Privacy Impact Assessment (PIA) Summary: Administration and Verification of Letters of Acceptance and Provincial or Territorial Attestation Letters

Lead Government Institution

Immigration, Refugees and Citizenship Canada (IRCC)

Name of the Program/Activity

Administration and Verification of Letters of Acceptance and Provincial or Territorial Attestation Letters

Legal Authority

Relevant authorities include:

Description of the program or activity

In late 2023 and early 2024, the Government of Canada announced new measures to support sustainable population growth and to better protect international students from bad actors. These measures aim to stabilize the number of international students arriving in Canada. To achieve this, the government established a cap on the intake of international student permit applications. It also introduced provincial attestation letters or territorial attestation letters (PAL/TAL) with related verification procedures, as well as verification requirements for letters of acceptance (LOAs) issued by designated learning institutions (DLIs).

To help ensure that PAL/TALs issued by provinces and territories (PTs) are valid and comply with federal caps, PAL/TALs submitted with study permit applications will be verified directly with the issuing PT. IRCC will also share limited information about study permit applications with PTs to support the proper tracking and management of intake caps. PAL/TAL information may also be used in aggregate for program reporting, evaluation, policy development, and quality assurance.

New measures will require all post‑secondary DLIs to verify the authenticity of every LOA before study permits are assessed. These measures also require IRCC to share limited information about study permit applicants with DLIs for the purpose of LOA verification. Under new information‑sharing arrangements, DLIs may in turn share limited information about student applicants with their respective provincial and territorial governments to support the administration and management of cap‑related spaces.

Personal Information Banks

International Students (PPU 051)

Summary of Risk Identification and Categorization

Below is the risk identification and categorization table corresponding to this initiative.

a) Type of program or activity	Risk scale
Program or activity that does not involve a decision about an identifiable individual	Checkbox: unchecked☐ 1
Administration of program or activity and services	Checkbox: unchecked☐ 2
Compliance or regulatory investigations and enforcement	Checkbox: checked☒ 3
Program or activity does involve a decision about an identifiable individuals	Checkbox: unchecked☐ 4
Criminal investigation and enforcement or national security	Checkbox: unchecked☐ 5

b) Type of personal information involved and context	Risk scale
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the individual's consent for disclosure under an authorized program	Checkbox: unchecked☐ 1
Personal information, with no contextual sensitivities after the collection, is provided by the individual with consent to use personal information held by another source	Checkbox: unchecked☐ 2
Personal information of minors, a legally incompetent individuals, or involving a representative acting on behalf of the individual	Checkbox: unchecked☐ 3
Social Insurance Number, medical, financial, or other sensitive personal information or the context surrounding the personal information is sensitive	Checkbox: checked☒ 4
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, or the context surrounding the personal information, is particularly sensitive	Checkbox: unchecked☐ 5

c) Program or activity partners and private sector involvement	Risk scale
Within the institution (among one or more programs within the same institution)	Checkbox: unchecked☐ 1
With other government institutions	Checkbox: unchecked☐ 2
With other institutions or a combination of federal, provincial, territorial, and municipal governments	Checkbox: unchecked☐ 3
Private sector organizations	Checkbox: checked☒ 4
International organizations or foreign governments	Checkbox: unchecked☐ 5

d) Duration of the program or activity	Risk scale
One-time program or activity	Checkbox: unchecked☐ 1
Short–term program or activity	Checkbox: unchecked☐ 2
Long-term program or activity	Checkbox: checked☒ 5

e) Program population	Risk scale
The program's use of personal information for internal administrative purposes affects certain employees	Checkbox: unchecked☐ 1
The program's use of personal information for internal administrative purposes affects all employees	Checkbox: unchecked☐ 2
The program's use of personal information for external administrative purposes affects specific individuals	Checkbox: checked☒ 4
The program's use of personal information for external administrative purposes affects all individuals	Checkbox: unchecked☐ 5

f) Technology and privacy (A yes response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation).	Risk scale
Does the new or substantially modified program or activity involve implementing a new electronic system or using an emerging technology to support the program or activity in creating, collecting, or handling personal information?	Checkbox: unchecked☐ Yes Checkbox: checked☒ No
Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? This modified activity requires changes to the following legacy systems: Student Permit application intake channels MyCIC Client Portal text changes for Study Permit Letter of Acceptance Verification expand the supporting document requirements in MyCIC to ensure the Letter of Acceptance is always triggered Authorized Paid Representatives Portal expand the supporting document requirements in MyCIC to ensure the Letter of Acceptance is always triggered IMM1294 - designated learning institute number on the IMM1294 study permit application should be mandatory for post-secondary education IRCC Portal: temporary resident e-application - changes to study permit application to support letter of acceptance validation GCMS processing Modification of the Study Permit verification activity Addition of study permit application field: student number Addition of study permit application field: verification due date Addition of study permit application field: validation status IRCC Portal - Designated Learning Institute channel for Letter of Acceptance validation New IRCC portal tenant for designated learning institutes 2 factor authentication Account profile: designated learning institution (DLI) user DLI number associated with the account User surname or last name User given name or first name Email address associated with the account Telephone number associated with the account Language preference associated with the account Download student information to be validated in Excel Upload Excel-validated student information Search student number and student name, date Of birth Provide letter of acceptance submitted by students Ability to add secondary designated learning institute users Account activity history Forgot password Ability to add secondary Designated Learning Institute users Account activity history Forgot password	Checkbox: checked☒ Yes Checkbox: unchecked☐ No
Specific technological issues and privacy Does the new or substantially modified program or activity involve implementing new technologies or one or more of the following activities? Checkbox: unchecked☐ enhanced identification and matching methods Checkbox: checked☒ enhanced data collection methods use or disclosure of personal information Checkbox: unchecked☐ surveillance inter-jurisdiction or trans-border sharing of personal information Checkbox: unchecked☐ use of artificial intelligence technology for automated personal information analysis Checkbox: unchecked☐ personal information matching, and knowledge discovery techniques	Checkbox: unchecked☐ Yes Checkbox: checked☒ No

f) Technology and privacy (A yes response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation).

Risk scale

Does the new or substantially modified program or activity involve implementing a new electronic system or using an emerging technology to support the program or activity in creating, collecting, or handling personal information?

Checkbox: unchecked☐ Yes
Checkbox: checked☒ No

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

This modified activity requires changes to the following legacy systems:

Student Permit application intake channels

MyCIC Client Portal
- text changes for Study Permit Letter of Acceptance Verification
- expand the supporting document requirements in MyCIC to ensure the Letter of Acceptance is always triggered
Authorized Paid Representatives Portal
- expand the supporting document requirements in MyCIC to ensure the Letter of Acceptance is always triggered
IMM1294 - designated learning institute number on the IMM1294 study permit application should be mandatory for post-secondary education
IRCC Portal: temporary resident e-application - changes to study permit application to support letter of acceptance validation

GCMS processing

Modification of the Study Permit verification activity
Addition of study permit application field: student number
Addition of study permit application field: verification due date
Addition of study permit application field: validation status

IRCC Portal - Designated Learning Institute channel for Letter of Acceptance validation

New IRCC portal tenant for designated learning institutes
2 factor authentication
Account profile: designated learning institution (DLI) user
- DLI number associated with the account
- User surname or last name
- User given name or first name
- Email address associated with the account
- Telephone number associated with the account
- Language preference associated with the account
Download student information to be validated in Excel
Upload Excel-validated student information
Search student number and student name, date Of birth
Provide letter of acceptance submitted by students
Ability to add secondary designated learning institute users
Account activity history
Forgot password
Ability to add secondary Designated Learning Institute users
Account activity history
Forgot password

Checkbox: checked☒ Yes
Checkbox: unchecked☐ No

Specific technological issues and privacy

Does the new or substantially modified program or activity involve implementing new technologies or one or more of the following activities?

Checkbox: unchecked☐ enhanced identification and matching methods

Checkbox: checked☒ enhanced data collection methods use or disclosure of personal information

Checkbox: unchecked☐ surveillance inter-jurisdiction or trans-border sharing of personal information

Checkbox: unchecked☐ use of artificial intelligence technology for automated personal information analysis

Checkbox: unchecked☐ personal information matching, and knowledge discovery techniques

Checkbox: unchecked☐ Yes
Checkbox: checked☒ No

g) Personal information transmission	Risk scale
The personal information is used within a closed system (i.e., no connections to the Internet, Intranet, or any other system, and the circulation of hardcopy documents is controlled)	Checkbox: unchecked☐ 1
The personal information is used in a system with connections to at least one other system	Checkbox: unchecked☐ 2
The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium, or printed	Checkbox: unchecked☐ 3
The personal information is transmitted using wireless technologies	Checkbox: unchecked☐ 4
The personal information is transmitted through a Cloud service	Checkbox: checked☒ 5

Summary of Risks and Mitigation Strategies

This PIA addresses the following 9 risks and provides the mitigation strategies.

Risks

The PIA identified the following risks related to the administration of LOAs and PAL/TAL for study permit applications:

A need for additional transparency regarding personal information handling
Unclear accountability and undefined limits on information sharing between IRCC and PTs
Incomplete terms and conditions for the LOA Portal and lack of comprehensive information sharing arrangements with DLIs
Storage of personal information outside standard record systems
Unencrypted email communications containing sensitive data
Potential disclosure of student information to incorrect DLIs
Overcollection of personal information from individuals who have not applied for study permits
Risk of reidentification through aggregate data shared with PTs
Limited scope of the PIA that may overlook other risk factors in the program

Mitigations

To address these risks, IRCC has implemented a comprehensive set of mitigation strategies. These include:

Updating the personal information bank (PIB) and privacy notices to improve transparency
Developing new information sharing arrangements with PTs to clarify accountability and establish limits on data handling
Updating terms and conditions for the LOA Portal and implementing new ISAs with DLIs
Reviewing and updating information management practices to ensure proper handling of data outside standard systems
Implementing encryption solutions for email communications that contain client information
Implementing policies and procedures that ensure accurate information sharing with DLIs and proper handling of potential breaches
Limiting use of collected information and including provisions in ISAs for notifying clients about information sharing
Applying data suppression techniques and including clauses in ISAs that prohibit reidentification attempts
Conducting a full PIA to cover all program activities

IRCC will enhance public communications about information use, rely on existing memoranda of understanding (MOU) until new arrangements are finalized and collaborate with the Privacy program management division (PPMD) for future privacy work. These measures aim to enhance transparency, strengthen data protection, improve accountability and ensure compliance with privacy regulations across all aspects of the program's operations.

Conclusion

The 9 privacy risks mentioned above were identified in the low to medium range, and mitigation strategies are ongoing to address them.

Page details

2026-04-09