Polygraph Examination

Government Institution

Department of National Defence

Government official responsible for the PIA

Robin Lessard
Director, Directorate of Personal Security and Identity Management (DPSIM)
Director General Defence Security (DGDS)

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Bank, Executive Director
Directorate Access to Information and Privacy

Description of Program or Activity (from Departmental Results Framework):

Ready Forces
Field combat ready forces able to succeed in an unpredictable and complex security environment in the conduct of concurrent operations associated with all mandated missions.

Standard or institution specific class of record:

DND CSA 520 (Careers)
DND MIS 085 (CAF Security and Investigations)

Standard or institution specific personal information bank:

DND PPU 834 (Personnel Security Investigation File)

Legislated authority for activity:

Pursuant to paragraph 7(1)(a) of the Financial Administration Act (FAA), Treasury Board (TB) may act for the Queen’s Privy Council for Canada on all matters relating to general administrative policy in the federal public administration. In addition, TB has the authority under paragraphs 7(1) (e) and (e.1) of the FAA to determine the terms and conditions of employment of persons employed in the federal public administration and persons appointed by the Governor in Council where those terms have not been established under an Act of Parliament or order in council or by any other means. Both the SSS and the Policy on Government Security are issued pursuant to section 7 of the FAA.

Furthermore, as it relates to members, under the authority of the National Defence Act, the Governor-in-Council and the Minister of National Defence (MND) make regulations and orders governing the organization, training, discipline, efficiency, administration and good governance of the CAF, carrying the purposes and provisions of the National Defence Act into effect. Consequently, as it relates to CAF members and DGDS’s security screening activities, the National Defence Act provides the legal authority similar to s. 7 of the FAA (establishing terms and conditions of employment).

The authority to conduct security screening in relation to government contractors rests in the authority of Ministers and departmental corporations to enter into contracts to fulfil the mandate of their respective institutions. It also adheres to the requirements of the SSS and PSPC’s Contract Security Program.

Summary of the project / initiative/ change:

This PIA has been developed to assess the manner in which the Director General Defence Security (DGDS) utilizes polygraph examinations within the security screening processes of CAF members, DND employees, and DND/CAF contractors.

This PIA is limited to the privacy implications of performing the polygraph examinations, including the collection, use, disclosure, storage, safeguarding, and retention of the personal information.

The risks and recommendations identified in this PIA have been assessed by senior leadership within DGDS. After careful consideration, a risk mitigation strategy was developed which will result in a reduction of risk to an acceptable level within an acceptable timeframe.

Risk Area Identification and Categorization

In its Directive on Privacy Impact Assessment, Treasury Board has expressed that the PIA must include a completed risk identification and categorization section and make public those risk ratings. A risk rating must be assigned to each risk areas named and described in Appendix C of the Directive on Privacy Impact Assessment. The numbered risk scale is presented in an ascending order:

• the first level (1) represents the lowest level of potential risk for the risk area;
• the fourth level (4) represents the highest level of potential risk for the given risk area.

For this PIA the risk areas and associated risk levels are as follows:

Risk Area Identification and Categorization

Risk Area	Risk Level
Type of Program or Activity	Risk Level
Administration of Programs / Activity and Services Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.	2
Type of Information Involved and Context	Risk Level
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. For example: personal information that reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and which, by association, reveals similar details about other individuals such as relatives.	4
Program or Activity Partners and Privacy Sector Involvement	Risk Level
Within the institution (amongst one or more programs within the same institution)	1
Duration of the Program	Risk Level
Long-term program Existing program that has been modified or is established with no clear “sunset”.	3
Program Population	Risk Level
The program affects certain employees for internal administrative purposes.	1
Technology and Privacy
There are dedicated laptops, A/V recorders, and polygraph software which comprises a polygraph examination system. That system is managed in accordance with the security classification of the contents to ensure appropriate administrative and technical safeguards are in place.
Information Transmission	Risk Level
The personal information is used within a closed system. No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is controlled.	1
In the Event of a Privacy Breach Impacting the Individual
In the event that a privacy breach, there are potentially significant and lasting negative impacts on the reputation of polygraph examinees. The records collected during the examination can be extremely sensitive.  For some persons, the breach would have minimal to no impact, such as those persons who have no prior issues with the question areas asked in the polygraph examination. However, for others, the breach of their data could have significant impacts on career and relationships.