Retail Payment Activities Act
Executive summary
Introduction
A privacy impact assessment has been conducted on the activities that are within the scope of the Department of Finance Canada’s (Department) operationalization of the Retail Payment Activities Act (the Act). A privacy impact assessment is required to support legislative compliance, identify the impacts of the operationalization on individuals’ privacy, assess potential privacy risks, identify opportunities to incorporate best practices, and provide recommendations on mitigating measures to minimize impacts.
Proposal Description
Under the Act, payment service providers that perform retail payment activities in Canada must apply to register with the Bank of Canada (the Bank). The Bank reviews registration applications for completeness and maintains a public registry of regulated payment service providers. The Minister of Finance (the Minister) has authorities to address risks related to national security posed by payment service providers, including to issue a directive to the Bank to refuse to register an applicant. The Department may, on behalf of the Minister, review a registration application for reasons related to national security and advise the Minister on the use of ministerial authorities in the Act. The Department coordinates with security and intelligence partners (Partners) who identify and assess national security threats to support the Department’s advice to the Minister.
The Bank must share registration information that it collects from payment service providers with the Minister, who will then consult with the Partners. The information collected by the Bank under the Act contains personal identifying information and includes properties such as a payment service provider’s business model, operations, and funds safeguarding practice. Information is collected from applicants within the Bank’s web-based application portal, PSP Connect. This information is shared with the Department using an application programming interface that enables data exchange between two software systems. The information is routed by an automated process to the Department’s Retail Payments Application Review System (the Review System). The Review System was developed using a secure cloud-based computing platform with built-in security controls and threat intelligence, and the information stored in it is designated as Protected B.
Collection, Use, and Disclosure of Personal Information
The Act requires the collection of personal information relating to the payment service provider itself (if it is an individual and not an entity), and a payment service provider’s directors, senior management, certain creditors, agents and mandataries, affiliated entities, and controlling persons or entities. This personal information consists of legal name, date of birth, contact information, country of residence and citizenship.
Personal information is collected directly from applicants within PSP Connect, which is accessible from the Bank’s website. PSP Connect was created by the Bank to facilitate the required collection of PSP registration information, and payment service providers are notified of the terms of use and privacy statement that outline how the information will be collected, used, and disclosed. The applicants must consent to the terms of use and privacy statement to complete the registration application.
The Partners will access and use the registration information, including personal information, in the Review System to support the Minister’s national security responsibilities under the Act in accordance with their respective mandates.
As part of its due diligence activities with regard to privacy and protection of personal information, the Department is responsible for ensuring that information it receives is utilized only for the intended purpose and disclosed only as permitted by the Act. This includes ensuring processes and systems have been designed and implemented with the appropriate controls.
Summary of Analysis and Recommendations
The privacy impact assessment analyzed the personal information that will be collected and used by the Department pursuant to the Act, as well as related processes, to identify potential impacts to individuals’ privacy. The sensitive nature of the personal information that will be collected and the financial and reputational harm that would result from a privacy breach involving this information increase the risk severity.
The privacy impact assessment identified risks related to the Department’s activities and recommended mitigation activities that the Department is implementing to ensure that personal information is securely collected, used and retained in conjunction with applicable laws, regulations and policies. Certain risks will be monitored on an ongoing basis to ensure that the controls implemented further to the recommendations are functioning as intended and in line with the Department’s risk appetite.