redesigned systems and programs involving the collection, use, or disclosure of personal information that raises unique or additional privacy, confidentiality, or security risks.

Institutions must develop and maintain PIAs to evaluate whether program and service delivery initiatives involving the collection, use, disclosure or retention of personal information comply with privacy requirements and to resolve privacy issues that may be of potential public concern.

Under Treasury Board Policy, all departments and agencies must conduct PIAs for proposals of all new programs and services that raise privacy issues. The PIA goes through an internal approval process, including approval by the Deputy Minister (or his/her delegate). In addition, the assessment is also sent to Office of the Privacy Commissioner for review.

Below are links to the executive summaries of all Privacy Impact Assessments completed by INAC:

Executive Summary-Income Assistance Program

This Privacy Impact Assessment (PIA) documents and defines the risk associated with the collection, use, disclosure and retention of the personal information required to administer the Income Assistance Program and the Reform component.

Indigenous and Northern Affairs Canada (INAC) Income Assistance Program provides funding to assist eligible individuals and families who are ordinarily resident on-reserve with basic and special needs services that are aligned with those provided to other residents of the reference province/territory. INAC invests approximately $865 million per year in support payments. As of 2012-2013, there were 162,255 residents on-reserve that benefited from Income Assistance. About 550 First Nations participate in the program (this figure does not include First Nations under self-government arrangements).

The program also funds the delivery of pre-employment measures designed to increase self-reliance, improve life skills and promote greater attachment to the work force. In the Economic Action Plan 2013, the Government of Canada announced a new investment of $241 million over four years to help support Income Assistance beneficiaries, aged 18-24, access a range of supports and services to help them enter and remain in the job market. This initiative, which is part of the Income Assistance Reform, is led by two departments: INAC and Employment and Skills Development Canada. Each department manages one of the two new components of the program and shares aggregated (non-personalized) data on their respective results.

In most regions, these services are provided by third parties (such as First Nations, First Nation organizations, and other service providers). Aggregated (non-personalized) data to administer the program is collected from these third parties. The use of aggregated data means that there are no risks relating to personal information.

The only exception to third party delivery is in the Yukon region where the INAC office directly administers the program and collects personal information from individuals accessing the services. Program officers for the Income Assistance Program are committed to managing a program that safeguards the information they collect about clients and their dependents.

The PIA risk analysis identified four medium and two low risks related to the management of personal information in the Yukon Region. No high or extreme risks were identified. The six risks have been integrated into a mitigation strategy under three specific categories: The Privacy Notice, the Personal Information Bank and Disposal of Electronic Records.

The medium risks are:

  1. The Privacy Notice provided to Income Assistance applicants during the data collection process is not compliant with the expectations of the Directive on Privacy Practices. The following modifications are required:
    • The legal authority to collect the information and the authority of the individual serving as an official contact need to be added to the privacy notice;
    • The privacy notice should include a reference to the Personal Information Bank (PIB) described in Info Source;
    • The retention and disposition schedule needs to be reflected in the privacy notice; and
    • The privacy notice should contain a reference to client rights of access to, correction of and protection of personal information under the Privacy Act (1985).

Prior to finalizing this report, these recommendations were addressed during the last annual update of the Data Collection Instruments on which the Privacy Notice is provided.

  1. The Personal Information Bank does not adequately document collection, uses, and disclosure of the information. The following inconsistencies were noted:
    • Categories of personal information are not reflected in the Personal Information Bank; and
    • Data matching that is cited in the Personal Information Bank does not appear to be occurring.

Prior to finalizing this report, these recommendations were addressed during the last annual update of the Personal Information Banks and Info Source.

  1. There is no specified time line provided for the disposal of electronic records in the Yukon Region's Tribal Administration System. Electronic records in the Tribal Administration System should be disposed of as specified in the Records Disposition Authority (RDA).

INAC will ensure that the Yukon Region's Tribal Administration System disposes of records in accordance with the Retention Disposition Authority.

  1. The Consent and Release of (personal) Information form for the Yukon region does not contain the retention and disposition schedule and needs to be modified to reflect that information.

INAC will ensure that the Yukon region's Consent and Release of Information form contains the appropriate retention and disposition schedules as defined by the Retention Disposition Authority and our Personal Information Bank.

Executive Summary - Assisted Living Program

The purpose of this report is to provide an assessment of the Assisted Living program's compliance to the Privacy Act (1985) and regulations as well as the directives and policies related to privacy issued by Treasury Board of Canada. It documents and identifies privacy-related risks in the collection, use, disclosure and retention of personal information required to administer the Assisted Living program.

Assisted Living is an income-tested program that provides funding for non-medical social supports and services for on reserve seniors and children and adults living with chronic illness or disabilities in three distinct areas of progressively intensive care needs:

Like other social programs, rates and eligibility criteria for these services are intended to align with that of the reference province/territory. The Assisted Living program is available to all individuals residing on reserve, or ordinarily resident on reserve, who have been formally assessed by a health care professional (in a manner aligned with the relevant province or territory) as requiring social support services. The Assisted Living program is delivered predominantly through third party Funding Recipients, such as Chiefs and Councils of First Nation bands.

The steps that use personal information for the program have been reviewed for compliance to privacy requirements. No interviews were conducted with Funding Recipients, the organizations responsible for program delivery. While privacy assessment of the Funding Agreement Model has been undertaken, the assessment focuses mainly on personal information that is received by INAC to issue funding agreements to the Funding Recipients.

The section below summarizes the deficiencies and risks that were identified in this Privacy Impact Assessment, as well as the actions INAC will undertake to address them.

  1. The Privacy Act (1985) only applies to the Government of Canada, and current Funding Agreements and program manuals do not adequately define the expectations of Funding Recipients with respect to the protection of personal information.
  1. The Privacy Act Statement provided to Funding Recipients during the data collection process is not compliant with the expectations of the Directive on Privacy Practices.
  1. The Personal Information Bank did not adequately document the collection, uses, disclosure and retention of the information.
  1. Personal information is stored on INAC's Social Shared Drive which does not have features relating to retention or disposal of information and only allows limited access levels.
  1. There is a lack of clarity as to what happens to personal information submitted by regular mail after the information is entered into the appropriate database.

INAC employees for the Assisted Living program are committed to administering a program that safeguards the information they collect about clients who are, by nature, a vulnerable class of individuals.

Executive Summary - Social Policy and Program Branch Compliance Activities

This Privacy Impact Assessment documents and defines the risks associated with the collection, use, disclosure and retention of the personal information required to administer Indigenous and Northern Affairs Canada's (INAC) Social Policy and Program Branch Compliance Activities.

INAC's Social Policy and Programs Branch deliver funding for five social programs: Income Assistance, National Child Benefit Reinvestment, Assisted Living, Family Violence Prevention Program and First Nations Child and Family Services. Over the past few years, the Operations and Quality Management Directorate has been developing and updating tools, manuals, guidelines and templates in order to enhance the management controls for these programs including program compliance. Funding recipients must deliver programs in accordance with their funding agreements and the program delivery requirements set out in the National Manual. Personal information is often required during activities such as desk and on site compliance reviews. This Privacy Impact Assessment focuses on the information management and privacy processes, practices, risks and controls associated with the Social Policy Program Branch's compliance activities.

The Privacy Impact Assessment identified three high-level privacy risks around documentation and communication of procedures for the transmission, safeguarding and retention of personal information collected through compliance activities. One medium risk was also identified through the Privacy Impact Assessment. The following recommendations were provided to INAC for consideration:

  1. Notice: Ensure that funding agreements contain appropriate privacy protection provisions including a requirement to provide an adequate privacy notice to individuals.

INAC will ensure that funding agreements and program manuals contain appropriate privacy protection provisions including a requirement to provide an adequate notice to individuals. Management will take into consideration Treasury Board Secretariat's guidance document-Taking Privacy Into Account Before Making Contracting Decisions.

  1. Retention: Communicate to Regional Officers the requirements for retention of compliance paper files and incorporate retention requirements within the Education and Social Development Programs and Partnership's Program Recipient Compliance Review Handbook.

Once retention requirements for paper compliance files are defined, INAC will ensure that the requirements for retention are communicated to all regions and incorporate the retention requirements within the Education and Social Development Programs and Partnership's Program Recipient Compliance Review Handbook. INAC will also undertake quality assurance activities to ensure regional implementation.

  1. Transmission of Documents: Develop and communicate guidance on the appropriate methods to transmit documents from the Funding Recipient to the department to comply with departmental guidelines for protecting and handling information.

INAC will incorporate specific guidelines on the appropriate methods for document transmission from the Funding Recipient to INAC within the Education and Social Development Programs and Partnership's Program Recipient Compliance Review Handbook. These instructions will be consistent with INAC's guidelines for protecting and handling of personal and private information.

  1. Portable Devices: Incorporate requirements from INAC's Portable Storage Device Protection and Disposal Standard into the Education and Social Development Programs and Partnership's Program Recipient Compliance Review Handbook to ensure that compliance officers understand the requirements and standards for portable devices.

INAC will incorporate the requirements from the departmental Portable Storage Device Protection and Disposal Standard, approved July 1, 2014, within the Education and Social Development Programs and Partnership's Program Recipient Compliance Review Handbook to ensure that compliance officers understand the requirements and standards for portable devices.

Executive Summary - First Nations Child and Family Services Program

This Privacy Impact Assessment (PIA) documents and defines the risk associated with the collection, use, disclosure and retention of the personal information required to administer Indigenous and Northern Affairs Canada (INAC)'s First Nations Child and Family Services Program and the First Nations Child and Family Services Information Management System that was launched in April, 2013.

The objective of the First Nations Child and Family Services Program is to support culturally-appropriate prevention and protection services for First Nation children and families residing on reserve, in accordance with the legislation and standards of the province or territory of residence. The anticipated result is a more secure and stable family environment for children on reserve. INAC's First Nations Child and Family Services Program is delivered through recipient funding to approximately 100 First Nation child and family services agencies through Funding Agreements. These family services agencies are established, managed and controlled by First Nations and delegated by provincial or territorial authority. Federal funds are provided on the condition that the agency is mandated by the province or territory in accordance with provincial or territorial legislation standards. In every province and in Yukon, consideration of a child's cultural heritage is an aspect of the provincial and territorial Child and Family Services legislation. The legislation and standards vary by jurisdiction and are subject to change.

All aspects of the program have been reviewed for compliance to the requirements of the Privacy Act (1985). No interviews were conducted with Funding Recipients, the organizations responsible for program delivery. While an assessment of the Funding Agreement Model has been undertaken as part of this work, the assessment mainly focuses on personal information received by the department at Regional offices in the administration of the program.

The section below summarizes the deficiencies and risks that were identified in this Privacy Impact Assessment, as well as the actions INAC will undertake to address them.

  1. The Privacy Notice provided to Funding Recipients during the data collection process is not compliant with the expectations of the Directive on Privacy Practices.

Based on the results of this assessment, modifications to the privacy notice during the data collection process have already been implemented as part of the yearly Data Collection Instrument (DCI) review and update.

  1. The Personal Information Bank does not adequately document collection, uses, and disclosure of the information.

As part of this Privacy Impact Assessment, recommendations on modifications to the Personal Information Bank have been made and will be integrated in 2015.

  1. Funding Agreement Models and/or program manuals do not provide the Funding Recipient with appropriate requirements to protect the personal information of the client, notably regarding the provision of notice to clients, limitations of disclosure, and safeguard requirements.

The department will strengthen Funding agreements and/or program manuals to clearly state expectations of the Funding Recipients regarding the protection of personal information.

  1. The current retention/disposal schedule for personal information does not allow the program to evaluate Key Performance Indicators concerning recurrent use of services.

Based on this Privacy Impact Assessment, INAC has revised the retention schedule to reflect the true retention of personal information. The revised retention schedule has been communicated in the Personal Information Bank.

  1. Personal information collected on the Data Collection Instrument (DCI) is stored in multiple systems within the department. This creates a risk of uncontrolled access, and unclear retention and disposal rules.

INAC will continue to examine ways to streamline how data is collected and stored so as to eliminate any areas of needless duplication.

A risk mitigation strategy has been developed in order to ensure that all of the identified risks are addressed.

Secure Certificate of Indian Status: Return to Original Documents - Privacy Impact Statement Executive Summary

This report contains a Privacy Impact Assessment (PIA) for the Indian Secure Certificate of Indian Status – Returning Document (SCIS) project. The purpose of this PIA is to provide recommendations to mitigate any privacy issues or risks that may be identified with the SCIS – Returning Document project. A Privacy Impact Assessment (PIA) was conducted in November 2002 on the full Indian Registry System / Secure Certificate of Indian Status (IRS/SCIS).

This PIA is restricted to the processes related to the return of original documents (the SCIS – Returning Document project).

The Indian Act sets out the necessary criteria that a person must meet in order to be registered as an Indian and identifies Indigenous and Northern Affairs Canada (INAC) Registrar officer as responsible for maintaining the Indian Register. Section 87 of the Indian Act, confers certain rights and privileges to status Indians living on reserve. The rights apply to benefits such as tax exemptions for goods purchased on, or delivered to reserves and to health care benefits.

The Registrar is responsible for determining who is entitled to be registered as an Indian and to enter the names into the Indian Register. As a result, all persons seeking to be registered must apply to the Registrar in Ottawa. However, once an applicant has been registered, however, all subsequent administration of their record (including births to registered parent[s]) is normally delegated to the regions or First Nations employed Indian Registry Administrators (IRAs).

After the Registrar has determined that an individual is registered as an Indian the individual may apply for the Secure Certificate of Indian Status (SCIS), commonly referred to as a Status Card or Treaty Card. The application is processed and distributed both by INAC, districts offices and by Indian Registry Systems (IRSs). The SCIS is issued by one centralized National Print Center.

The Operations Directorate of the Secure Integrated Registration and Card Unit (SIRCU) will continue to receive SCIS applications and, will be returning original documents applicants through non-registered first class mail. While the use of registered, secure mail would be considered a best practice to ensure that the intended recipient receives potentially sensitive documents, this practice is no longer sustainable.

The new process will send documents such as birth certificates and identification documents back to the recipient through regular mail. The use of regular mail for the return of these documents is consistent with government security policies and with the RCMP'sGuide G1-009 Standard for the Transport and Transmittal of Sensitive Information and Assets, which allow government departments to send documents up to a Protected B classification through regular mail.

There are a number of risks that the SIRCU Program faces by returning original documents through regular mail. The use of non registered mail will mean that the delivery status of mail will be unknown. Mail may be lost, returned unopened to SCIS, disposed of or intercepted for nefarious purposes.

SIRCU Program Management have already proposed and are in the process of developing additional controls to mitigate the impact of original documents that may be lost through regular mail. The mitigation measures proposed include:

SIRCU will ensure that applicants are aware that original documentation submitted to SIRCU at the time of application will be sent back to the applicant through regular mail. Also, instructions should also give the applicant alternative options to sending in their application should they not wish to send original documents to SIRCU. Applicants are able to contact the SIRCU Program through the SCIS Call Centre if original documents are lost through regular mail.

Business Support Decision – Privacy Impact Assessment Executive Summary

Under the Chief Financial Officer Sector Information Management Branch, the Business Decision Support (BDS) Directorate provides a corporate service for the Department of Indigenous and Northern Affairs Canada (INAC). The primary purpose of the service is to provide departmental clients and select stakeholders with Business Intelligence (i.e., insight) based on, and drawn from, corporate and administrative program data.

Privacy Impact Assessments (PIAs) take a close look at how government departments protect personal information as it is collected, used, disclosed, stored and ultimately destroyed. These assessments help create a privacy-sensitive culture in government departments. This PIA report has been prepared to report to management on privacy related to Business Decision Support's Business Intelligence Program and its Enterprise Data Warehouse (EDW).

BDS provides departmental end-users with permission-based Business Intelligence. Business Intelligence can be described as evidence-based reporting, either as pre-formatted outputs such as dashboards or as ad-hoc reports where the end-user decides what data to query. Business Intelligence draws from corporate (e.g., Finance, Human Resources) and administrative program (e.g., Education Information System, First Nation & Child and Family Services) data sources in the department and sometimes integrates data from multiple sources (e.g., employee costs drawing on human resource and financial data). Business Intelligence can support functions such as decision-making, research and analysis, performance measurement, planning, as well as accountability and reporting.

The responsibilities of the Business Decision Support Directorate are to:

Departmental data custodians (i.e., the "owner" of the data) remain solely responsible for the source data stored in the authoritative systems, and for ensuring that all BI data requirements provided to the BDS team fall within their legal authority as custodians of the source data.

The business owner roles are to:

End-users accessing the BDS reporting solutions are responsible for the appropriate use and dissemination of any information they generate using these solutions. Information accessed by these users must be safeguarded under the provisions of the Government of Canada's Security Policy and release of any information contained herein, to any person not authorized by the originating agency to receive it, is strictly prohibited.

Information Management Branch plays peripheral roles relating to providing infrastructure (e.g., servers, IT Security) and support (e.g., Service Desk).

Responsible authorities in INAC have committed to taking further action to mitigate eight privacy risks identified in the PIA process. Of these risks, six (6) have been identified as low, and two (2) have been deemed a medium, while none (0) are high risk level.

BDS will:

ATIP office will:

Integrated Environmental Management System (IEMS)

As part of the Government's plan for Responsible Resource Development, which seeks to modernize the regulatory system for project reviews, the Canadian Environmental Assessment Act (S.C. 1992, c. 37) was repealed when the Canadian Environmental Assessment Act, 2012 (CEAA 2012) came into force on July 6, 2012.

Pursuant to s.67 of CEAA 2012:

An authority must not carry out a project on federal lands, or exercise any power or perform any duty or function conferred on it under any Act of Parliament other than this Act that could permit a project to be carried out, in whole or in part, on federal lands, unless (a) the authority determines that the carrying out of the project is not likely to cause significant adverse environmental effects; or (b) the authority determines that the carrying out of the project is likely to cause significant adverse environmental effects and the Governor in Council decides that those effects are justified in the circumstances under subsection 69(3).2012, c. 19, s. 52 "67", c. 31, s. 431(E).

Additionally, s.71 requires that federal authorities, at the end of each fiscal year, report to Parliament on its activities under sections 67 to 69 during the previous fiscal year and make that information available to the public.

In response to CEAA 2012, the Environment Directorate, Lands and Environmental Management Branch of the Department of Indigenous and Northern Affairs Canada (INAC) has developed an Environmental Review Process for projects and considers their environmental effects prior to issuance of a permit, lease, licence or other authorizations. As a result, to better manage environmental reviews under this new process, the Environmental Assessment component of the Integrated Environmental Management System (IEMS) was enhanced by creating an Environmental Review - Project Description Form (Form). This Form will gather the preliminary information required to assist in the determination of the potential environmental effects of a proposed project, and in turn, to report to Parliament. Other objectives in the IEMS enhancement are to document due diligence, improve national consistency, implement shorter timelines in providing a recommendation on environmental effects to all implicated programs, as well as other benefits in having the information documented electronically.

The personal information contained in IEMS and in the Form will be limited to name, contact information and position/role of the Proponent or individual representing the Proponent. All of the remaining information will be of an environmental nature.

The objectives of the PIA are to ensure privacy principles are taken into account in the design and execution of the enhancements to IEMS and creation of the Form. To identify any privacy risks associated with the enhancements, and recommend mitigation strategies to limit those risks to an acceptable level.

The PIA did not identify any high level privacy risks. Risks of a low and moderate nature were identified and the following recommendations provided (refer to Summary of Privacy Risks Analysis for additional details):

Privacy Principle Recommendations
Accountability Recommend revising existing procedural or process documents to reflect the responsibilities of the Environmental Review Team (ERT) with respect to the protection and handling of personal information, including the Operational Procedure.
Openness Recommend publishing procedural documents on INAC's website so the public is aware of how INAC handles personal and other information.
Recommend requesting that a Personal Information Bank be created.
Individual Access Recommend establishing ways by which individuals may access their personal information.

Environment Directorate has developed an Action Plan to follow-up on all these recommendations.

Nunavut Map Selection

The Privacy Impact Assessment (PIA) process is designed to assure Canadians that privacy principles are taken into account in the design and execution of government programs and services.

Virtually all government institutions, as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations, must conduct PIAs for new or redesigned programs and services that raise privacy issues.

PIAs take a close look at how government departments protect personal information as it is collected, used, disclosed, stored and ultimately destroyed. These assessments help create a privacy-sensitive culture in government departments.

Northern Mineral Resources, in conjunction with the Lands and Contaminated Sites Directorate, Nunavut Regional Office, is in the process of developing the new Nunavut Map Selection Solution to provide an on-line map selection system to the general public conducting mineral claim searches and to named users who will select mineral claims from a map. It is expected that the general public will mostly consist of exploration and mining industry users in Canada and elsewhere. An audit trail to identify access to the information is planned as part of the Confidentiality measures to be implemented in the new Nunavut Map Selection Solution.

The personal information contained in map selection will be limited to the name and contact information of the people who own a mineral claim and is required by the Nunavut Mining Regulations.

The purpose of the PIA is also to report and manage privacy related risks identified in this process. The PIA did not identify any high-level privacy risks. Risks of a low and medium level were identified and the following recommendations are provided (refer to Summary of Privacy Risk Analysis for additional details):

  1. The Director, Lands and Contaminated Sites, Nunavut Region should make sure staff have up to date ATIP training and are aware of the information they collect and under what authority it is collected.
  2. The Director, Lands and Contaminated Sites, Nunavut Region should make sure that the map selection system includes a statement reflecting why information is being collected.
  3. The Director, Lands and Contaminated Sites, Nunavut Region should ensure the Privacy notices are updated based on the current template provided by ATIP and should be applied at all points of collection.
  4. The Director, Lands and Contaminated Sites, Nunavut Region should work with ATIP to ensure the Personal Information Bank (PIB) is updated for the annual Info Source update in June 2014.
  5. The Director, Lands and Contaminated Sites, Nunavut Region should ensure that no fields for collecting credit card information or social security numbers are included in the NMS system.
  6. The Director, Lands and Contaminated Sites, Nunavut Region should ensure there will be no direct links to any third party databases which will prevent accidental disclosure by containing the data in one, monitored and known environment.
  7. The Director, Lands and Contaminated Sites, Nunavut Region should ensure staff will be trained in procedures to handle accidental breaches of information and will use approved methods to handle such events.
  8. The Director, Lands and Contaminated Sites, Nunavut Region should ensure staff will be trained in how to identify inaccurate information and what steps to take to properly document what needs to happen to correct it.
  9. The Director, Lands and Contaminated Sites, Nunavut Region should ensure staff are trained in the sensitivity of the information they collect and enter, for example never giving out your passwords, or leaving a computer without locking it or logging out.
  10. The Director, Lands and Contaminated Sites, Nunavut Region should ensure there are planned yearly reviews of the system that will include: a review of the audit logs and a review of the information contained in the consent form.

TeamMate System

Indigenous and Northern Affairs Canada's (INAC) Assessment and Investigation Services Branch (AISB) is a component of the Audit and Evaluation Sector. AISB is responsible for planning, organizing and conducting/managing examinations, assessments, investigations, forensic audits and special examinations based on allegations received from First Nation and Inuit members, Chief and councils, INAC employees, suppliers and contractors, and the general public related to the misuse or misappropriation of INAC funding or wrongdoing. AISB is also responsible for assessing and processing band members' complaints related to the provision and administration of programs and services in accordance with the terms and conditions of funding agreements.

AISB is in the process of customizing new software, TeamMate, which was recently implemented in the Audit and Assurance Services Branch (AASB) in the Audit and Evaluation Sector. The software will be used to track allegations and complaints and to assist AISB in its reporting requirements. Approximately 25 persons will use AISB TeamMate across Canada within INAC.

The personal information contained within TeamMate will be limited to name and contact information of complainants (if the complainant has voluntarily provided their name and contact information), as well as the nature of the complaint itself. The process allows for the anonymous submission of allegations and complaints.

The PIA focused on the Implementation of AISB Teammate and the use of AISB TeamMate by AISB staff and Regional Allegations and Complaints Coordinators. The activities conducted to assess/investigate allegations and address complaints are not within the scope of this PIA.

The PIA did not identify any high-level privacy risks. Risks of a moderate and low nature were identified and the following recommendations provided (refer to Summary of Privacy Risk Analysis for additional details):

  1. The Director AISB should amend the Policy on Dealing with Allegations and Complaints to specifically outline AISB's responsibilities with respect to the handling of personal information in accordance with the Privacy Act.
  2. The Director AISB should amend the privacy notice for allegations and complaints to comply with the privacy notice requirements outlined within TBS' Directive on Privacy Practices.
  3. The Director AISB should ensure that privacy notices provided across all mediums of collection are consistent. This should also include the acknowledgement letter sent back to the complainant.
  4. The Director AISB should work with the IMB to develop a formal process to ensure that personal information is retained within AISB TeamMate, CIDM and RACS according to the Library and Archives Canada requirements (which are currently under review) and then securely disposed.
  5. The AISB Director should ensure that Procedures for Handling Allegations and Complaints are updated to reflect the use of TeamMate and updated to ensure that users do not enter personal information in the Description/Nature of Complaint field.
  6. The AISB Director should ensure that training provided to AISB staff and Coordinators on AISB TeamMate includes training on privacy principles and information management and security procedures.
  7. The AISB Director should work with Department Security or IM/IT to ensure that the original TRA is updated to reflect AISB configuration and separate instance of Teammate to ensure that safeguards are commensurate with the sensitivity of information recorded.
  8. The AISB Director should work with IMB and AASB to develop and implement a formal quality assurance and review program for AISB TeamMate to ensure application security is appropriate.
  9. AISB Director should ensure that PIB INAC PPU 151 is updated to reflect the replacement of RACS with AISB TeamMate and accurately describes the purpose for collection, consistent uses and disclosures.

*AISB has developed an Action Plan to follow-up on all these recommendations.

Education Information System (EIS)

Background

The Department of Indigenous and Northern Affairs Canada (INAC) and its Education Branch are responsible to provide mandated services to the Canadian Aboriginal Communities and its student population. All personal information collected and managed by Government of Canada (GC) Departments or Agencies must respect the GC Privacy Act. The GC Privacy Act requires, whenever practicable, that GC Departmental Programs communicate and seek consent directly with the individuals providing their personal information to explain: (what) the information required; the purpose (why) this information is required; how this information will be used and safeguarded; if/when/how and to whom this information may be disclosed; and their individual rights and processes under the Privacy Act to access any of their personal information. First Nations also embrace an evolving set of information management principles, known as First Nation OCAP Footnote 1. principles, for individuals and communities' rights to privacy and how information ought to be safeguarded.

The partnership between INAC and First Nations is of prime importance to the enforcement of and compliance to the Privacy Act, as First Nations are often the primary, if not the only contact with the individuals comprising the student population.

The Office of the Privacy Commissioner (OPC) is responsible for the overall administration of the Privacy Act within each Department / Agency and provides an authoritative conduit to address Canadian's concerns about the management of personal information. Specific Treasury Board Secretariat (TBS) Policies, Standards, and Guidelines assist GC Departmental Programs to complete Personal Impact Assessment (PIA) and to report annually to Canadians through the publicly accessible InfoSource web site, where all Personal Information Banks Footnote 1 (PIB) are maintained.

Main Findings

This report is a Privacy Impact Assessment (PIA) which addresses all elements of personal information related to the new INAC ducation Branch Program IM/IT solution, the Education Information System (EIS). EIS delivers on the opportunity to develop a comprehensive national education information system for school/institution-based learning in which INAC and First Nations have a shared interest and responsibility. INAC, in participation with First Nations, collects pertinent and personal information to confirm the identity of individuals and to assign, track and monitor specific elements of the services offered by INAC's Education Branch.

The EIS Application is a systematic improvement in the collection, centralization and management of information currently gathered by First Nations and INAC Regional staff members via disparate, largely manual, processes. EIS is the enabling component of the2008 Reforming First Nation Education initiative.

The scope of this PIA is limited to an analysis of the collection, use, retention and disclosure of personal information in the EIS. The focus of the PIA is on the identification, usage and assessment of the EIS Application personal information. As a minimum, the system must ensure adherence and compliance to the following PIA principles: Principle 1 — Accountability; Principle 2 — Identifying Purposes; Principle 3 — Consent; Principle 4 — Limiting Collection; Principle 5 — Limiting Use, Disclosure, and Retention; Principle 9 — Individual Access.

This report presents a complete listing and privacy assessment for each Personal Information (PI) element of the INAC Education Program. Each element (individually and collectively with the ensemble of these PI elements) has been assessed for privacy sensitivity (confidentiality), the integrity importance and availability requirements. The EIS personal information present in the application repository and managed through DCI forms has been grouped into seven (7) information Clusters to facilitate the dataflow review and privacy impact assessment. These clusters are closely aligned to the EIS DCI forms grouping and are: Students (NR), Special Education, Post-secondary education, Education staff information, First Nations and Inuit Youth Employment Strategy (FNIYES), Recipients & DCI handlers, and Authentication.

Protected B

The findings of this report support the initial EIS privacy and security requirements assessment report stating the EIS application will manage up to Protected B information, since it uses the Indian Registration Number contained within the Indian Registry System (IRS), which has a Protected B (PB) confidentiality level, to validate the student population. EIS will also contain certain personal medical conditions information purposely not associated with a specific student identifier. Therefore, due to several personal information elements collected and aggregated by EIS, the overall significant numbers of records and the inherent First Nations and geographical groupings, the overall EIS repository is rated as PB information.

Risks and Mitigation

The PIA technical risk assessment and mitigation recommendations are often expressed in the term of IM/IT security requirements. The security Threat Risk Assessment (TRA), and Certification and Accreditation processes are planned to ensure that these privacy security requirements and recommendations are in place prior to officially launching the EIS. However, a number of the PIA risks identified are not purely technical in nature, and have been addressed at the business operational and procedural levels.

As a result, access restrictions, security controls and safeguards have been identified and will be implemented to sufficiently address these requirements and lower the overall operational risks to an acceptable level to the INAC Education Program Service Delivery Manager (PSDM), in consultation with key stakeholders as deemed necessary. They have been addressed in the report. No major issues are expected.

Executive Appointment System (EAS)

The Corporate Secretariat is responsible for the management of ministerial appointments of qualified and experienced individuals to crown corporations, organizations, agencies, boards and commissions. Indian and Northern Affairs Canada (INAC) is responsible for appointing approximately 278 individuals across the country from coast to coast.

Currently, the Corporate Secretariat is using a dated system to manage its mandate. As a direct result, the reporting structure lacks efficiency and is no longer considered as an effective management tool. Consequently, users are often required to run reports manually. In addition, the Microsoft Access system is used as a base for the core of the program and maintaining the software has become onerous as the department has adopted the Oracle database standards for the majority of its systems, rendering internal Information Technology (IT) support obsolete.

The proposed updated Executive Appointment System (EAS) will enable users to create and manage Ministerial appointments and employment contracts. Oracle will be implemented as the supporting software framework, thus enabling immediate on-site IT support when required. In addition to salary information and the storing of resumes, the program will also include a Bring-Forward system. The reporting structure will be redesigned to support user needs and administrators will have greater control in maintaining reference tables such as sectors and organizations (boards, commissions, claims, etc.). New security features will promote tighter access controls and limiting access. All folders modified by users are tracked by an audit trail. The fields in the folder cannot be audited, instead when a folder is modified the user is provided general information about what has been changed, when it was changed and by whom. To examine the changes a user must enter the system and find the record that was modified. Rather than each individual field being audited, one can view which folder has been modified along with a viewable version of the unmodified folder.

When personal information is collected, the department is required to complete a Privacy Impact Assessment (PIA), or a Preliminary Privacy Impact Assessment (PPIA) depending on the scope of the project and the information collected, to identify any privacy issues at the onset of the development cycle and can be reevaluated at any time. The purpose of the exercise is to ensure that the personal information which is being collected is used appropriately within the boundaries of the Privacy Act and limit the collection of personal information. The EAS will collect personal information and as such INAC has initiated a Privacy Impact Assessment accordingly.

The PIA methodology and approach outlined in the Treasury Board of Canada Secretariat' (TBS) Privacy Impact Assessment Guidelines document are used as the basis for this privacy assessment of the EAS. The scope of this PIA is limited to INAC's collection, use, retention and possible disclosure of personal information in the context of the Executive Appointment System.

In conducting interviews and reviewing the documentation provided for the PIA, it became apparent that departmental officials wish to incorporate privacy as a core element at the early design stage of the project. Mitigating the following privacy issues that have been identified will greatly contribute to designing a privacy-friendly Executive Appointment System.

Treaty Payment System (TPS)

The Government of Canada (GoC) and the courts understand treaties between the Crown and Aboriginal people to be solemn agreements that set out promises, obligations and benefits for both parties. Starting in 1701, in what was eventually Canada, the British Crown entered into solemn treaties to encourage peaceful relations between First Nations and non-Aboriginal people. Over the next several centuries, treaties were signed to define, among other things, the respective rights of Aboriginal people and governments to use and enjoy lands that Aboriginal people traditionally occupied.

In order to manage data resulting from the fulfillment of Canada's treaty payment obligations, the Treaty Payment System (TPS) was deployed under the authority of Lands and Trust Services Sector (LTS) in 1995. The treaty payment process is a unique blend of treaty obligation and tradition, which shapes the practice and procedure of treaty payment. The TPS has been re-developed by Indian and Northern Affairs Canada (INAC) - Indian Monies, Estates and Treaty Annuities Directorate (IMETA) in May 2005 and is fully supported by INAC, Chief Financial Office (CFO). The new TPS application is a web-enable system that will completely replace the current TPS, including functionality and data. The new system will be accessible via the Internet through Indian and Northern Affairs Canada secured Intranet. The TPS will maintain personal information collected by INAC. INAC has initiated a Privacy Impact Assessment (PIA) to investigate the privacy implications of the TPS and to ensure that privacy issues are identified at the early stages of the project development cycle and appropriately addressed in future phases of the project.

The TPS web application complies with the Common Look and Feel (CLF) standards set out by the Treasury Board Secretariat (TBS).

The Privacy Impact Assessment (PIA) methodology and approach outlined in the Treasury Board of Canada Secretariat's Privacy Impact Assessment Guidelines document are used as the basis for this privacy assessment of the TPS. The scope of this PIA is limited to INAC's collection, use, retention and possible disclosure of personal information in the context of the Treaty Payment System.

In conducting interviews and reviewing the documentation provided for the PIA purpose, it became apparent that the INAC Treaty Payment System services officials wish to incorporate privacy as a core element of the projects' design. Mitigating the following privacy issues that have been identified will greatly contribute to designing a privacy-friendly Treaty Payment System.

National Post Secondary Education

Indian and Northern Affairs Canada (INAC), through its Post-Secondary Education (PSE) Program, promotes the post-secondary education of Indians, Inuit and Innu. INAC is in the process of developing a Web-enabled PSE Program management tool, called the National Post-Secondary Education system (NPSES), that will automate and streamline the post-secondary education update process and provide a system that Administering Organizations can use to better update and access their own information and to improve management of their respective post-secondary education programs.

The NPSES will maintain personal information collected by Administering Organizations. Consequently, INAC has initiated a Privacy Impact Assessment (PIA) to investigate the privacy implications of the NPSES and to ensure that privacy issues are identified at the early stages of the project development cycle and appropriately addressed in future phases of the project.

The Privacy Impact Assessment (PIA) methodology and approach outlined in the Treasury Board of Canada Secretariat (TBS') Privacy Impact Assessment Guidelines document are used as the basis for this privacy assessment of the PSE Program/NPSES. The scope of this PIA is limited to INAC's collection, use, retention and possible disclosure of personal information in the context of the NPSES, it does not address privacy issues related to the management of personal information by individual Administering Organization or their delegates.

In conducting interviews and reviewing the documentation provided for PIA purposes, it became apparent that the NPSES officials wish to incorporate privacy as a core element of the programs' design.

Web-Based Inquiries

Indian and Northern Affairs Canada (INAC) has responsibility for meeting the federal government's constitutional, treaty, political, and legal responsibilities to First Nations, Inuit and Northerners.

The INAC Departmental Library has responsibilities not only for library services but also for administering the Public Enquiries services. To fulfill this responsibility, the Departmental Library has been utilizing a supporting database called Callbase to record the enquiries. To improve the services offered through the Public Enquiries process, the Departmental Library is initiating a project to create a web-based version of the database to enable sharing of the database among the regional and headquarters Public Enquiries staff. In hand with this change will be an increase in the number of staff tasked with responding to public enquiries. On average, the existing Public Enquiries service receives 24,000 enquiries per year.

The web-based database and the public enquiries services will collect personal information that is mainly considered not to be particularly sensitive, and designated as Protected "A" under the Government Security Policy. Consequently, INAC has a requirement to conduct a Privacy Impact Assessment (PIA) on the Web-based Public Enquiries service to ensure that privacy issues are identified and that appropriate mitigation strategies are identified. The Privacy Impact Assessment (PIA) methodology and approach outlined in the Treasury Board of Canada Secretariat (TBS)' Privacy Impact Assessment Guidelines document are used as the basis for this privacy assessment. The scope of this PIA is restricted to the business process and basic data flows of personal information associated with the Web-based Public Enquiries System.

In conducting interviews and reviewing the documentation provided for PIA purposes, it became apparent that INAC Public Enquiry services officials wish to incorporate privacy as a core element of the projects' design.

Human Resources Management System (HRMS)

Indian and Northern Affairs Canada (INAC) has responsibility for meeting the Federal Government's constitutional, treaty, political, and legal responsibilities to First Nations, Inuit and Northerners. To fulfill this mandate, the Department must work collaboratively with First Nations, Inuit and Northerners, as well as with other federal departments and agencies, provinces and territories.

Indian and Northern Affairs Canada has utilized the PeopleSoft Human Resources Management System (HRMS) product since 1995. The GoC has created a PeopleSoft cluster group which is tasked with customizing the PeopleSoft Human Resources Management System on an ongoing basis for the GoC environment (i.e. the PeopleSoft GoC edition), and which serves as the contact point for Departments for PeopleSoft-related issues. Indian and Northern Affairs Canada is one of 20 Departments utilizing the GoC edition of the PeopleSoft Human Resources Management System. The GoC PeopleSoft cluster group decided to leverage the maximum amount of the commercial edition of the PeopleSoft Human Resources Management System into the GoC edition. As such, customizations of the product are limited to the extent possible. The following modules are currently in use at Indian and Northern Affairs Canada:

This report examines the privacy-related impact of the Government of Canada Human Resources Management System in use at Indian and Northern Affairs, and proposes appropriate mitigation strategies for the identified privacy risks.

In conducting interviews and reviewing the documentation provided for the purposes of this Privacy Impact Assessment, it became apparent that INAC Human Resources Management system officials wish to incorporate privacy as a core element of the system's design.

Indian Registration System / Certificate of Indian Status (IRS-CIS)

This report contains a Privacy Impact Assessment (PIA) for the Indian Registration System / Certificate of Indian Status (IRS/CIS) Project. The purpose of this PIA is to provide recommendations on measures to mitigate any privacy issues or risks that may be identified with the IRS/CIS Project.

The Indian Act Indian Act sets out the criteria a person must meet in order to be registered as an Indian and identifies the Registrar as the Indian and Northern Affairs Canada (INAC) officer responsible for maintaining the Indian Register. The Indian Act, section 87, confers certain rights and privileges to status Indians living on reserve. The rights apply to benefits such as tax exemptions for goods purchased on, or delivered to, reserves, and to health care taxes.

The Registrar is responsible for determining who is entitled to be registered as an Indian and to enter the names into the Indian Register. As a result, all persons seeking to be registered must apply to the Registrar in Ottawa. Once an applicant has been registered, however, all subsequent administration of their record (including births to registered parent[s]) is normally delegated to First Nation-employed Indian Registry Administrators (IRAs).

INAC provides Registered Indians with a card certifying their registration as an Indian. The Certificate of Indian Status (CIS), commonly referred to as a Status Card or Treaty Card, is issued both by INAC (HQ/Regions) and by IRAs after the Registrar has determined that an individual is entitled to have Indian status.

The Indian Register is currently contained within the Indian Registration System (IRS), a legacy database that is over ten years old. Very few of the several hundred IRA offices have remote access to the system and the capability to input data. The present dial-up method of connecting First Nation offices is cumbersome and costly.

Currently most IRAs manually record life events, such as marriage, batch them and send the information to INAC Regional Offices. Regions are responsible for training and monitoring the work of IRAs and for entering data from the batched forms into the IRS.

The Business Case for IRS/CIS describes the need for a re-engineered system and a new and secure CIS. The risk is that the IRS - a mission-critical system - will begin to experience significant downtime and higher maintenance costs if it is not re-engineered.

Among the deliverables, the IRS/CIS Project seeks to accomplish the following by March 2005:

The original project proposal for the CIS included an integrated circuit on the front of the card as a security measure. For both business and privacy reasons, a computer chip on the card and the machine-readable zone were eliminated from the IRS/CIS proposal in Spring 2002. The card being used in the CIS pilot contains a digital photograph and a digital signature. In addition to the digital photo, the front of the card displays name, alias, registry number, sex and date of birth. On the back of the card, the digital signature is displayed, as well as the date of issuance and date for renewal of the card. The back of the card also has a magnetic strip that contains name, registry number and the serial number of the card.

Estates Reporting System (ERS)

The Privacy Act, the Treasury Board Secretariat (TBS) Privacy Impact Assessment Policy Guidelines, and Privacy and Data Protection Policy provide an information management régime for the protection of personal information used by the government. The Department of Indian and Northern Affairs Canada (INAC) as a government department is subject to the Privacy Act as well as TBS policies on PIAs and the Privacy and Data Protection Policy. The Estates Reporting System (ERS), which is a program created under the authority of the Minister granted in Section 42 and Section 43 of the Indian Act that uses personal information for administrative purposes, must comply with the departmental and TBS policies related to privacy and the electronic services to Canadians. To comply with the Privacy Act and the Treasury Board Policy, TBS has instituted a policy that departments and agencies conduct Privacy Impact Assessments for all new programs and services that raise privacy issues and involve the protection of personal information. For programs and services implemented prior to this policy, institutions must undertake assessments if they are substantially re-designing them or their delivery channels, or are transforming them for electronic service delivery.

A PIA refers to a comprehensive process for determining the effects of program and service delivery initiatives on individual privacy. The PIA process is a useful methodology to ensure that privacy is built in at the outset of any new program or service and to assure the public that their privacy is safeguarded.

The purpose of the new ERS Project is to modernize and replace the existing legacy system known as the Estate Reporting System, which consists of Estate-related information from deceased members of the aboriginal community in Canada. ERS is a 30-50 user system created to support Estate Officers in the administration of estates of Indians from the moment INAC is notified of the death of an individual until the Department closes the file. ERS is a web based application that is accessible only on INAC's internal network and available only to authorized INAC employees. ERS is not accessible from the Internet.

This report offers recommendations founded on the 10 Privacy Principles noted in the Treasury Board Secretariat's Privacy Impact Assessment Guidelines: A framework to Manage Privacy Risks which include:

First Nations Inuit Transfer Payment System (FNITP)

This Report is a Privacy Impact Assessment (PIA) for the First Nations & Inuit Transfer Payment (FNITP) System of Indian and Northern Affairs Canada (INAC). The objectives of this PIA are to determine if there are privacy risks associated with the FNITP System, and if so, to provide recommendations on the mitigation or elimination of the risks.

The scope of the PIA Report starts with the collection of personal information from Administering Organizations or from INAC regional offices (Individual Agreements) when an authorized user logs into the FNITP System on the Virtual Private Network (VPN).

Transfer payments are made to First Nations governments / Inuit communities and their Administering Organizations to enable the delivery of essential services to their respective community members in accordance with Treasury Board's Policy on Transfer Payments and INAC's internal accountability, performance reporting and evaluation requirements. Transfer payments are also available to specific individuals through Individual Agreements.

Overall INAC program and financial reporting requirements are respectively set out in the First Nations National Reporting Guide (FNNRG) and the Year End Reporting Handbook. INAC regional offices provide region-specific versions of FNNRGs to First Nations. Currently the collection of data for these reporting requirements is paper-based and enabled through the various regional offices, which are responsible for entering the data into various regional and national databases (expert systems).

The FNITP System is intended to apply technology in order to modernize business processes. Business transformation is necessary to effect a reduction in the reporting burden associated with the current management process for funding arrangements.

The major business components or modules of the FNITP System are:

Trust Fund Management System (TFMS)

The Trust Fund Management System (TFMS) is an application used to manage Indian Moneys in Trust. The responsibilities and authorities as outlined by the Indian Act allow the Minister to manage the Indian Moneys as a fiduciary (Statutory obligation of the Minister's fiduciary responsibilities to collect, receive and hold moneys for the use and benefit of Indians or bands and to manage and expend Indian Moneys in accordance with the Indian Act.) The TFMS is a sub-ledger of Oasis, the departmental financial system. The System maintains all the detailed financial information for trust accounts which arise from the Crown's fiduciary obligations towards First Nations. The system supports the Resolution and Individual Affairs Sector in fulfilling their responsibilities to safeguard over $1 billion in trust funds for First Nations and individuals.

This financial information is maintained within various types (classes) of accounts for the owners of the moneys being held. There are four classes of accounts within TFMS: Band Accounts; Individual Accounts; Indian Moneys Suspense Accounts; and Special Accounts. The easiest way to picture TFMS is to think of it like a banking system. It contains both financial and non-financial (account) information.

TFMS Account Information

The personal information collected and used by the TFMS may include contact information, financial information, financial institution information, and signature.

TFMS Financial Information

Refers to the financial transactions that are processed in TFMS against the accounts.

The project scope can be simply described as converting current business requirements into a new application. Effort will also be made to reduce work-around and 'Black Book systems' currently in place as a result of the inability of the system to fully support some current user requirements and finally, it will integrate, when applicable, new legislative requirements. The new system will not only save money from a support and maintenance perspective, the re-development will also result in a streamlining of existing business.

The application database tracks who has affected any information and the date it is modified. It records what the previous information was, what it was changed to and which 'End User' affected the change.

An audit file is kept which logs the user ID, date and time associated with each transaction completed in TFMS. The TFMS audit functionality does not permit tracking of users who simply view populated screens.

Real Time Identification System (RTID)

This Privacy Impact Assessment (PIA) analyses the potential privacy issues and risks associated with the Real Time Identification System (RTID) and establishes processes to avoid, control and/or mitigate these privacy issues and risks for Indian and Northern Affairs Canada (INAC).

All personal information collected is strictly related to security check and security clearance purposes for Indian and Northern Affairs Canada employees (including temporary and contractual employees). Personal information is necessary to perform reliability checks, security clearances and criminal records verifications. This is necessary to give the employee the access to the work area and the appropriate security clearance for the work to be performed.

RTID is the proposed solution to address challenges in the current fingerprint identification and criminal record system by re-engineering and automating current processes. Transforming the current paper-based infrastructure into a seamless paperless electronic system will allow INAC Security to do work in only hours and days that now takes weeks and months.

The electronic processes planned for RTID are primarily a re-engineering of existing services, meaning that the information sent by INAC Security will change only slightly. Therefore, the PIA focuses on two program elements: changes to the processes and/or systems that affect the physical or logical separation of personal information, and the security mechanisms used to manage and control access to personal information once received by the RTID.

When personal information is collected the department is required to complete a PIA, or a Preliminary Privacy Impact Assessment (PPIA), depending on the scope of the project and the information collected; to identify any privacy issues at the onset of the development cycle and can be reevaluated at any time. The purpose of the exercise is to ensure that the personal information which is being collected is used appropriately within the boundaries of the Privacy Act and that the privilege of collecting such information is not abused. The RTID will collect/use personal information and as such INAC has initiated a Privacy Impact Assessment accordingly.

The PIA methodology and approach outlined in the Treasury Board of Canada Secretariat' (TBS) Privacy Impact Assessment Guidelines document are used as the basis for the privacy assessment of the RTID.

In conducting interviews and reviewing the documentation provided for the PIA, it became apparent that departmental officials wish to incorporate privacy as a core element at the early design stage of the project. Mitigating the following privacy issues that have been identified will greatly contribute to designing a privacy-friendly RTID.

Nominal Roll System

The Indian and Northern Affairs Canada (INAC) department is responsible for two mandates, Indian and Inuit Affairs and Northern Development, which together support Canada's Aboriginal and northern peoples in the pursuit of healthy and sustainable communities and broader economic and social development objectives. INAC produces a wide range of reports and publications related to its mandate and responsibilities.The Nominal Roll System (NRS) is one specific report used for co-ordination of programs relevant to the education of First Nations and Inuit students.

The Nominal Roll System currently gathers data elements used to track students and their eligibility for funding. It also tracks the number of high-cost special First Nation education students that live on reserve, the schools they attend (provincial, band-operated, private, federal) and their community. The Nominal Roll application will be modified to include the following fields which are:

The system is used by INAC's Headquarters and Regions employees, who need the information either to enter data or perform reports. When a record is entered, modified or deleted, the system tracks the name of the user, date and time. The system will not be used by external clients.

PrivaSoft Access Pro Case Management and Redaction

This report contains a Privacy Impact Assessment (PIA) for the AccessPro Case Management (APCM) and AccessPro Redaction systems (APR). The purpose of this PIA is to provide recommendations on measures to mitigate any privacy issues or risks that may be identified with the Access to Information and Privacy (ATIP) APCM-APR project.

The Access to Information Act provides any Canadian citizen, permanent resident or corporation present in Canada the right to examine or obtain copies of records of a federal government institution. This information is subject to limited and specific exceptions (exemptions and exclusions ).

The Privacy Act provides any Canadian citizen or permanent resident in Canada with a right to request access to, correct or attach a correction request to his/her personal information that is under the control of a federal government institution. The information is subject to limited and specific exceptions (exemptions and exclusions ).

The ATIP Division for Indian and Northern Affairs Canada (INAC) administers both acts and ensures the Institution's compliance with the legislation.

The Act imposes a 30-calendar day deadline to respond to requests. As a result, the department has approximately 20 working days to process a request, i.e. provide information or inform the requester the information is not accessible as it qualifies for exemption under provisions of the Act. In most cases, the Office of Primary Interest (OPI) must provide the ATIP Coordinator all relevant records that respond to a request within seven days of receipt of a retrieval notice, in order to accommodate timelines for Senior Management sign-off prior to submission to the ATIP Division at Headquarters. Due to the deadlines imposed by the Access to Information Act, ATIP requests are considered high priority; therefore, immediate action must be taken.

The Corporate Secretariat has created a Privacy Policy Division, which is under the umbrella of ATIP, to enhance the management and coordination of privacy issues across the Corporate Secretariat. The Privacy Policy Division does not collect personal information but some documents might contain personal information. It creates a formal structure to improve our personal information management, develop better privacy practices and tools, monitor privacy practices and issues, resolve or mitigate identified privacy risks, and provide accountability and consistency. The benefits for INAC are to ensure better privacy practices, increase accountability along with mitigating privacy breaches, and increase compliance with Treasury Board policies such as the Privacy Impact Assessment, Info Source and Information Sharing Agreement between institutions and internal programs.

The Privacy Policy Division is also responsible for the ongoing maintenance of the ATIP Division's internal and external websites. The internal (Intranet) website assists INAC employees in understanding ATIP legislative and policy issues and provides advice and guidance on processing ATIP requests. The INAC external (Internet) website provides information to the Public and their description of their right under both Acts. The result of the Privacy Impact Assessment is also available on the INAC - ATIP website.

The ATIP Division also provides and manages distribution of promotional messages, workshop presentations, training courses, and awareness sessions to increase the knowledge and understanding of ATIP across the Department.

Government organizations are facing an exponential increase in the demand for their information. The Access to Information Actand Privacy Act regulations (ATIP) demand fast capture, retrieval and sharing of information, and many institutions are implementing electronic imaging and document management technology to manage their information more efficiently.

The Access Pro Case Management (APCM) system from Privasoft Corporation is an automated case management solution that gives institutions a flexible and easy-to-use system for managing requests for information and project details while demonstrating accountability and maintaining employee productivity in a secure environment.

The Access Pro Redaction (APR) is imaging software that is designed specifically for information disclosure which provides severing tools in the electronic redaction process.

The personal information is collected under the authority of the Act.

The APCM will capture the requester's personal information such as first name, last name, source (Academia, Business, Consultant, Other Department, Other Government, Political Party, Lawyer, Media, Organization or Public), home address, telephone number and email address. Requests made under both acts may include other personal information. The APR will capture requested documents made under the Access to Information Act and Privacy Act, in order to respond to the requester. The ATIP Advisor will review and apply the exemptions and exclusions as per both Acts. The system which contains Privacy Policy documents such as Memorandum of Understanding, Preliminary Privacy Impact Assessment, Privacy Impact Assessment, Business Case, Legal Opinion, and Statement of Sensitivity. All documents saved in the APR system database are Protected B and below as per the designated classification. The system has an audit trail that records the user's actions, and all system users have secret level security clearance. The personal information will be kept for a period of two years and will then be destroyed.

First Nations and Inuit Transfer Payment System (FNITP) - Guaranteed Loan Management System (GLMS)

This is a Privacy Impact Assessment (PIA) Update Report for the First Nations & Inuit Transfer Payment (FNITP) System of Indian and Northern Affairs Canada (INAC) for the inclusion of the Guaranteed Loan Management System (GLMS) in the FNITP System. The objectives of this PIA Update Report are to determine if there are privacy risks associated with the GLMS inclusion, and if so, to provide recommendations on the mitigation or elimination of the risks.

The scope of the PIA Update Report is the GLMS within the FNITP System. This Update Report adds to the FNITP PIA Report Version 6 dated December 2005. INAC has responded to the Office of the Privacy Commissioner (OPC) in a letter dated August 8, 2008 on how the recommendations (including additional recommendations made by the OPC) in the PIA Report will or have been implemented.

Historically, First Nations (FN) have had difficulty securing loans for housing. Lenders do not have the same rights for forfeiture for properties on Indian Land as they do for non-Indian properties (the Indian Act protects Indian property from being seized by Non-Indians). INAC currently has an authority of $1.7 billion with which to provide lenders with MLGs.

INAC undertakes the guaranteeing of loans to lenders for both First Nations and First Nation Members for the purpose of home acquisition, new home construction or home renovations on Indian Lands. These guarantees are made through an MLG Authority and are made in accordance with Treasury Board's Policy on Loans and INAC's internal accountability, performance reporting and evaluation requirements.

The GLMS project will provide an integrated corporate system within the FNITP System that will provide the capability to manage both the program (Housing and Economical Development) and financial components that make up the MLG Business Process.

Arrival and SendSuite Systems/ Logiciel Arrival XE Extended Edition

Arrival XE Extended Edition is the internal tracking and delivery management system from Pitney Bowes that performs application tracking functionality to manage the C3 Application workload.

The Arrival System automates the tracking of mail and packages after they reach the Winnipeg processing centre. Arrival also simplifies delivery logging, reporting and prioritization for mail-center staff, and it gives a variety of options for checking delivery status and location.

The SendSuite system enables the Call Centre to view application processing history and status to support McIvor-related enquiries.

National Litigation Inventory and Reporting System

The National Litigation Inventory Reporting System (NLIRS) project was initiated to establish a single integrated system for tracking and reporting on INAC's inventory of litigation cases. The system is to be based on a commercial off-the-shelf (COTS) product with full case management support. It will replace a variety of existing tools and databases used by teams and individuals in the branch.

The introduction of a new system will include the move to standardized processes for case management and information management across the branch. Litigation Management and Resolution Branch (LMRB) management will be able to substantially reduce risks related to case and information management by harmonizing its processes, consolidating its information and eliminating the wide array of current tracking tools.

Indian Lands Registry System

The Indian Lands Registry System publishes personal information necessary to confirm the rights of a First Nation individual to a parcel or parcels of Reserve land. The Government, under several pieces of legislation, is obligated to provide such a registry.

The Indian Lands Registry Upgrade Project (ILRUP) is a re-development of the existing Indian Lands Registry system. The first and primary objective of ILRUP is a technical infrastructure replacement of the existing land registries. This will involve "recoding" the current land registry system.

Second, the project provides all registry clients with access to electronic maps using Geographic Information System (GIS) technology. The project provides a Secured user web application for authorized users to enter and update information in the Land Registries. As well, the project will provide a public site for read-only users.

Executive summaries of all Preliminary Privacy Impact Assessments

Secure Certificate of Indian Status (SCIS)

This report contains a Preliminary Privacy Impact Assessment (PPIA) for the Indian Secure Certificate of Indian Status (SCIS) project. The purpose of this PPIA is to provide recommendations to mitigate any privacy issues or risks that may be identified with the SCIS project. A Privacy Impact Assessment (PIA) was conducted in November 2002 on Indian Registry System / Secure Certificate of Indian Status (IRS/SCIS). This PPIA will update the information evaluated during the initial PIA.

The Indian Act sets out the criteria that a person must meet in order to be registered as an Indian and identifies the Registrar as the Indian and Northern Affairs Canada (INAC) officer responsible for maintaining the Indian Register. The Indian Act, section 87, confers certain rights and privileges to status Indians living on reserve. The rights apply to benefits such as tax exemptions for goods purchased on, or delivered to reserves and to health care benefits.

The Registrar is responsible for determining who is entitled to be registered as an Indian and to enter the names into the Indian Register. As a result, all persons seeking to be registered must apply to the Registrar in Ottawa. Once an applicant has been registered, however, all subsequent administration of their record (including births to registered parent[s]) is normally delegated to the regions or First Nations employed Indian Registry Administrators (IRAs).

After the Registrar has determined that an individual is registered as an Indian the individual may apply for the Secure Certificate of Indian Status (SCIS), commonly referred to as a Status Card or Treaty Card. The application is processed and distributed both by INAC, districts offices and by Indian Registry Systems (IRSs). The SCIS is issued by one centralized National Print Center.

A stand alone system, known as the Mobile Application Centre (MAC), will provide the capability to process SCIS applications at major events such as Treaty days or Powwows (First Nations cultural events), or for First Nation communities without Indian Registration Administrator (IRA) functions. There are approximately 120,000 life events (births, marriages, etc.) entered annually into the IRS/SCIS.

The corporate policy at INAC specifies that system events are logged on all servers and all logs are backed up on a daily basis, as part of the regular backup strategy.

1-800 Activate and Validate Lines

The telephone "activation" product is where individuals who have had their card mailed to them will use a 1-800 number to call in to in order to activate their card. Security features are being employed and include the requirement for the individual to enter in to the 1-800 line, the card's serial number and activation code that was provided by the applicant at time of application processing. These requirements for activation assist to ensure that only the correct individual is activating the SCIS.

A telephone "validation" product will provide a 1-800 number where service providers will be able to call and enter via a touch tone keypad a SCIS's serial number, cardholder's registry number and obtain information as to whether the SCIS is valid or not. Service providers can check a card's validity by verifying the serial number with registry number against a secure database of valid card serial numbers and registry numbers. The service will indicate whether the IRS has the noted SCIS as either 1) valid or 2) invalid. If the SCIS is noted as invalid, the service provider should not accept the card and the cardholder should be told to contact his/her local Indian Registration Administrator or nearest INAC office.

There is a possibility that SCIS may be used to cross the Canada-United states of America border, therefore validating the individual's identity to Homeland Security. The data that Homeland Security - via the Canadian Border Services Agency (CBSA) - will receive is the First Name, Surname, Date of Birth (DOB), Gender, Issuing Country, Document Serial Number, Renewal Date and Photo.

CBSA guidelines require its officers to accept the SCIS as evidence of entitlement. The new SCIS, as proposed, will afford status Indians greater ease of border transit into Canada in the future, in particular because CBSA regards the new design for the SCIS as meeting current document integrity standards.

A direct link from INAC's IRS database to CBSA systems could be developed. This process will provide CBSA with the necessary data to support electronic validation of the SCIS at time of border crossing using the Machine Readable Zone.

Canadian Security Intelligence Services (CSIS) Government Screening Requests (GSR)

Security screenings are required for new employees, as well as upgrades and updates of the security levels of current employees.

Security screening requests to obtain either Confidential, Secret, or Top Secret security clearance levels are currently completed by using hard copy forms between Indian and Northern Affairs Canada (INAC) and Canadian Security Intelligence Services (CSIS).CSIS has requested that INAC begin to use the electronic data collection and transmitting by means of their Government Screening Requests (GSR) software. This request was made in an effort to decrease the back log at CSIS and in turn improve the response time for security screening requests.

CSIS GSR is a Microsoft Access 97 database used to compile personal information for the purpose of security screening requests into an electronic format. The data may then be transmitted electronically to CSIS for processing.

The data being captured and entered into GSR is some of the information being supplied on paper when the client completes the Government of Canada Security Screening form which is also kept on the client's personal screening file. All the information being collected on the form is collected directly from the individual. This form includes a privacy statement; which advises the individual at the point of collection of the purpose, uses, disclosure and retention of his/her personal information.

The personal information being collected on the form, which remains on the individual's security screening file, is any information related to administrative, biographical, security screening, marital status/common-law partnership, immediate relatives, criminal convictions in and outside of Canada, information related to persons born outside Canada or born in Canada holding dual citizenship, previous residence, employment, foreign employment, travel, foreign assets, character references in Canada, education, military service and certification.

The personal information being entered in the CSIS GSR system may include the full names, surname at birth, date of birth, sex, place of birth, country of birth, relation, deceased, address, dates residing at the address, telephone number, employer information, aliases, information, clearance level, country of citizenship, criminal record name check and department position number. The information will be used by the INAC Corporate Security Staff for security screening purposes. The information is very sensitive and access is very limited. Only four employees of the INAC Corporate Security will have access to the information. Two of those employees have Secret security level and two have Top Secret security level.

The personal information is being collected under the authority of subsection 7(1) of the Financial Administration Act and the Government Security Policy and is being protected by the provision of the Privacy Act. Personal information can be modified at the request of the client when errors are found or changes are necessary by going to the security office.

There is no audit trail to identify access and modifications to the information. The hard copy files are kept for a period of two years once they are declared "Struck Off Strength" (SOS or gone) and the electronic files are kept for a period of 5 years. The hard copy files are then sent to Records Office to be destroyed and the electronic files are then deleted from the system.

Royalty Management System (RMS)

The Royalty Management System (RMS) to be developed is an automated system that will serve to facilitate royalty administration, assessment, and audit, ensuring royalty accountability and royalty assurance. Fulfilling these tasks will require: administration, receipt, and processing of prescribed forms from oil and gas companies; audit and assessment of the complex royalty submissions; recording of the receipt of royalty payments, and any associated penalties and interest; reporting to provide analytical and fiscal policy information. The system is intended to support the Oil and Gas Management Directorate (OGMD) in fulfilling its obligations related to the royalty regime under the Canada Petroleum Resources Act (CPRA).

The RMS database contains a minimal amount of personal information in the forms it receives. The name of the contact, the name of the individual certifying the report, as well as their position title, e-mail address, telephone number, company name and address are provided to Indian and Northern Affairs Canada (INAC) and entered into the system by the royalties' officer. Access to the RMS will be controlled by the Corporate Applications Security Controller (CASC), a login server which administers, manages, and ensures security of user accounts. A login account for all users will be created and entered into the CASC along with the individual's name and business e-mail address. The system will track the user login and failed login attempts, as well stamp every database insertion, update, or deletion with a date, time and user ID.

The system allows users to upload copies of National Energy Board approval documents, which do not contain personal information. Although the information gathered for access rights, contact and certification purposes is not considered to be sensitive personal information, it is still personal information and should be protected appropriately.

A Preliminary Privacy Impact Assessment (PPIA) for the new system is being completed to identify the type of personal information being collected and used, and to determine if the new system introduces any new privacy risks.

A full Privacy Impact Assessment (PIA) is not considered to be necessary because of a number of factors. The RMS does not provide any new programs or services, or collect any new information, or change who has access to the information. In addition, the amount of personal information managed by RMS is very minimal, the personal information is not sensitive and the access to this information is also very limited.

Building Access Control Visitor Registration System (BACVRS)

The key function of the new Web Intranet application is to provide departmental employees with an easy method of alerting the commissionaires in the lobby that they will be expecting visitor(s). Upon the receipt of the request from the sponsor, the commissionaire will then grant access and allow the visitor access to the building to attend a meeting.

The personal information is being collected directly from individual and will be disclosed to the commissionaires at the reception under the authority of the Government Security Policy (GSP). The individual who will request and be granted access to the building for non-governmental purposes will complete a separate visitors' log. This log will include a privacy statement which will advise the individual at the point of collection of the purpose, uses, disclosure and retention of their personal information. This log is attached to this Preliminary Privacy Impact Assessment (PPIA) as Appendix C.

The personal information being collected, involved with the program or service initiative and managed by the Building Access Control Visitor Registration System is visitor's name, first name, department or company, sponsor name, sponsor telephone number, room number, valid on, and posted by. The information will be retained in the Security office for one year and will then be destroyed by the Records Office.

The personal information collected will be used to announce visitor(s) for a meeting and will be used by the commissionaires and Indian and Northern Affairs Canada (INAC) employees at reception desk.

No audit trail to identify access to the information.

Public Service Resourcing System (PSRS)

On behalf of Parliament, the Public Service Commission safeguards the integrity of staffing and the non-partisan nature of the public service. In this respect, the PSC works closely with government but is independent from ministerial direction and is accountable to Parliament. The PSC's mandate is threefold.

First, the PSC is mandated to appoint, or provide for the appointment of, persons to or from within the public service. The PSC provides staffing and assessment functions and services to support staffing in the public service.

Second, the PSC is mandated to oversee the integrity of the staffing system and ensure non-partisanship. This oversight role includes maintaining and interpreting data on the public service, carrying out audits that provide assurance and make recommendations for improvements and conducting investigations that can lead to corrective action in the case of errors or problems.

Third, the PSC is mandated to administer provisions of the Public Service Employment Act (PSEA) related to the political activities of employees and deputy heads.

The Public Service Resourcing System (PSRS) is an on-line application and screening process that introduced, on a pilot basis, by the Public Service Commission (PSC) in selected regions, for specified job categories. The primary purpose of PSRS is to improve the process of recruiting outside of the Public Service. The PSRS allows hiring agents to create customized job applications and advertisements for positions that need to be filled. The Canadian public can, in turn, view and apply for these postings and the system will use its automated screening functionality to provide departmental hiring managers with a filtered set of referrals.

The PSRS is authorized to use personal information in accordance with section 9, 11(a), 29(1) of the Public Service Employment Actto provide for the maintenance of inventories of candidates who have applied for employment to the Public Service of Canada. The personal information is collected directly from the individual by the PSR system. The individual will need to open an account to have access to the system. In this account, the applicant must provide personal and contact information necessary to identify the applicant and their area of residence and work. If the applicant wants to apply to a job advertisement or use the system's automated search, the applicant will have to fill out the account profile with his personal information. All the information the user will enter in the system will be used and disclosed by Indian and Northern Affairs Canada to determine his suitability for employment and for statistical purposes.

The personal information that are being collected are: name, Personal Record Identified number (PRI), partial birth date, citizenship, home address, telephone number, education information and employment information such as a résumé and information about employment.

The personal information within PSR system may be used by the Investigations Branch of PSC in order to conduct investigations on inappropriate staffing practices, or the Audit Branch of PSC conduct of staffing-related audits. While PSC derives its authority to conduct investigations and audits from the Public Service Employment Act, INAC's authority to collect such personal information indirectly and non-consensually is documented in the Standard Personal Information Bank Applications for Employment, INA PSU 911. Prior their application, the applicant is required to provide a declaration confirming that the information provided is true and complete. The declaration also contains a privacy statement that notices the applicant of PSC's and INAC's authority to collect and use personal information. The applicant and/or candidate must confirm before starting any applications on PSRS that they have read and understood the content of the Notice to Applicants and the Privacy Notice Statement. The INAC SuperUser's security clearance level is Reliability.

For the personal information concerning retention period, mechanisms to comply with these retention and disposal rules, according to the Standard Personal Information Bank INA PSU 911, records will be retained for two (2) years following the expiry of the eligibility list for a staffing action or for two (2) years after the last administration action, whichever is later.

Date modified: