Electronic Monitoring Pilot II (EM-PII)

Privacy impact assessment (PIA) summary

Overview

In 2008, the Correctional Service of Canada (CSC) completed a privacy impact assessment (PIA) for the Electronic Monitoring Pilot Project, which examined the capacity of CSC to use EM technology to monitor higher risk and/or needs of offenders on release in the community. The project ended in 2011 and, at the present time (March 2013), EM services are not operational within CSC. However, with the coming into force of the Safe Streets and Communities Act, CSC can now demand an offender wear a monitoring device to monitor their compliance with a condition of a temporary absence, work release, parole, statutory release or long-term supervision that restricts their access to a person or geographical area or requires them to be in a geographical area.

In preparation for a future implementation and expansion of EM, a new PIA has been completed for Part II of the pilot in order to determine the extent to which the conclusions contained in the 2008 PIA are still valid and applicable and to identify the new privacy risks that may have to be addressed. This pilot will examine the effectiveness and efficiency of EM as a supervision tool, as well as determine cost efficiency. It is expected that Part II will be implemented sometime in December 2013 or January 2014 and the pilot will continue for a period of three to five years.

Phase II will implement EM as a supervision tool in all five CSC regions in order to test the EM technology and functionality in various geographical areas.

Two types of information will be collected specific to offenders on EM:

  1. EM location information including the offender's location/movement records, and
  2. EM project information, which includes data related to the referral and device installation/removal.

The following are the risks that have been identified and the recommendations for their mitigation:

Summary of risks and recommendations

Risk

The availability of EM will result in "net widening".

Recommendations for mitigation

EM will not be applied arbitrarily. It is a tool to be used to monitor a geographic condition. Offenders must meet CSC's high-risk selection criteria (based on actuarial risk measurements) and have a geographical condition imposed by Parole Board Canada/Institutional Head (whoever is the releasing authority) or a standard condition of release that EM will be used to monitor.

Risk

Information collected goes beyond what is necessary to monitor a geographical condition.

Recommendations for mitigation

While location data is captured and stored for each offender on EM, the monitoring done by CSC is exception based. CSC staff only respond to alerts (violations of the conditions being monitored) and do not track offender movement in the software. Any law enforcement agency request for EM data to investigate a criminal matter must be made under section 8(2) of the Privacy Act.

Risk

The staff and the vendor who will be involved in the administration of the service may use the information for purposes for which it was not intended.

Recommendations for mitigation

Personal offender identifiers will not be entered into the EM software; rather, EM offenders will be assigned an EM reference number. CSC will conduct regular audits to confirm that staff accessing the EM software have a need to know and that those who have an active software account continue to require one. CSC will ensure the vendor contract stipulates that CSC retains the right to conduct audits/inspections with respect to the service provider's access to the EM software, as well as privacy/confidentiality provisions.

Risk

Information may be accessible to foreign governments.

Recommendations for mitigation

No personal identifiers will be stored in the EM software. Even if the contract is awarded to a foreign government, they will be subject to the federal Canadian Privacy Act.

Risk

There is always the risk of unauthorized disclosure of personal information.

Recommendations for mitigation

EM staff will receive training sessions with CSC ATIP on how to report and prevent privacy breaches. The vendor contract will contain a clause requiring the vendor to report any breaches to CSC. Personal information will be limited to those individuals within the EM project who have a strict need to know. Requests under 8(2) of the Privacy Act must follow proper protocols including a review by EM project staff and ATIP.

Risk

Retention and disposal of EM data without the authority of CSC.

Recommendations for mitigation

CSC will ensure the contract sets out the requirements of retention and disposal of data in accordance with the federal Privacy Act, including a provision stipulating that all CSC information will be returned to CSC upon termination of the contract by the vendor/CSC or once the offender has completed EM.

Risk

A Threat Risk Assessment (TRA) has not been completed.

Recommendations for mitigation

As per CSC's standards for new services, a TRA will be completed once a service provider has been selected.
