Privacy impact assessment: Access card reader system, FCAC’s Ottawa office

Privacy Impact Assessments (PIA) help to ensure sound management and decision making as well as careful consideration of privacy risks with respect to the creation, collection and handling of personal information as part of government programs or activities.

This PIA has been developed with regard to the Access Card Reader System used at FCAC’s Ottawa office.

This includes input from HR, IT and ATIP teams within FCAC, and provides evidence that FCAC has considered and addressed privacy concerns.

Completion of the sections below with the information requested fulfills the minimum content requirements of the core PIA.

Section I–Overview and PIA Initiation

  1. Financial Consumer Agency of Canada
  2. Judith Robertson, Commissioner – head of institution
  3. Werner Liedtke, Assistant Commissioner, Corporate Services – senior executive for the new or substantially modified activity
  4. Access Card Reader System
    • The Access Card Reader System is used to implement physical security in our workplace. The system provides credentials for employees and contractors and allows them to unlock specific doors to gain entry to the workplace.
  5. Legal authority for the program or activity
    • Section 11 of the FCAC Act
  6. Identification of whether the proposal is related to a PIB. Existing PIBs are to be identified by their title, registration number and bank number
  7. Short description of the project, initiative or change
    • Although a similar system previously existed, this is a new software suite, and it has more functionality such as providing mobile credentials (e.g., 2-factor authentication) and accurate, real-time reporting. The system allows FCAC security to dictate what specific employees have access to in our physical space.

Section II–Risk Area Identification and Categorization

The core PIA must include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are to be maintained as the basis for risk analysis.

The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.

The initial step of the analysis consists of evaluating each risk area independently. The second step consists of grouping the individual results to determine if a more in-depth analysis is required. The greater the number of risk areas identified as level 3 or 4, the more likely it is that specific risk areas will need to be addressed in a more comprehensive manner.

a) Type of program or activity

Administration of program or activity and services

Level of risk to privacy: 2

b) Type of personal information involved and context

Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.

Level of risk to privacy: 1

c) Program or activity partners and private sector involvement

Within the institution (among one or more programs within the same institution)

Level of risk to privacy: 1

d) Duration of the program or activity

Long-term program or activity

Level of risk to privacy: 3

e) Program population

The program's use of personal information for internal administrative purposes affects all employees.

Level of risk to privacy: 2

f) Technology and privacy

Specific technological issues and privacy

A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

g) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

Low / Medium / High – This initiative deals with the collection of access entry information – who tapped their access card (what info is transferred?) and when.

i) Potential risk that in the event of a privacy breach, there will be an impact on the institution.

Low / Medium / High – FCAC has been transparent about the initiative and its purpose.

For items h) and i), guidance was obtained from the ATIP Privacy Breach Risk Impact Instrument

As a result of a LOW risk profile (per responses above), a core PIA can be completed – responses to required information are listed below.

Section III–Analysis of Personal Information Elements for the Program or Activity

  1. Identify each element of personal information collected (for example: 1) name, 2) address).
    • First Name, Last name
    • Card identification number
    • Phone number
  2. Identify sub-elements associated with each element of personal information collected:
    1. NA
  3. Identify how the personal information will be recorded:
    • electronically

Section IV–Flow of Personal Information for the Program or Activity

  1. Identify the source(s) of the personal information collected and / or how the personal information will be created.
    • Administrative Services team will create a mobile credential account for each FCAC employee which will include the employee’s name, phone number and their card identification number (not their PRI).
  2. Identify both internal and external sources for the personal information's use and disclosure, that is, identify the areas, groups and individuals who have access to or handle the personal information and to whom it is provided or disclosed.
    • Use – the collected information will only be accessed as necessary (for security or health and safety reasons) and used by sources internal to FCAC
      • Administrative Services Team (Security and Health and Safety team members)
    • Disclosure
      • Internal
        1. Potentially HR
      • External – there is unlikely to be any requirements to report externally; if reporting to the following groups is required, the information provided would be at the Agency/aggregate level.
        1. Central Agencies (e.g., PSPC; TBS)
  3. Identify where the personal information will transit and will be stored or retained.
    • No information will transit outside FCAC.
  4. Identify where areas, groups and individuals can access the personal information.
    • Individual employees will be able to access their own personal information via Privacy request to the FCAC ATIP Coordinator.
    • FCAC IT Network Administrators will be able to access the personal information, by virtue of the fact they administer the network; but they will be advised not to access the information.
    • FCAC IM Division staff will be able to access the personal information, by virtue of the fact they can access all Agency documents on the network; but they will be advised not to access the information.
    • FCAC Administrative Services Division team members with access to the Access Card Reader System will be able to see the original information (employee name, phone number and card identification number) as well as the entry information (who tapped their access card on the reader and when).

Section V–Privacy Compliance Analysis

At a minimum, the privacy compliance analysis must cover the following areas and identify specific compliance actions taken or to be taken to meet with each area's requirements:

  1. Collection authority (section 4 of the Privacy Act)
    • FCAC is collecting personal information directly related to Section 11 of the FCAC Act.
  2. Direct collection, notification and consent, as appropriate (section 5 of the Privacy Act)
    • FCAC will be collecting personal information that is intended to be used for administrative purposes (related to security and health and safety).
  3. Retention (section 6 of the Privacy Act)
    • Personal information that has been used by FCAC for an administrative purpose shall be retained by FCAC for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.
    • FCAC shall dispose of personal information under its control in accordance with the regulations and in accordance with any directives or guidelines issued by the deputy head in relation to the disposal of that information.
  4. Accuracy (section 6(2) of the Privacy Act)
    • FCAC shall take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date and complete as possible.
  5. Use (section 7 of the Privacy Act)
    • The personal information under the control of FCAC will only be used for the purpose for which the information was obtained or for a use consistent with that purpose.
  6. Disclosure (section 8 of the Privacy Act)
    • Personal information under the control of FCAC shall not, without the consent of the individual to whom it relates, be disclosed by FCAC with the exception of reasons listed in Section 8(2) of the Privacy Act.
    • It is anticipated that there may be reporting requirements to Treasury Board Secretariat or Other Government Departments (OGD), but reporting is expected to be done at an aggregate level (i.e., not revealing any personal information).
  7. Administrative, physical and technical safeguards
    • Only the Administrative Services team members who have access to the Access Card Reader System will have access to the personal information on a detailed basis.
    • IT is ensuring that the IT network is Protected B and that access is limited to only those who require it for administrative purposes.
    • IT and IM staff will be advised against accessing any related personal information.
  8. Technology and privacy issues
    • Indicate any changes to the business requirements that have an impact on the system, software or program application and, consequently, may affect the current access controls and privacy practices related to the creation, collection, retention, use, disclosure and disposition of personal information.
      • The Access Card Reader System is being used to provide FCAC employees with access into FCAC’s workspace; IT will ensure safeguards to protect access controls and privacy practices related to the creation, collection, retention, use, disclosure and disposition of personal information.
    • Determine whether the current IT legacy systems and services that will be retained or those that will be substantially modified are compliant with privacy requirements.
      • N/A
    • Identify any awareness activities related to protection of privacy requirements in the new electronic environment.
      • N/A

Section VI–Summary of Analysis and Recommendations

Document the conclusion drawn or recommendations resulting from the risk identification and categorization in a manner that is commensurate with the risk identified.

  1. This is a low-risk requirement based on the analysis/info listed above. Privacy concerns have been considered and addressed in the initiative's architecture.

Section VII–Supplementary Documents List

List any additional documents that were used or are related to the core PIA; these documents do not need to be appended to the core PIA.

  1. FCAC Act
  2. Privacy Act
  3. ATIP Privacy Breach Risk Impact Instrument
  4. Guidelines for Privacy Breaches
  5. Standard personal information banks

Section VIII–Formal Approval

The signature below indicates that this PIA has been formally approved in accordance with the FCAC's approval process.

Werner Liedtke, AC, Corporate Services

Date
