Language selection

Government of Canada Gouvernement du Canada

Search

GCSurplus: Privacy impact assessment summary

On this page

Section 1: Privacy impact assessment overview

In this section

Government institution

Public Services and Procurement Canada (PSPC).

Head of institution or delegate for section 10 of the Privacy Act

Lorenzo Ieraci, Assistant Deputy Minister.
Lyne Roy, Senior Director, Access, Privacy and Transparency Directorate.

Senior official or executive for the new or substantially modified program or activity

Lucie Seguin, Assistant Deputy Minister, Receiver General and Pension Branch.

Name and description of the program or activity of the government institution

Crown Assets Distribution Directorate – GCSurplus.

The program provides a central and common fee for services to dispose of surplus inventory to reduce its physical, financial and environmental footprint. Through the GCSurplus program, PSPC supports the federal government in disposing of surplus and forfeited goods in a manner that is transparent, is financially sustainable and provides best value to the Canadian taxpayer.

The GCSurplus program (within the Specialized Services Sector of the Receiver General and Pension Branch) provides federal institutions and other client organizations with high-quality, timely and accessible specialized services and programs. Under this program, PSPC provides services to government clients, private sector organizations and the Canadian public. GCSurplus is delivered via a set of custom applications which are Internet hosted (Internet Data Center) directly with a Canadian third-party provider on a 5-year contract managed by the Procurement Branch of PSPC. GCSurplus’ activities involve the collection, use, disclosure and retention of personal information.

Legal authority for program or activity

Personal information is collected under the authority of the Department of Public Works and Government Services Act and the Surplus Crown Assets Act.

Personal information bank

This privacy impact assessment (PIA) includes a proposal to modify the following personal information bank:

Institution-specific Personal Information Bank PWGSC PPU 026 Buyer Information: Crown Assets

Summary of the project, initiative or change

GCSurplus has been in a long-standing Government of Canada program. An application modernization project is currently underway, while the program is expanding its client base by adding new public-sector institutions. However, the type of service will not change.

Section 2: Privacy impact assessment risk area identification and categorization

In this section

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included for each risk area. The numbered risk scale is presented in ascending order:

  • the first level represents the lowest level of potential risk for the risk area
  • the fourth level represents the highest level of potential risk for the given risk area

Please refer to Appendix C of the Treasury Board Secretariat Directive on Privacy Impact Assessment to learn more about the risk scale. The risk scale must be included for each classification.

Type of program or activity

Risk scale: 2 - Administration of program or activity and services

PSPC offers disposal services for sale, transfer, or recycling, on behalf of multiple types of clients (federal, provincial, territorial, and municipal).

Type of personal information involved and context

Risk scale: 1 - Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program

Risk scale: 2 - Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source

Personal information is used to determine eligibility to buy and to transfer ownership to the winning bidder. GCSurplus directly collects personal information from all users. Only the necessary information is collected with consent. Financial information is limited to the amount paid through a third-party service provider.

Program or activity partners and private sector involvement

Risk scale: 1 - Within the institution (among 1 or more programs within the same institution)

Risk scale: 2 - With other government institutions

Risk scale: 3 - With other institutions or a combination of federal, provincial or territorial, and municipal governments

Risk scale: 4 - Private sector organizations, international organizations or foreign governments

PSPC provides divestment services to federal institutions as mandated in the Treasury Board Directive on Disposal of Surplus Materiel. GCSurplus provides divestment services to federal institutions that are both mandatory and optional and divestment services to other levels of government, if requested. This client base may expand in the future to include foreign governments.

When a surplus asset is purchased or returned, GCSurplus shares minimal personal information internally with the Receiver General for Canada to process payments and receipts for goods divested and returned. The related financial transactions are completed by a Canadian third-party payment processor (for example, purchasers input their own credit card or Interac payment). With prior consent, GCSurplus shares purchaser name and contact information to a shipping service provider to ship a purchase to the buyer.

Duration of the program or activity

Risk scale: 3 - Long-term program or activity

GCSurplus is a long-term program that was established 75 years ago and is expected to continue operations into the future.

Program population

Risk scale: 1 - The program's use of personal information for internal administrative purposes affects certain employees

Risk scale: 3 - The program's use of personal information for external administrative purposes affects certain individuals

The program population consists of several classes of individuals including:

  • the public using the GCSurplus websites to view and purchase GCSurplus assets
  • GCSurplus staff
  • employees at client federal instructions who wish to divest their surplus Crown assets through the Government of Canada client interface
  • public-sector employees in non-federal jurisdictions (for example, client provincial programs)

Technology and privacy

A "yes" response to any of the following may indicate the potential for privacy concerns and risks that will need to be evaluated and mitigated.

Questions

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Answer: Yes

Does the new or modified program or activity require any modifications to information technology legacy systems and/or services?

Answer: No

Does the new or modified program or activity involve the implementation of 1 or more of the following technologies?

Answers:

  • enhanced identification methods: No
  • use of surveillance: No
  • use of automated personal information analysis, personal information matching and knowledge discovery techniques: Yes

Details: Routine data matching is conducted to ensure that GCSurplus accounts are not duplicated and that accounts are properly authenticated at user logon.

Personal information transmission

Risk scale: 3 - The personal information is transferred to a portable device (for instance, USB key, diskette, laptop computer), is transferred to a different medium or is printed

Risk scale: 4 - The personal information is transmitted using wireless technologies

Personal information is transmitted using various electronic means. All staff are provided with wireless notebooks for use in warehouse and operational environments, which are both password-protected and encrypted.

Risk impact to the institution

Risk scale: 2 - Organizational harm

Risk scale: 4 - Reputation harm, embarrassment, loss of credibility

As a central service provided by a federal government institution, any significant data breach would have a detrimental effect on the reputation of the program, the department and the Government of Canada, resulting in loss of trust by Canadians.

Risk impact to the individual or employee

Risk scale: 1 - Inconvenience

Risk scale: 3 - Financial harm

While only minimal personal information is collected on individuals conducting transactions with the GCSurplus program, there could be inconvenience to an individual in the unlikely event of a privacy breach. Personal financial information may be compromised resulting in potential fraud.

Page details

Date modified: