Privacy Impact Assessment Summary: Deployment of GCMS and TEMPO

Legal Authority

According to the Canadian Passport Order (as amended, July 2, 2013), IRCC, ESDC, and GAC are authorized to collect, use, and disclose information for the purpose of supporting the program, including but not limited to:

1. Under Section 3, the Minister of Citizenship and Immigration is able to issue passports according to his or her preferred format.
2. In section 6, the Minister has the authority to require the submission of a passport application.
3. According to subsection 13(1), the Minister may authorize the Minister of Foreign Affairs to handle passport applications made abroad in accordance with subsection 12(1).
4. In Section 12, the Minister may authorize the Minister of Human Resources and Skills Development to exercise a variety of administrative powers, as specified in subsections 12(a) to 12(m).

Description of the program/activity

IRCC’s current passport issuance system provides basic case management functionality but lacks robust, modern business intelligence capabilities. An independent diagnostic was conducted as a result of the need to modernize the way the Passport Program conducts its business to support service improvement. The assessment concluded that GCMS was the most effective platform and value for passport systems renewal.

The Global Case Management System (GCMS) is an integrated, web-based system used for processing applications for immigration, citizenship and passport services. It contains personal information of clients who have applied for such services.

GCMS facilitates the sharing of personal information between the IRCC, the Canada Border Services Agency (CBSA), the Canadian Security Intelligence Service (CSIS), GAC, the Royal Canadian Mounted Police (RCMP), the Department of Justice (DOJ), Correctional Service Canada (CSC), and the Immigration, and Refugee Board (IRB) through Memoranda of Understanding (MOUs.)

This PIA represents the 3rd iteration of the Passport Program. It assesses the deployment of GCMS and the new front-end application intake tool called TEMPO (Tactical, Efficient, Modern, Passport, Optimal), which has been developed to support passport application intake while not granting user access to GCMS. Through TEMPO, officers across Canada can validate passport applicants' information at the counter, examine applications for completeness, scan accompanying documents, and transfer the information electronically into GCMS.

Personal Information Banks

IRCC PPU 081 – Regular and Official Passports
IRCC PPU 082 – Security and Intelligence Case Management

Summary of Risks and Mitigation Strategies

This PIA addresses the following four residual risks stemming from the previous PIA (2017) and offers mitigation strategies.

Risk 1
There is a need to make minor updates to the MOUs with ESDC, DOJ and CSIS, which was identified as low risk.

Risk 2
The Passport Program’s investigative body designation in the Privacy Regulations requires an update to properly reflect the units/divisions with the department that replaced the Security Bureau of Passport Canada. Once the Privacy Regulations are in place, this risk is removed.

Risk 3
There is a need to monitor GCMS user’s accessibility of passport records in GCMS, as well as other records (immigration and citizenship). In the 2017 PIA, this risk was considered high, but is now medium due to several mitigation measures that have been put in place.

Risk 4
The privacy awareness presentation which advises users of system monitoring, as well as appropriate and inappropriate access to personal information, is not being delivered in an effective manner, thus, there is a risk that some users will never view the presentation. To mitigate this risk, an online training module which is mandatory has been identified.
This PIA presents new risks regarding TEMPO.

The following two new privacy risk were identified.

Risk 1
There is a need to monitor user access to the TEMPO feature that pushes GCMS data to the intake tool. Specifically, when a renewal application is processed in TEMPO, the Passport Number Validation feature queries the Central Index of the GCMS (CI/GCMS) and displays expired passport details. Through that feature, Service Canada Centres (SCCs) can check if a passport is valid. As a result of granting SCCs TEMPO access, GCMS no longer needs to be provided direct access to the SCC network. Although this passport validation feature is useful in the renewal application workflow, it must be monitored to identify any 'fishing expeditions'.

Mitigation strategy
For the passport validation feature in TEMPO to be utilized effectively, it is recommended that monitoring software be implemented as soon as possible. As part of the overall GCMS monitoring solution, IRCC may consider integrating the Passport Number (PN) and Stock Control Number (SCN) validation features of TEMPO. It is unknown if the upcoming monitoring solution can perform TEMPO monitoring features, in addition to GCMS. However, if it can, adding TEMPO to that scope should be considered. Without an integrated monitoring solution, the potential future use of TEMPO by GAC would exacerbate this risk. Audit logs would be reviewed regularly.

Risk 2
There is a risk that the audit logs will be maintained longer than necessary given that an automatic mechanism for destroying the audit logs has not been identified.

Mitigation strategy
It is recommended that a TEMPO audit log retention period and purging procedure is approved and operationalized. A change request (CR) addressing this risk was approved and was scheduled for June 2020.

Conclusion

The above mentioned privacy risks were identified as low and mitigation strategies are ongoing to address them.