Privacy Impact Assessment (PIA) Summary: International Student Program – Letter of Acceptance (LOA) Verification Tool

Lead Government Institution

Immigration, Refugees and Citizenship Canada (IRCC)

Name of the Program/Activity

International Student Program – Letter of Acceptance (LOA) Verification Tool

Legal Authority

The legal authority for the International Student Program (ISP) is identified in section 30 of the Immigration and Refugee Protection Act (IRPA), which states:

Examination activities in support of the ISP are established in sections 15-16, 32(d), and 32(d.1)-(d.3) of IRPA.

Various sections of the Immigration and Refugee Protection Regulations (IRPR) support the activities of IRCC in the processing of study permit applications and the decision-making process; see sections 210-216, 219 and 220.1, 220.1(4).

Disclosure of personal information contained on letters of acceptance to designated learning institutions for the purpose of verification is authorized pursuant to sub-sections 8(1) and 8(2)(a) of the Privacy Act.

Description of the program or activity

This Privacy Impact Assessment (PIA) serves as a follow-up to the 2014 PIA on the International Student Program (ISP), and will focus on the shift from case-by-case to systematic sharing of personal information with all post-secondary designated learning institutions (DLIs), including sharing through the portal, and for applications submitted via online and paper channels.

As Canada becomes a more popular choice for international students, the frequency of sophisticated scams involving fraudulent documents is apparent. The ISP has become a target of these fraud cases, with IRCC, the media and other organizations discovering trends of fraudulent letters of acceptance (LOAs).

LOA fraud is a significant issue that increases application complexity, adds to the resources that must be invested in decision making, and may lead to non-genuine students obtaining study permits on the basis of fraudulent documents. It has also led to genuine students, targets of unscrupulous actors abroad, coming to Canada with fraudulent LOAs unbeknownst to them and facing hardships, vulnerability and uncertain immigration status as a result.

In an effort to avoid disingenuous applications, mandatory upfront LOA verification will help strengthen Canada’s ISP and better protect genuine students from fraud. LOA verification is only one example of the verification that the Department regularly does in the processing of all immigration applications regardless of business line. To help ensure the integrity of Canada’s immigration system, officials routinely validate a variety of documentation that has been provided by applicants with third parties, for example bank documents, language test results, and proof of employment.

As of December 1, 2023, all post-secondary DLIs will be required to verify LOAs submitted with study permit applications from outside Canada. IRCC has sent emails directly to “primary users” in each DLI, which have been identified using an existing list of DLI primary users for IRCC compliance reporting purposes, as well as new users. The primary user of the validation tool is the “super user” for that DLI. This primary user list is updated by IRCC based on information from Provinces and Territories on an ad-hoc basis. There is also a new process in place for applications submitted via online and paper channels. This initiative triggers the need for a new or modified PIA because the program is shifting from case-by-case to systematic information sharing with DLIs to verify the LOAs of international student applicants. It involves changes to existing technology to support DLIs verifying the LOA through an existing portal. The information exchange is used in support of the administrative decision about accepting or rejecting international student applicants.

Personal Information Banks

Summary of Risk Identification and Categorization

Below is the risk identification and categorization table corresponding to this initiative.

a) Type of program or activity Risk scale
Program or activity that does not involve a decision about an identifiable individual Checkbox: unchecked ☐ 1
Administration of program or activity and services Checkbox: unchecked ☐ 2
Compliance or regulatory investigations and enforcement Checkbox: checked ☒ 3
Program or activity does involve a decision about an identifiable individual Checkbox: unchecked ☐ 4
Criminal investigation and enforcement or national security Checkbox: unchecked ☐ 5
b) Type of personal information involved and context Risk scale
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the individual's consent for disclosure under an authorized program. Checkbox: unchecked ☐ 1
Personal information, with no contextual sensitivities after the time of collection, is provided by the individual with consent to use personal information held by another source. Checkbox: unchecked ☐ 2
Personal information of minors, legally incompetent individuals or involving a representative acting on behalf of the individual. Checkbox: unchecked ☐ 3
Social Insurance Number, medical, financial, or other sensitive personal information or the context surrounding the personal information is sensitive; Checkbox: checked ☒ 4
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, or the context surrounding the personal information, is particularly sensitive Checkbox: unchecked ☐ 5
c) Program or activity partners and private sector involvement Risk scale
Within the institution (among one or more programs within the same institution) Checkbox: unchecked ☐ 1
With other government institutions Checkbox: unchecked ☐ 2
With other institutions or a combination of federal, provincial, territorial, and municipal governments Checkbox: unchecked ☐ 3
Private sector organizations Checkbox: checked ☒ 4
International organizations or foreign governments Checkbox: unchecked ☐ 5
d) Duration of the program or activity Risk scale
One-time program or activity Checkbox: unchecked ☐ 1
Short–term program or activity Checkbox: unchecked ☐ 2
Long-term program or activity Checkbox: checked ☒ 5
e) Program population Risk scale
The program's use of personal information for internal administrative purposes affects certain employees. Checkbox: unchecked ☐ 1
The program's use of personal information for internal administrative purposes affects all employees. Checkbox: unchecked ☐ 2
The program's use of personal information for external administrative purposes affects specific individuals. Checkbox: checked ☒ 4
The program's use of personal information for external administrative purposes affects all individuals. Checkbox: unchecked ☐ 5
f) Technology and privacy (A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation). Risk scale
Does the new or substantially modified program or activity involve implementing a new electronic system or using an emerging technology to support the program or activity in terms of creating, collecting, or handling personal information? Checkbox: unchecked ☐ Yes
Checkbox: checked ☒ No

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

This modified activity requires changes to the following legacy systems:

Student Permit application intake channels

  • MyCIC Client Portal
    • text changes for Study Permit Letter of Acceptance Verification
    • expand the supporting document requirements in MyCIC to ensure the Letter of Acceptance is always triggered
  • Authorized Paid Representatives Portal
    • expand the supporting document requirements in MyCIC to ensure the Letter of Acceptance is always triggered
  • IMM1294 - Designated Learning Institute # on the IMM1294 Study Permit application should be mandatory for post-secondary education
  • IRCC Portal – Temporary Resident eApplication - Changes to Study Permit application to support Letter of Acceptance validation

GCMS processing

  • Modification of the Study Permit verification activity
  • Addition of Study Permit application field - Student number
  • Addition of Study Permit application field - Verification Due Date
  • Addition of Study Permit application field - Validation Status

IRCC Portal - Designated Learning Institute channel for Letter of Acceptance validation

  • New IRCC Portal tenant for Designated Learning Institutes
  • 2 factor authentication
  • Account Profile – DLI user
    • DLI number associated to the account
    • User surname or last name
    • User given name or first name
    • Email address associated with the account
    • Telephone number associated with the account
    • Language preference associated with the account
  • Download student information to be validated in Excel
  • Upload Excel validated student information
  • Search student number/student name, Date Of Birth
  • Provide Letter of Acceptance submitted by student
  • Ability to add secondary Designated Learning Institute users
  • Account activity history
  • Forgot password
Checkbox: checked ☒ Yes
Checkbox: unchecked ☐ No

Specific technological issues and privacy

Does the new or substantially modified program or activity involve the implementation of new technologies or one or more of the following activities:
☐ enhanced identification and matching methods
☒ enhanced data collection methods use or disclosure of personal information
☐ surveillance interjurisdiction or trans-border sharing of personal information
☐ use of Artificial Intelligence technology for automated personal information analysis
☐ personal information matching, and knowledge discovery techniques.

The Letter of Acceptance portal (LOA) was implemented in December 2023 for overseas Study Permit (SP) applications, as well as for in-Canada SP extension applications in January 2024. Designated learning institutions (DLI) receive a notification that there are LOAs to be verified.

The DLI must log into the LOA portal and download an Excel spreadsheet that contains a list of students to be validated.

The information on the document discloses the first name, last name, DOB, and student ID number (if applicable). These details are divulged by the DLIs when they issue an LOA. Additionally, these details are provided by students when they apply for a study permit.

The DLI verifies the authenticity of the LOA by selecting a validation status on the Excel spreadsheet. The DLI subsequently uploads the document with the new validation status into the LOA portal. The information is then transferred to the IRCC processing system.

Checkbox: checked ☒ Yes
Checkbox: unchecked ☐ No
g) Personal information transmission Risk scale
The personal information is used within a closed system (i.e., no connections to the Internet, Intranet, or any other system, and the circulation of hardcopy documents is controlled). Checkbox: unchecked ☐ 1
The personal information is used in a system with connections to at least one other system. Checkbox: unchecked ☐ 2
The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium, or printed. Checkbox: checked ☒ 3
The personal information is transmitted using wireless technologies. Checkbox: unchecked ☐ 4
The personal information is transmitted through a Cloud service. Checkbox: unchecked ☐ 5

Summary of Risks and Mitigation Strategies

This PIA identified several risks concerning: an outdated personal information bank (PIB), unclear language and missing Government of Canada requirements in the consent statement, IRCC and DLIs adhering to the retention and disposition standards, improper disclosure to the wrong DLI, unauthorized access of client personal information, lack of information sharing agreements (ISAs) between DLIs and IRCC, and unauthorized access to the IRCC portal. Mitigation strategies include: updating the PIB to include UCI and DLI user information, reviewing forms and updating them to meet requirements, conducting usability testing and client surveys to make sure the product meets client needs, implementing detailed guidance on retention and disposal standards based on information type, ensuring DLIs have secure storage of personal information through safeguards, sharing personal information with DLIs securely through the IRCC portal, regularly reviewing employees’ access to determine what is necessary, identifying the Terms of Use with DLIs covering agreements normally seen in ISAs, and monitoring user lists to clean up and audit information, maintaining DLIs' accountability for access control.

Conclusion

A majority of the mitigation strategies identified in the PIA are ongoing and are being monitored in response to the risks associated with the program. The remaining mitigation strategies are scheduled to be implemented in Q2 2024-2025.
