Privacy impact assessment - Site-Secure - 2017

Summary

Canadian Heritage is implementing Site-Secure software, a security management solution that provides a common source of documenting incidents, occurrences, the registration of guests, assets, service calls, etc.

The software is bundled in multiple modules.  Not all of the modules being implemented involve the collection of personal information.  However, some of them do and it was determined that a privacy impact assessment (PIA) was required to mitigate any privacy risk associated with the implementation of those modules.

The personal information that is collected and used in Site-Secure is described in the following Standard Personal Information Banks:

PSE 917 - Identification Cards and Access Badges
PSU 917 - Personnel Security Screening
PSU 939 - Security Incidents and Privacy Breaches
PSU 907 - Security Video Surveillance and Temporary Visitor Access Control Logs and Access Badges

Privacy risk mitigation

The privacy impact assessment has been prepared and the analysis of the risks was made against the ten universal privacy and fair information practice principles of the Canadian Standards Association Model Code for the Protection of Personal Information.
 
Canadian Heritage takes the protection of Canadians’ information very seriously and is committed to taking further action to mitigate the privacy risks that were identified in the process.

The following are the privacy risks identified through the PIA process that pertain to the installation of four specific modules of the Site-Secure software and the mechanisms to mitigate these risks: 

1. Nature of risk: at the time where personal information is collected, there is not always a privacy notice informing individuals about the purposes of the collection and their rights with respect thereof.
   Mitigation mechanism: privacy notice statements will be drafted and will appear on all forms and modules that involved the collection of personal information.
2. Nature of risk: some modules have the capacity to collect additional pieces of personal information that are not needed.
   Mitigation mechanism:  the Site-Secure modules will be re-programmed to ensure Canadian Heritage will only collect the information that is requested on current TBS forms.
3. Nature of risk:  there is no activity log attached to the personal information record to record the purposes of disclosure not listed in the Index of Standard Personal Information Banks (PIBs).
   Mitigation mechanism: access to information and privacy will be consulted every time a use or disclosure of personal is proposed from Site-Secure that is not currently described in the relevant Standard PIBs.