Privacy Impact Assessment Summary
Athlete Assistance Program (AAP)
1. About
Sport and physical activity play an important role in the health, social, linguistic, economic, and cultural diversity of Canadians. The Athlete Assistance Program (AAP) is a federal grant program that provides direct financial assistance to high-performance athletes in Canada. This includes living and training allowances, and tuition and supplementary support in specific situations. The AAP is one of three Sport Canada programs administered by the Department of Canadian Heritage’s (PCH) Sport Canada branch to support the development of Canadian athletes and the improvement of Canada’s competitiveness in international sporting competitions.
2. Collection of Personal Information
In order to process an application for funding under the AAP, PCH must collect, use and share personal information from eligible athletes. Personal information is also used for program management and administration purposes. Personal information may be collected from eligible athletes and from the parents or guardians and coaches of athletes. Whereas PCH collects and uses personal information for ‘administrative’ purposes (i.e., to make a decision about an identifiable individual), it elected to perform a Privacy Impact Assessment (PIA) in relation to the AAP.
3. Scope of the Privacy Impact Assessment (PIA)
PCH is named in the Schedule to the Privacy Act and is subject to the privacy policies and directives of the Government of Canada. Under the Treasury Board of Canada Secretariat’s (TBS) Policy on Privacy Protection, all federal institutions subject to the Privacy Act are required to undertake an assessment of the privacy impacts associated with the development or design of new programs or services involving personal information. PIAs are also required when making significant changes to an existing program or service.
Although the AAP was established prior to the effective date of the Government of Canada’s Policy on Privacy Protection, in 2020 PCH planned to introduce a new management information system to support the Program. As such, and whereas PCH intends to continue collecting, using and disclosing personal information in the administration of the AAP, the Department elected to undertake a core PIA in order to ensure that privacy risks, if any, associated with the Program and its new supporting system are properly mitigated. It was management’s view that the performance of a PIA in relation to the new system –and more importantly the underlying activities of the AAP – offered an opportune time to review and assess how best to handle the personal information of program applicants and participants.
The PIA was completed under the direction of the Department’s Chief Information Officer Branch (Strategic Business Transformation), and in consultation with AAP program officials. The Department’s Access to Information and Privacy (ATIP), information technology, and information management groups were engaged as and when needed.
In keeping with its scope as a core PIA, the assessment included a high-level review of the AAP, as operating at the time this report was drafted. It included a review of the AAP applicant registration process, and an assessment of approved uses of personal information collected from eligible athletes. The review also included a review of the new AAP Management Information System (AAPMIS) in its earliest stages of design (i.e., a proof of concept). This included a review of business requirements, planned workflows, and core system functionality.
The PIA did not include an assessment of IT and general privacy controls relating to the new system. IT security matters related to AAPMIS and other supporting applications and databases were examined primarily through PCH’s Security Assessment and Authorization (SA&A) process. A separate PIA has been prepared by PCH for the My PCH On-line Portal
4. Privacy Analysis
Based on the PIA, privacy risks arising from the AAP and the first iteration of the new AAPMIS are considered to be moderate to low. The Program involves the collection of only a limited set of personal data, most of which is non-sensitive in nature. That data is collected directly from the individual to whom it belongs and is used exclusively for Program management and administration (i.e., there are no secondary uses of athlete information).
5. Risk Area Identification and Categorization
| A: Type of Program or Activity | Level of Risk to Privacy |
|---|---|
| Program or activity that does NOT involve a decision about an identifiable individual. Personal information is used strictly for statistical / research or evaluations including mailing list where no decisions are made that directly have an impact on an identifiable individual. | No |
| Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…). | Yes |
| Personal information is used for purposes of detecting fraud or investigating possible abuses within programs where the consequences are administrative in nature (i.e., a fine, discontinuation of benefits, audit of personal income tax file or deportation in cases where national security and/or criminal enforcement is not an issue). | No |
| Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). | No |
| B: Type of Personal Information Involved and Context | Level of risk to privacy |
|---|---|
|
Only personal information provided by the individual – at the time of collection –- relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities. The context in which the personal information is collected is not particularly sensitive. For example: general licensing, or renewal of travel documents or identity documents. |
Yes |
| Personal information provided by the individual or personal information held by another source / with no contextual sensitivities after the time of collection. | No |
| Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. | No |
| Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. | No |
| C: Program or Activity Partners and Private Sector Involvement | Level of risk to privacy |
|---|---|
| Within the department (amongst one or more programs within the department) | Yes |
| With other federal institutions | No |
| With other or a combination of federal/ provincial and/or municipal government(s) | Yes |
| Private sector organizations or international organizations or foreign governments | Yes |
| D: Duration of the Program or Activity | Level of risk to privacy |
|---|---|
| One time program or activity: Typically involves offering a one-time support measure in the form of a grant payment as a social support mechanism. | No |
| Short–term program: A program or an activity that supports a short-term goal with an established “sunset” date. | No |
| Long-term program: Existing program that has been modified or is established with no clear “sunset”. | Yes |
| E: Program Population | Level of risk to privacy |
|---|---|
| The program affects certain employees for internal administrative purposes. | No |
| The program affects all employees for internal administrative purposes. | No |
| The program affects certain individuals for external administrative purposes. | Yes |
| The program affects all individuals for external administrative purposes. | No |
| F: Technology and Privacy | Level of risk to privacy |
|---|---|
| Does the new or modified program or activity involve the use or implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? | Yes |
| Does the new or modified program or activity require substantial modifications to IT legacy systems and / or services? | No |
| The new or modified program or activity involves the implementation of potentially privacy invasive technologies? | No |
| G: Personal Information Transmission | Level of risk to privacy |
|---|---|
| The personal information is used within a closed system. No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is controlled. | No |
| The personal information is used in system that has connections to at least one other system. | Yes |
| The personal information may be printed or transferred to an unencrypted portable device. | Yes |
| The personal information is transmitted using unsecured wireless technologies. | No |
| I: Risk Impact to the Individual or Employee | Level of risk to privacy |
|---|---|
| Inconvenience. | Yes |
| Reputation harm, embarrassment. | Yes |
| Financial harm. | Yes |
| Physical harm, including restrictions to an individual’s freedom of movement or association. | No |
| H: Risk Impact to the Department | Level of risk to privacy |
|---|---|
|
Managerial harm. Processes must be reviewed, tools must be changed, change in provider / partner. |
Yes |
|
Organizational harm. Changes to the organizational structure, changes to the organizations decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources. |
Yes |
|
Financial harm. Lawsuit, additional moneys required reallocation of financial resources. |
Yes |
|
Reputation harm, embarrassment, loss of credibility. Decrease confidence by the public, elected officials under the spotlight, departmental strategic outcome compromised, government priority compromised, and impact on the Government of Canada Outcome areas. |
No |
Page details
- Date modified: