Privacy Impact Reports 2024 to 2025

On this page

• May
  • Canadian Dental Care Plan (CDCP) - Phase 2
  • Integrated Labour System: Federal Mediation and Conciliation Service
• June
  • Canada-Ukraine Transitional Assistance Initiative
  • Canada Pension Plan Program Return to Work Pilot
  • Secure Portal for Verified Partners in Children Services Annex to the Electronic Social Insurance Number
• September
  • Cúram (Privacy Analysis for IT Solutions – September 2023)
• October
  • Assault-Style Firearms Compensation Program Phase 1 - Business
• November
• Emergency Management Application System
• Integrated Service Strategy and Operations’ Pensions Trusted Digital Repository
• Prescribed Presence in the Workplace - Low Onsite Connectivity Monitoring
• January
• Enhancement to the fraud monitoring capacity as part of the modernization of ECAS
• March
• Social Insurance Number on My Service Canada Account (SINOM)-Release 2 and 3

May

Canadian Dental Care Plan (CDCP) - Phase 2

Description of Program

The 2023 Federal Budget proposes providing $13 billion over five years, starting in 2023-24, and $4.4 billion ongoing, to Health Canada to implement the new Canadian Dental Care Plan (CDCP). The CDCP will provide dental coverage for uninsured Canadians with an annual family income of less than $90,000. Employment and Social Development Canada (ESDC) is a service delivery partner with one of its roles being an assessor of eligibility.

Need for privacy impact assessment

The assessment examines the privacy risks and strategies related to the management and protection of personal information collected in the form of online CDCP applications.

More Information

The PIA identified 2 medium risks. There were no compliance issues. The risks are in process of being mitigated.

To have access to this privacy product, please contact:

Integrated Labour System: Federal Mediation and Conciliation Service

Description of Program/Activity

The Integrated Labour System (ILS) was a modernization initiative within Labour Program to consolidate existing electronic systems, tools and data of various business lines into one central system.

Need for privacy impact assessment

This PIA was completed to identify the privacy risks related to Federal Mediation Conciliation Service's collection, use, disclosure, and safeguarding of personal information.

More Information

The PIA identified 5 medium risks, 2 low risks, and 3 compliance issues. The mitigation strategies to address these risks and issues are in process of being mitigated.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

June

Canada-Ukraine Transitional Assistance Initiative

Description of program

The Canada-Ukraine Transitional Assistance Initiative (CUTAI) is a service delivery managed by Service Canada on behalf of Immigration, Refugees and Citizenship Canada (IRCC). The CUTAI provides Ukrainian nationals fleeing the war in Ukraine with a one-time payment (3000 CAD for adults or 1500 CAD for minors) to assist them during their stay in Canada. The CUTAI expires on June 30, 2024.

Need for privacy impact assessment

This initiative involves collecting information from IRCC on potential applicants and managing payments. The assessment examines the privacy risks and strategies related to the management and protection of personal information handled by the CUTAI.

More Information

The PIA identified 1 medium risk and 1 insignificant risk. There is also 1 compliance issue. The strategies to address the risks and issue are in process of being mitigated.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Canada Pension Plan Program Return to Work Pilot

Description of activity

Canada Pension Plan's Disability Benefits (CPPD) program's suite of return-to-work (RTW) supports are intended to facilitate the transition for beneficiaries who wish to attempt to return to work.

The Pilot will run until March 2026 and is expected to engage approximately 750 CPPD RTW clients.

The personal information collected will also be used for non-administrative purposes to evaluate outcomes and to inform policy.

Need for privacy impact assessment

To identify the privacy risks associated with the collection and use of personal information in the CPPD RTW Pilot which involves a decision-making process that affects certain individuals.

More information

There are no privacy risks or privacy-related compliance issues.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

Secure Portal for Verified Partners in Children Services Annex to the Electronic Social Insurance Number

Description of Program/Activity

The Secure Portal for Verified Partners in Children Services under Employment and Social Development Canada (ESDC) will allow authorized and verified Children and Family Services delegated staff across Canada to apply or request confirmation of a Social Insurance Number, on behalf of children in their care.

Need for privacy analysis for IT solutions

This PAITS ensure privacy protection measures were considered in the collection of personal information.

More Information

The analysis focused on the enhancement of the web-based portal for CSF Delegated Staff.

The PAITS identified 1 medium risk and 1 compliance issue. The risks are in process of being mitigated.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

September

Cúram

Description of program/activity

The Benefits Delivery Modernization (BDM) Programme was created by ESDC to transform and modernize the service delivery of benefits and services to Canadians. The Old Age Security (OAS) Release 1 Foreign Benefits (FB) and Liaisons is the first to onboard on the BDM Cúram platform. Foreign Benefits and Liaisons form will transfer client information between Canada and foreign country.

Need for privacy analysis for IT solutions

This privacy analysis for IT solutions identifies the privacy risks associated with the implementation of the core benefit platform, Cúram, to support the onboarding of OAS R1 FB and liaisons.

More Information

The PAITS identified a total of 4 medium risks. In addition, the PAITS identified 1 compliance issue. The risks are in the process of being mitigated.

For access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request (apps.gc.ca)

October

Assault-Style Firearms Compensation Program Phase 1 - Business

Description of program/activity

The "Assault-Style Firearms Compensation Program Phase 1 - Business" is a multi-institutional Privacy Impact Assessment (PIA) led by Public Safety Canada and supported by its partners, the Royal Canadian Mounted Police (RCMP) and Employment and Social Development Canada (ESDC)/Service Canada. This PIA aims to facilitate the self-declaration of ASF owners; the collection, validation, and destruction of ASFs; and issuing compensation.

To learn more about the "Assault-Style Firearms Compensation Program Phase 1 - Business" Privacy Impact Assessment (PIA), you can visit the Public Safety Canada Privacy Impact Assessments section on their official website.

November

Emergency Management Application System

Description of program/activity

The Emergency Management Application System (EMAS) serves to support Employment Social Development Canada’s (ESDC) emergency management and business continuity activities. The EMAS solution will operate as a cloud-based Software as a Service (SaaS) that is accessible across ESDC. A copy of employee personal contact information will be transmitted from ESDC’s primary system for digital Human Resources services (PeopleSoft) to EMAS.

Need for privacy assessment

The assessment examines the privacy risks related to the management and protection of personal information that will be transmitted to and stored in the cloud-based EMAS solution hosted by a third party.

More information

The Privacy Analysis for IT Solutions identified 1 compliance issue. The issue has been resolved.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request

Integrated Service Strategy and Operations’ Pensions Trusted Digital Repository (ISSO PTDR)

Description of program/activity

The Integrated Service Strategy and Operations’ (ISSO) Pensions Trusted Digital Repository (PTDR)

project will replace the current digital pensions file storage solution - shared drives - with Microsoft 365  SharePoint Online.

Need for privacy assessment (PAITS)

The Privacy Management Division helped complete this Privacy Analysis for IT Solutions (PAITS) to identify the privacy risks related to the PTDR, which will involve the configuration of a third-party cloud-based solution to collect and store pensions application information.

More Information

This PAITS focused on the PTDR that will provide secure storage for the digitized applications

and support documents. The PAITS identified 2 medium privacy risks and 1 low privacy risk. The strategies to address these risks are being mitigated.

In order to have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request

Prescribed Presence in the Workplace – Low Onsite Connectivity Monitoring

Description of program/activity

Employment Social Development Canada (ESDC) will be implementing individual-level, low onsite connectivity monitoring of employees. Using existing ESDC systems, this activity is designed to support managers in verifying employee compliance with the TBS Direction on Prescribed Presence in the Workplace.

Need for Privacy Impact Assessment

The assessment examines the privacy risks and strategies related to the management and

protection of personal information.

More Information

The PIA identified 2 medium risks and 1 low risk. In addition, there was one compliance issue. The strategies to address these risks and issues are planned for completion in conjunction with the start of the program.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request

January

Enhancement to the fraud monitoring capacity as part of the modernization of the Enterprise Cyber Authentication Solution (ECAS)

Description of program/activity

The Innovation Information and Technology Branch (IITB) is modernizing the Enterprise Cyber Authentication Solution (ECAS) through the Tech Debt initiative. This initiative addresses the gap between current and required technology, mitigating service delivery risks by upgrading network capacity and updating hardware and software. It ensures ESDC’s technology supports existing systems and the new Benefits Delivery Modernization (BDM) platform, while establishing disaster recovery solutions to minimize service disruptions for Canadians.

The Integrity Services Branch (ISB) seeks authorization to collect and store IP addresses to enhance protection against fraudulent activities. This will help identify the source of online transactions and logins. The goal is to improve IP address storage for accurate data analysis, better tracking, detailed reporting, and real-time activity representation for My Service Canada Account (MSCA) users.

Need for privacy assessment (PIA/PAITS/PA)

The assessment examines the privacy risks and strategies related to the management and protection of personal information associated with specific activities, including authentication, account creation, mapping, remapping, etc.; the collection of the telemetry data (IP address, session ID, User Agent, time & date and the user’s windows size); and the safeguarding of the telemetry data.

More Information

The PIA identified 1 low risk. The strategies to address are in process of being mitigated.

In order to have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request

March

Social Insurance Number on My Service Canada Account (SINOM) – Release 2 and 3

Description of program/activity

The Social Insurance Number on My Service Canada Account (SINOM) project provides real-time SIN confirmation to clients. SINOM expanded the current SIN-based registration requirements to enable clients who do not have a SIN to register for My Service Canada Account using their Birth Registration Number or Unique Client Identifier.

SINOM is using a phased implementation approach. In August 2023, it launched its first minimum viable product (MVP 1), allowing digital viewing of SINs on MSCA while still mailing SIN Confirmation Letters. Release 2, in January 2024, offered clients the option of a digital-only SIN during eSIN applications, removing the automatic mailing of confirmation letters. Release 3, planned for May 2025, will provide the SIN Confirmation Letter on MSCA, along with security enhancements and system upgrades.

Need for privacy assessment (PAITS addendum)

In line with the Treasury Board Secretariat's Directive on Privacy Impact Assessment, the original PAITS for MVP 1 was completed to identify privacy risks related to SINOM's use of personal information in the MSCA registration and authentication process. An addendum was created to document activities for Releases 2 and 3 and to assess any new privacy risks or issues.

More Information

The PAITS addendum identified 1 medium risk in relation to Release 3. The strategies to address this risk are being mitigated.

To have access to this privacy product, please contact:

Access to Information and Privacy (ATIP) Online Request