Privacy Impact Assessment (PIA) Summary: Canada-Ukraine Transitional Assistance Initiative (CUTAI)

Lead Government Institution

Immigration, Refugees and Citizenship Canada (IRCC)

Name of the Program/Activity

Canada-Ukraine Transitional Assistance Initiative (CUTAI)

Legal Authority

Personal information used to administer the Canada-Ukraine Transitional Assistance Initiative (CUTAI), which is an initiative under IRCC’s Resettlement Assistance Program, is derived from paragraphs 3(2)(b) and 3(1)(a) and (e) of the Immigration and Refugee Protection Act (IRPA). The authority for the collection, use, and disclosure of information is provided in sections 4 and 5 of the Department of Citizenship and Immigration Act (DCIA).

Description of the program/activity

As part of the Government of Canada’s response to Russia’s full-scale invasion of Ukraine, in early 2022, IRCC introduced the Canada-Ukraine Authorization for Emergency Travel (CUAET) to ensure that Ukrainian foreign nationals and their family members who are fleeing the conflict can come to Canada temporarily. Through the CUAET, eligible persons may be allowed to stay in Canada for three years, as opposed to the standard six months authorized for regular visitors.

CUAET is available for Ukrainians who are outside of Canada, as well as those who are currently in Canada as visitors. Those already in Canada can, under CUAET, extend their visitor visa by up to three additional years. Those applying for CUAET may also apply for an open work permit (WP) or study permit (SP).

In April 2022, the Prime Minister announced an additional measure for Ukrainians – the Canada-Ukraine Transitional Assistance Initiative (CUTAI) – a program to provide short-term income support for Ukrainians and their family members to ensure their basic needs are met upon arrival in Canada. For those persons approved under CUAET, the CUTAI provides a one-time (non-taxable) payment of up to $3,000 for transitional financial support.

CUAET clients apply for the CUTAI financial assistance with Service Canada. In turn, Service Canada matches applicant data with CUAET data provided by IRCC. IRCC discloses minimal information, sufficient to perform a data match and confirm that a CUTAI applicant is eligible for the financial assistance.

This Privacy Impact Assessment (PIA) has been authored to analyze the information exchange between IRCC and Service Canada in support of the CUTAI. The risks identified in the PIA have been reviewed by IRCC senior management. In response, appropriate risk mitigation activities have been approved and an Action Plan was developed to ensure those mitigation measures are completed in a timely fashion.

Personal Information Banks

Summary of Risk Identification and Categorization

Below is the risk identification and categorization table corresponding to this initiative.

a) Type of program or activity
☐ Program or activity that does not involve a decision about an identifiable individual (risk scale: 1)
☒ Administration of program or activity and services (risk scale: 2)
☐ Compliance or regulatory investigations and enforcement (risk scale: 3)
☐ Program or activity does involve a decision about an identifiable individual (risk scale: 4)
☐ Criminal investigation and enforcement or national security (risk scale: 5)

b) Type of personal information involved and context
☒ Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the individual's consent for disclosure under an authorized program. (risk scale: 1)
☐ Personal information, with no contextual sensitivities after the time of collection, is provided by the individual with consent to use personal information held by another source. (risk scale: 2)
☐ Personal information of minors, legally incompetent individuals or involving a representative acting on behalf of the individual (risk scale: 3)
☐ Social Insurance Number, medical, financial, or other sensitive personal information or the context surrounding the personal information is sensitive (risk scale: 4)
☐ Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, or the context surrounding the personal information, is particularly sensitive (risk scale: 5)

c) Program or activity partners and private sector involvement
☐ Within the institution (among one or more programs within the same institution) (risk scale: 1)
☒ With other government institutions (risk scale: 2)
☐ With other institutions or a combination of federal, provincial, territorial, and municipal governments (risk scale: 3)
☐ Private sector organizations (risk scale: 4)
☐ International organizations or foreign governments (risk scale: 5)

d) Duration of the program or activity
☐ One-time program or activity (risk scale: 1)
☒ Short-term program or activity (risk scale: 2)
☐ Long-term program or activity (risk scale: 5)

e) Program population
☐ The program's use of personal information for internal administrative purposes affects certain employees. (risk scale: 1)
☐ The program's use of personal information for internal administrative purposes affects all employees. (risk scale: 2)
☒ The program's use of personal information for external administrative purposes affects specific individuals. (risk scale: 4)
☐ The program's use of personal information for external administrative purposes affects all individuals. (risk scale: 5)

f) Technology and privacy (A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation). Risk scale

Does the new or substantially modified program or activity involve implementing a new electronic system or using an emerging technology to support the program or activity in creating, collecting, or handling personal information?

Note: Limited to the use of Managed Secure File Transfer (MSFT) managed by Shared Services Canada (SSC) for data sharing purposes with Employment and Social Development Canada/Service Canada (ESDC/SC).

☒ Yes
☐ No

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

Note: System changes to the Global Case Management System (GCMS) are limited to data elements added to list of values for certain data fields (Special Program Code, Remarks

☒ Yes
☐ No

Specific technological issues and privacy

Does the new or substantially modified program or activity involve the implementation of new technologies or one or more of the following activities:

☐ enhanced identification and matching methods
☐ enhanced data collection methods use or disclosure of personal information
☐ surveillance inter-jurisdiction or trans-border sharing of personal information
☒ use of artificial intelligence technology for automated personal information analysis
☒ personal information matching, and knowledge discovery techniques

Note: IRCC discloses data to ESDC/SC for data matching purposes in their CUTAI application process.

☒ Yes
☐ No

g) Personal information transmission
☐ The personal information is used within a closed system (i.e., no connections to the Internet, Intranet, or any other system, and the circulation of hardcopy documents is controlled). (risk scale: 1)
☒ The personal information is used in a system with connections to at least one other system. (risk scale: 2)
☐ The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium, or printed. (risk scale: 3)
☐ The personal information is transmitted using wireless technologies. (risk scale: 4)
☐ The personal information is transmitted through a Cloud service. (risk scale: 5)

Summary of Risks and Mitigation Strategies

This PIA addresses the following 4 risks and offers mitigation strategies.

Risk 1

There is a risk that IRCC and Employment and Social Development Canada/Service Canada (ESDC/SC) are not providing proper notice, as required by s. 5 of the Privacy Act and s. 6.2.9 of the TBS Directive on Privacy Practices, regarding IRCC’s disclosure of the Unique Client Identifier (UCI), Date of Birth (DOB), and IMM1442 number to ESDC/SC for use in determining CUTAI eligibility. The IRCC-managed CUAET online application portal does not provide notice of this disclosure, nor does the ESDC/SC-managed CUTAI online application portal provide notice of this indirect collection by ESDC/SC.

Note: in the review of this PIA (Draft), ESDC/SC committed to making amendments to their Privacy Notice Statement (PNS) to reflect that information is collected from IRCC.

Mitigation

It is recommended that IRCC consider this low risk and determine if amending their respective Privacy Notice Statement is necessary. Assuming ESDC/SC makes the intended changes to the PNS on their CUTAI online portal, it is recommended that IRCC not make any changes to its CUAET PNS.

Risk 2

There is a risk that IRCC contravenes the Immigration and Refugee Protection Act (IRPA), Department of Citizenship and Immigration Act (DCIA), and the Privacy Act by disclosing to ESDC/SC the UCI number, DOB, and IMM1442 number of individuals who have not yet applied to ESDC/SC for CUTAI financial assistance, and who may never apply. This represents a risk of over-disclosure by IRCC and a risk of over-collection by ESDC/SC.

Mitigation

The ability to identify a non-applicant based on the data elements shared by IRCC was assessed as low. Given that CUTAI intends to provide urgent financial assistance, the department assessed the risk of over-disclosure against the urgency to deliver benefits to help inform the decision. It is recommended that IRCC accept the risk based on the following factors: alternative data matching solutions, which would require ESDC/SC to seek a data match after each person applies, were considered; IRCC has committed to disclosing the least amount of personal information possible to reduce the legal risk; identifying a specific client would not be possible unless the individual receiving the information already has this information linked to a specific client; and the department has committed to purging all non-matched data by December 2024. ESDC/SC will determine which persons have not yet applied for CUTAI (by June 2024), and for those who did not, their UCI number, DOB, and IMM1442 number will be purged. It is recommended that IRCC obtain confirmation from ESDC/SC when all non-CUTAI applicant data is deleted.

Risk 3

Although the data is transmitted securely between parties, the volume and frequency of personal information transferred to ESDC for the delivery of CUTAI presents a risk of a security and privacy breach should there be interference with the system.

Mitigation

It is recommended that IRCC accept this risk as low considering all necessary security assessments for each system involved in the delivery of CUTAI were completed when the systems were first introduced by their responsible department. Additionally, the personal information contained within the file makes the identification of a specific client not possible unless the individual receiving the information already has this information linked to a specific client.

Risk 4

There is a risk that PIB CIC PPU 065 (Resettlement Assistance) and CIC PPU 068 (Migration Control and Security Management) will not be updated.

Mitigation

It is recommended that IRCC review and update the PIBs to account for the personal information that may be collected from or disclosed to Service Provider Organizations (SPOs) and/or federal institutions to support program objectives.

Conclusion

IRCC has accepted the risks identified in this PIA. Some of the mitigation strategies have been implemented while others are scheduled to be implemented by June 2024.
