Privacy Impact Reports 2020 to 2021

Government of Canada Telephone General Enquiries Services Program, 1 800 O-Canada business model review and procurement project (Privacy Analysis, November 2020)

Description of program

The Government of Canada Telephone General Enquiries Services Program consists of a 1 800 O-Canada primary toll-free service for general information on the Government of Canada (GC).

As of November 2020, the contractor for the program changed to Gladstone. The call centres, facilities, workstations, telephones and printers will be contractor-provided.

ESDC retains full control using Shared Services Canada (SSC) infrastructure.

Need for privacy assessment (PA)

Privacy Management Division completed this PA to identify privacy risks related to the access, use, and handling of personal information within the program. The PA also provides advice and an action plan to eliminate or reduce identified privacy risks.

More information

The PA reviewed the Privacy Management Plan, the security assessments, and equipment connecting to the SSC infrastructure.

The PA identified 2 medium privacy risks. The strategies to address these risks are scheduled for completion by June 2021.  

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

British Columbia Trusted Digital Identity Project with the Department of Employment and Social Development Canada (Privacy Impact Assessment, August 2020)

Description of activity

The British Columbia Trusted Digital Identity (BC TDI) Project will give BC residents the opportunity to streamline their access to their My Service Canada Account (MSCA). They can do this using the provincially approved credential known as the Trusted Digital Identity (TDI).

Need for privacy impact assessment (PIA)

Privacy Management Division completed this PIA because:

  • the British Columbia TDI Project introduces changes to MSCA processes including new collection, use, retention, and disposal of personal information
  • it introduces new technology to ESDC to support the Department’s collection and use of British Columbia’s TDI
  • the British Columbia TDI Project is a new partnership with the Government of BC

The assessment looked at the privacy risks and mitigations related to the management and protection of personal information. British Columbia TDI will give access to programs and services available on MSCA. It will also allow access to information through the Canada Revenue Agency’s My Account for Individuals.

More information

The PIA looked at the use of British Columbia TDI for MSCA client registration, return use, or substitution from existing login solutions. The assessment focused on identifying privacy risks related to the handling of personal information.

The PIA identified 2 medium risks and 1 compliance issue. The strategies to address these risks are scheduled for completion by the end of March 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Canada Emergency Response Benefit (Privacy Impact Assessment, January 2021)

Description of program/activity

The Canada Emergency Response Benefit (CERB) was established by the government to provide financial support to workers whose income was affected by the COVID-19 pandemic.

This assessment is a multi-institutional Privacy Impact Assessment (PIA) developed in collaboration with the Canada Revenue Agency (CRA). CERB is a program under ESDC, and is administered by the CRA.

Need for privacy impact assessment (PIA)

This PIA identified privacy risks associated with the collection and use of applicants’ personal information as part of a decision-making process (or administrative process) that directly affects those applicants.

More Information

The assessment examines the privacy risks related to the management and protection of personal information collected by the CERB Program.

The PIA identified 3 medium risks. The strategies to address these risks are scheduled for completion by December 31, 2020.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Canada Pension Plan Service Improvement Strategy, Enhanced Death Notification, Proof of Concept (Privacy Analysis for IT Solutions, September 2020)

Description of activity

The Canada Pension Plan Service Improvement Strategy (CPP SIS) Enhanced Death Notification (EDN) Proof of Concept (POC) is an initiative that will create an opportunity for funeral services providers to submit domestic death notifications through a secure/online portal.

This will eliminate the need to fax death notifications to Service Canada. The funeral services providers will collect the beneficiary’s personal information from the family and/or estate. Then they will complete an online version of the Death Notification Web form via Data Gateway.

This initiative introduces a more secure online transmission than the current method.

Need for privacy assessment for IT solutions (PAITS)

Privacy Management Division completed this PAITS to identify the privacy risks with the CPP SIS EDN POC initiative.

The assessment examines the privacy risks related to the management and protection of personal information in the EDN POC.

More information

The scope of the PAITS is limited to client information from the electronic death notification form submitted through the Data Gateway. Personal information of clients via Data Gateway remains the same as the personal information via the fax process. This initiative allows the funeral services provider to submit the notification on behalf of the executor and/or family.

The PAITS identified 1 low risk. The strategy to address this risk will be determined in 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Electronic Social Insurance (eSIN) Application (Privacy Analysis for IT Solutions, March 2021)

Description of program

The Electronic Social Insurance Number Application (eSIN Application) initiative under Employment and Social Development Canada (ESDC) was created in response to the COVID-19 pandemic to provide Canadians with a self-service online SIN application form.

This service is to replace in-person processes by providing clients with the ability to submit information electronically through the eSIN Application platform. This replaces the in-person, paper-based process.

The online process allows applicants to do most actions online that in-person services would provide with respect to their SIN. The eSIN Application may become permanent even as Service Canada Centers begin to reopen.

Need for privacy analysis for IT Solutions (PAITS)

Privacy Management Division completed this PAITS to identify privacy risks associated with the collection, use and handling of personal information when clients submit their documents to the eSIN Application platform.

In addition, this PAITS analyses the use of a third-party cloud services platform for ESDC to collect new personal information and confirm the identity of clients applying for a SIN.

More information

The PAITS identified 2 low risks as well as 3 medium risks. In addition, there were 3 compliance issues. The strategies to address these risks are scheduled for completion by March 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Employment Insurance Emergency Response Benefit (Privacy Compliance Evaluation, December 2020)

Description of program

Employment and Social Development Canada (ESDC) created the Employment Insurance Emergency Response Benefit (EI ERB) Program in response to the Canada Emergency Response Benefit Act passed on March 25, 2020, to support workers during the COVID-19 pandemic.

Clients received available income support through the Act by applying for CERB through the Canada Revenue Agency (CRA) or the equivalent benefit, EI ERB, through Service Canada. Under the Service Canada benefit (EI ERB), clients applied if they were eligible using the existing online application for EI Benefits.

Benefits were available for a total of 28 weeks ending October 3, 2020. The eligibility process included a check of weekly data to avoid duplication of benefits, which was not permitted.

Need for privacy compliance evaluation (PCE)

Privacy Management Division (PMD) completed the Privacy Compliance Evaluation (PCE) to make sure that privacy was considered during the launch of COVID-related measures.

The PCE examines the privacy risks and strategies related to managing and protecting personal information involved in the collection, use and data matching activities used to run the EI ERB program.

More information

The PCE identified 2 medium level risks. The strategies to address these risks are scheduled for completion by March 31, 2021. 

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Enterprise Document Upload Solution (Privacy Analysis for IT Solutions, November 2020)

Description of program

The Enterprise Wide Document Upload Service (Enterprise DUS) is an initiative under Employment and Social Development Canada (ESDC).

Clients will be able to submit their documents electronically through My Service Canada Account (MSCA). This is better than having to mail in their documents or providing them in person.

ESDC programs or services within the Department will be able to use the service to collect documents using a consistent and standard method.

Need for a privacy analysis for IT solutions (PAITS)

Privacy Management Division completed this PAITS to identify privacy risks associated with the collection of personal information from clients who upload documentation to the solution in order to process their requests.

This analysis shows that privacy was considered in the use of the Enterprise DUS by various ESDC programs.

More information

The PAITS identified 1 medium risk. The strategy to address this risk is scheduled for completion by the end of December 2020.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Service Delivery Arrangement for the Grant Program to Support Self-Employed Fish Harvesters in Canada Affected by COVID-19 (Privacy Impact Assessment, November 2020)

Description of program

On May 14, 2020, the Prime Minister announced up to $469.4 million in new measures to support Canada’s fish harvesters who are affected financially by the pandemic, but who cannot access other federal benefits.

There are 2 distinct but complementary streams to the Program:

  1. the Fish Harvester Benefit, and
  2. the Fish Harvester Grant

The Program’s benefit calculations will be based on the applicants’ higher fishing income from the 2018 or 2019 tax years.

Need for privacy impact assessment (PIA)

Privacy Management Division completed this PIA to identify the privacy risks associated with the business process for the Grant Program to Support Self-employed Fish Harvesters in Canada Affected by COVID-19. ESDC will be handling sensitive personal information as part of the service delivery.

More Information

The PIA identified 5 low risks as well as 6 medium risks. The strategies to address these risks are scheduled for completion by December 2020.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Mental Health Peer Support Program (Privacy Impact Assessment, August 2020)

Description of program

The Peer Support Program is a mental health program under Employment and Social Development Canada (ESDC).

The program provides mental health related social support where existing ESDC employee volunteers (“Peer Supporters”) share their mental health challenges to support ESDC employees (“Peer Supports”) also experiencing mental health issues or challenges.

Need for a privacy impact assessment (PIA)

Privacy Management Division helped complete this PIA to identify privacy risks associated with the collection of personal information from ESDC employees (who apply to become Peer Supporters).

More information

The PIA focused on the privacy risks and strategies to address the management and protection of personal information collected by the Peer Support Program. This involves the protection of personal information of Peer Supporters who provide peer counselling and Peer Supports who share their personal information.

The PIA identified 4 risks; 1 medium and 3 low risks. The strategies to address these risks are scheduled for completion by March 31, 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

OAS/CPP Personal Information Exchange between the Service Canada International Operations and International Social Security Agreement Foreign Partners using Canada Post, epost Connect (Privacy Impact Assessment, July 2020)

Description of activity

The Minister of Families, Children and Social Development is permitted under the Old Age Security (OAS) Act and Canada Pension Plan (CPP) to enter into social security agreements (SSA) with foreign partners to exchange personal information for the administration of CPP and OAS benefits.

This process affects people who have lived and/or worked in another country, and allows them to obtain a foreign pension from a country they have lived and/or worked in.

Service Canada sends hundreds of paper-based requests for information daily, as well as responses to requests for information to agreement partners in 59 countries. As the situation with the COVID-19 pandemic continues, many International Postal Operators have started using temporary measures regarding mail operations and delivery.

These changes result in big delays or suspensions of mail service, international mail and parcel. The proposed approach is to start using Canada Post’s epost Connect by Service Canada in order to continue exchanging personal information with foreign partners.

Need for a privacy impact assessment (PIA)

A PIA is necessary as Service Canada is using personal information as part of a process that directly affects people. Service Canada is changing its sharing of personal information with countries under an International Social Security Agreement (ISSA Country) from a paper-based method to an electronic method using epost Connect services from Canada Post.

The assessment examines the privacy risks and proposes strategies to manage and protect personal information associated with epost Connect.

More Information

The PIA identified 3 medium risks. The strategies to address these risks are scheduled for completion by September 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

The Disclosure of Canada Pension Plan and Old Age Security Personal Information with the Office of the Chief Actuary and Canada Revenue Agency for Statutory Valuations and to Prepare Actuarial Reports (Privacy Analysis, May 2020)

Description of activity

Employment and Social Development Canada (ESDC) is sharing personal information on Canada Pension Plan (CPP) and Old Age Security (OAS) recipients with the Office of the Chief Actuary (OCA), which forms part of the Office of the Superintendent of Financial Institutions (OSFI).

OSFI uses the personal information to conduct statutory valuations and prepare actuarial reports of the CPP/OAS Acts.

Need for privacy analysis (PA)

Privacy Management Division helped complete this PA since ESDC is sharing personal information with OSFI.

A Privacy Impact Assessment was not required, as the personal information is not used for an administrative purpose (reporting).

More Information

This PA provides an assessment of the privacy risks associated with ESDC providing personal information to OSFI to prepare actuarial reports of the Canada Pension Plan and the OAS Act.

The PA identified 1 low as well as 2 medium risks. In addition, there were 3 compliance issues. The strategies to address these risks and issues are scheduled for completion by 2024.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Passport Program Modernization Initiative (Privacy Analysis, May 2020)

Description of program

The Passport Program is making a change to deliver on the government’s promise to improve the process of issuing passports.

Part of this initiative is the Passport Program Modernization Initiative (PPMI). PPMI involves changes in the functions carried out by Service Canada as it delivers services for the Passport Program.

Service Canada will use the Global Case Management System (GCMS) to replace an outdated system through a gradual approach.

Need for privacy analysis (PA)

Privacy Management Division completed this PA to identify privacy risks and impacts of the PPMI on the access, use, and handling of personal passport information. The PA also provides advice and an action plan to reduce, or resolve, these privacy risks.

More information

This PA focused on the risks associated with the Passport Program Modernization Initiative, as well as new risks in the current Passport Service Delivery.

The PA identified 1 low risk as well as 1 medium risk. In addition, there were 3 compliance issues, and 3 observations for consideration. The strategies to address these risks are scheduled for completion by April 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Pension Process Automation (Privacy Analysis for IT Solutions, March 2021)

Description of program

Employment and Social Development Canada launched an initiative in 2018 to improve its pension process operations.

Robotic Process Automation (RPA) is a software tool that uses business rules and sequences of actions to automatically complete processes the same way a human would. This RPA meets the Government of Canada Standards.

Personal Information is received from clients for Canada Pension Plan and Old Age Security-related applications and enquiries through different channels. In this initiative, information that is received is automatically processed using RPA to replace manual processing by an agent.

Need for privacy analysis for IT solutions (PAITS)

A large number of files will be processed through this new software, all of which are administrative decisions that affect individuals directly.

Sensitive personal information will be housed in the server, and the automation process will have access to personal information from the applications. This privacy analysis assessed the automation process to make sure that personal information is handled safely.

More information

The PAITS identified no risks or compliance issues.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Quarantine Call Centre (Privacy Compliance Evaluation, May 2020)

Description of program

Due to COVID-19, the Government of Canada introduced mandatory requirements for travellers arriving into the country on April 14, 2020.

The Public Health Agency of Canada (PHAC) contacted travellers with COVID-19 symptoms who were entering Canada to make sure they were complying with the Mandatory Isolation Order. PHAC Designated Screening Officers (DSOs) called travellers and asked a series of questions to determine if they were following the guidelines for self-isolation.

Given the amendments to the Quarantine Act, PHAC needs asymptomatic (showing no symptoms) travellers to follow the same isolation guidelines. Since PHAC does not have the capacity or expertise to manage such high call volumes, Service Canada Call Centres will assume this activity.

Need for privacy compliance evaluation (PCE)

Privacy Management Division helped complete this PCE because Service Canada will be collecting and using travellers’ personal information.

The assessment examines the privacy-related risks of using personal information and proposes methods to address these risks.

More Information

The PCE focused on the privacy risks and strategies used to manage and protect personal information.

The PIA identified 5 low and 6 medium risks. In addition, there were 3 compliance issues. The strategies to address these risks and issues are scheduled for completion by June 30, 2020.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Receipt of Entry-Exit Data from the Canada Border Services Agency by the Old Age Security Program (Privacy Impact Assessment, July 2020)

Description of program

The Old Age Security (OAS) Program is the Government of Canada's largest pension program. The program consists of the OAS pension and 3 types of OAS Benefits: Guaranteed Income Supplement (GIS), Allowance (ALW), Allowance for the Survivor (ALWS).

In order to pay pensions and benefits under the Old Age Security Act (OAS Act), ESDC must make sure that the residence, age and legal status requirements have been met at the time of application. In addition, the recipient’s residence and time away from Canada may affect the pension/benefit paid. Generally, payments are suspended for anyone who is absent from Canada for more than 6 consecutive months unless that person is receiving a ‘portable’ pension.

Service Canada is responsible for investigating fraud and abuse of the OAS Program including, but not limited to, individuals who received pension and/or benefits while absent from Canada.

To assist in delivering those responsibilities, Service Canada will begin receiving traveller information from the Canada Border Services Agency (Entry-Exit (E/E) data). This information is matched against OAS clients to ensure that they meet the requirements relating to their absence from Canada.

Need for a privacy impact assessment (PIA)

This PIA identified the privacy risks associated with the collection of entry/exit data from CBSA in accordance with the Customs Act. This act allows the disclosure of traveller information to administer and enforce the Employment Insurance Program and the Old Age Security Program.

The assessment examines the privacy risks and strategies to manage and protect personal information used in entry/exit data.

More Information

This PIA focused on the handling of the entry and exit data.

The PIA identified 1 low risk and 4 medium risks. The strategies to address these risks are scheduled for completion by the end of March 2022.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Service Canada Compliance Verification Service for the Public Health Agency of Canada during COVID-19 Pandemic 2.0 and 3.0 (Privacy Compliance Evaluation, July 2020)

Description of program/activity

The Service Canada Compliance Verification Service for the Public Health Agency of Canada (PHAC) during COVID-19 Pandemic was expanded to allow for the implementation of the PHAC COVID-19 Inbound Dial Campaign for Quarantine Confirmation (PHAC 2.0) and Symptom Reporting (PHAC 3.0) with the objective of supporting the enforcement of the Quarantine Act.

As the volume of travellers increases, PHAC (PHAC 2.0) aims to encourage travellers to verify their identity and provide their quarantine confirmation through multiple channels. In addition, PHAC (PHAC 3.0) is going to be asking travellers to report on their symptoms daily via their channel of choice.

Need for a privacy compliance evaluation (PCE)

Privacy Management Division helped complete this PCE because Employment and Social Development Canada will be collecting and handling travellers’ personal information.

More Information

The assessment examines the privacy-related risks due to the handling of travellers’ personal information and proposes methods to address these risks.

The Checklist identified 5 low and 2 medium risks. In addition, there were 4 compliance issues. The strategies to address these risks and issues are scheduled for completion by March 31, 2021. 

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Unauthorized Access Program (Privacy Impact Assessment, November 2020)

Description of program

Employment and Social Development Canada (ESDC) started the Unauthorized Access Program.

This program will monitor application logs to determine whether employees have accessed files containing sensitive and/or personal information without authorization. Log monitoring will help the department identify incidents of internal “snooping”, fraud, and misuse of personal information entrusted to ESDC.

Need for a privacy impact assessment (PIA)

Privacy Management Division helped complete this PIA to identify privacy risks associated with collecting personal information from ESDC employees and clients who provide personal information for ESDC services.

Personal information about ESDC employees and clients is necessary to investigate suspicious and unusual activity. The personal information collected by the Program may be used for purposes such as identifying and confirming the identity, and for investigating unauthorized access.

The use of this information through this program may result in actions that directly affect employees who have accessed information without authorization (for example, disciplinary measures).

The assessment examines the privacy risks and strategies related to handling personal information involved in the collection, use and data matching activities conducted by ESDC to detect unauthorized access to personal information by employees.

More information

The PIA identified 1 low and 1 medium risk. The strategies to address these risks are scheduled for completion by September 30, 2020. 

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

VidCruiter Hiring Platform PIA (Privacy Impact Assessment, November 2020)

Description of activity

Employment and Social Development Canada (ESDC) will pilot the use of pre-recorded, non-simultaneous video, and audio interview technology in staffing services using cloud-based technology.

This initiative will make staffing selection processes more efficient and cost-effective. It will reduce the time and costs of traditional methods of interviewing for employers as well as for applicants.

With COVID-19, the use of a video interview platform has become essential.

Need for a privacy impact assessment (PIA)

Privacy Management Division helped complete this PIA to identify the privacy risks and mitigations related to the collection and management of personal information of applicants who participate in the interview process via video interview technology.

The use of video and audio recordings as part of the staffing interview process involves a new collection of sensitive personal information that will be used for a decision-making purpose that directly affects the individual (that is, whether an applicant will be hired or not).

In addition, this project involves a real change to the way personal information is collected from candidates. This change means using pre-recorded video or audio interviews submitted by job applicants/candidates.

More information

The PIA focussed on the collection, use, disclosure, retention and disposal of pre-recorded video and audio-only interviews in ESDC’s staffing process and activities. These interviews are collected through VidCruiter, a new third party cloud-based software solution and platform.

The focus of this PIA was to identify risks associated with the collection and use of personal information obtained from such interviews. The PIA reviewed ESDC’s changes to its staffing processes specific to the use of VidCruiter rather than holding in-person interviews.

The PIA identified 3 medium and 2 high risks. The strategies to address these risks are scheduled for completion by March 31, 2021.

In order to have access to this privacy product, please contact:
Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)
