Privacy Impact Assessment (PIA) Summary: Temporary Asylum Accommodations for COVID-19 Quarantine
Lead Government Institution
Immigration, Refugees and Citizenship Canada (IRCC)
Name of the Program/Activity
Temporary Asylum Accommodations for COVID-19 Quarantine
Legal Authority
- The Immigration and Refugee Protection Act - subsections 100(1) and 100(5)
- Order in Council - Subsections 20(2), 20(10) and article 25
- Quarantine Act: Quarantine facilities - section 58(1)
Description of the program/activity
In light of the federal response to the COVID-19 pandemic and the Orders in Council (OIC), IRCC agreed to provide temporary accommodations to unvaccinated asymptomatic asylum claimants without a suitable quarantine plan. In this context, IRCC began hotel operations in April 2020. In addition, due to commitments made at the political level to backstop Quebec provincial shelter capacity in November 2021, asylum claimants have remained at IRCC hotels beyond the 14-day quarantine period if the Regional Program for the Settlement and Integration of Asylum Seekers(PRAIDA), or other shelter facilities were full. In some instances, IRCC took in fully vaccinated claimants until PRAIDA or other shelter facilities could take these individuals in.
This PIA relates to the collection by IRCC of asylum claimants’ personal information, vaccination certification, and COVID-19 test results for the purposes of IRCC’s hotel operations. Documents/information were collected to establish quarantine requirements in the context of IRCC’s facilitation of providing temporary accommodations to asymptomatic asylum claimants.
This is a narrow and targeted PIA regarding collecting personal information within the IRCC hotel operations process and the involvement of IRCC and service provider organizations. This PIA does not review the privacy impacts of the asylum program overall. As such, RCMP and CBSA processes for arriving asylum claimants and procedures for processing asylum claims are out of scope. The role of PHAC in assessing the vaccination status, symptoms, and quarantine plans of asylum claimants is also out of the scope of this assessment.
Personal Information Banks
Summary of Risk Identification and Categorization
Below is the risk identification and categorization table corresponding to this initiative.
| a) Type of program or activity | Risk scale |
|---|---|
| Program or activity that does not involve a decision about an identifiable individual | Checkbox: unchecked ☐ 1 |
| Administration of program or activity and services | Checkbox: unchecked ☐ 2 |
| Compliance or regulatory investigations and enforcement | Checkbox: unchecked ☐ 3 |
| Program or activity does involve a decision about an identifiable individuals | Checkbox: checked ☒ 4 |
| Criminal investigation and enforcement or national security | Checkbox: unchecked ☐ 5 |
| b) Type of personal information involved and context | Risk scale |
|---|---|
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the individual's consent for disclosure under an authorized program. | Checkbox: unchecked ☐ 1 |
| Personal information, with no contextual sensitivities after the time of collection, is provided by the individual with consent to use personal information held by another source. | Checkbox: unchecked ☐ 2 |
| Personal information of minors. legally incompetent individuals or involving a representative acting on behalf of the individual. | Checkbox: unchecked ☐ 3 |
| Social Insurance Number, medical, financial, or other sensitive personal information or the context surrounding the personal information is sensitive; | Checkbox: unchecked ☐ 4 |
| Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, or the context surrounding the personal information, is particularly sensitive | Checkbox: checked ☒ 5 |
| c) Program or activity partners and private sector involvement | Risk scale |
|---|---|
| Within the institution (among one or more programs within the same institution) | Checkbox: unchecked ☐ 1 |
| With other government institutions | Checkbox: unchecked ☐ 2 |
| With other institutions or a combination of federal, provincial, territorial, and municipal governments | Checkbox: unchecked ☐ 3 |
| Private sector organizations | Checkbox: checked ☒ 4 |
| International organizations or foreign governments | Checkbox: unchecked ☐ 5 |
| d) Duration of the program or activity | Risk scale |
|---|---|
| One-time program or activity | Checkbox: unchecked ☐ 1 |
| Short–term program or activity | Checkbox: checked ☒ 2 |
| Long-term program or activity | Checkbox: unchecked ☐ 5 |
| e) Program population | Risk scale |
|---|---|
| The program's use of personal information for internal administrative purposes affects certain employees. | Checkbox: unchecked ☐ 1 |
| The program's use of personal information for internal administrative purposes affects all employees. | Checkbox: unchecked ☐ 2 |
| The program's use of personal information for external administrative purposes affects specific individuals. | Checkbox: checked ☒ 4 |
| The program's use of personal information for external administrative purposes affects all individuals. | Checkbox: unchecked ☐ 5 |
| f) Technology and privacy (A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation). | Risk scale |
|---|---|
| Does the new or substantially modified program or activity involve implementing a new electronic system or using an emerging technology to support the program or activity in terms of creating, collecting, or handling personal information? | Checkbox: unchecked ☐ Yes Checkbox: checked ☒ No |
| Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? | Checkbox: unchecked ☐ Yes Checkbox: checked ☒ No |
Specific technological issues and privacy Does the new or substantially modified program or activity involve the implementation of new technologies or one or more of the following activities: enhanced identification and matching methods, enhanced data collection methods use or disclosure of personal information, surveillance interjurisdiction or trans-border sharing of personal information or use of Artificial Intelligence technology for automated personal information analysis, personal information matching, and knowledge discovery techniques. If Yes to any of the above, it indicates the potential for privacy concerns and risks, which will require consideration and possible mitigation. |
Checkbox: unchecked ☐ Yes Checkbox: checked ☒ No |
| g) Personal information transmissionty | Risk scale |
|---|---|
| The personal information is used within a closed system (i.e., no connections to the Internet, Intranet, or any other system, and the circulation of hardcopy documents is controlled). | Checkbox: unchecked ☐ 1 |
| The personal information is used in a system with connections to at least one other system. | Checkbox: unchecked ☐ 2 |
| The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium, or printed. | Checkbox: unchecked ☐ 3 |
| The personal information is transmitted using wireless technologies. | Checkbox: checked ☒ 4 |
| The personal information is transmitted through a Cloud service. | Checkbox: unchecked ☐ 5 |
Summary of Risks and Mitigation Strategies
This PIA addresses the following 7 risks and offers mitigation strategies.
Risk 1
Employees could collect, use, and disclose personal information for personal purposes beyond what is necessary and proportionate to the legal authority.
Mitigation
Departmental procedures that clearly articulate the appropriate collection, use, and disclosure of personal information are in place. As part of those procedures, employees know they are not to use or disclose personal information without first seeking written consent. ATIP and Values and Ethics training are provided to all staff and kept current.
On an ongoing basis, ATIP is consulted before using and disclosing personal information for a new purpose or to a new partner.
Risk 2
There is a risk that IRCC will retain information for longer than relevant and necessary.
Mitigation
A retention and disposition schedule for the personal information collected by IRCC for hoteling operations was established in November 2022.
Risk 3
The contracts with service providers do not include any privacy protection clauses. This could lead to more apparent roles, responsibilities, and accountability regarding the personal information they manage.
Mitigation
Upon signing any new contracts with service providers or renewing existing agreements, privacy protection clauses will be inserted into the contracts.
Risk 4
There is a risk that hotels inappropriately use or disclose personal information or retain personal information for longer than the agreed-upon period.
Mitigation
IRCC does not provide personal information to hotels. Personal information collected by hotels is minimal. Asylum claimants are known to hotels by room numbers only. Hotels have video surveillance in place that will sometimes collect images of asylum claimants along with other hotel guests who are members of the public.
Risk 5
Clients may not be informed of the purpose for collecting their personal information and are not provided a privacy notice informing of rights provided under the Privacy Act.
Mitigation
The interim housing agreement will be modified to include a privacy notice that covers the information collection and sharing by IRCC. The collections by PHAC, CBSA, and service providers have yet to be assessed.
Risk 6
There is a risk that personal information is compromised while in transit from CBSA to IRCC.
Mitigation
The Domestic Network is to explore the possibility of accepting encrypted emails from CBSA to their generic inbox.
Risk 7
The occupancy report is accessed by employees who do not need to access the personal information contained within.
Mitigation
Access is limited to employees in the Contingency Planning and Reporting (CPR) unit and the Domestic Network who require access to fulfill their responsibilities.
Conclusion
This PIA has identified several risks associated with the initiative regarding its collection, retention, and disposal of personal information, for which mitigation strategies have been identified and implemented.
Page details
- Date modified: