Insider Risk Management (Guardian) Program – Phase I
Security Services Directorate
Security Branch
Overview & Privacy Impact Assessment Initiation (PIA)
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Harry Gill
Assistant Commissioner and Agency Security Officer
Security Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Steven Morgan
Director General
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Travel and Other Administrative Services
Standard or institution specific class of record:
Security
PRN 931
Standard or institution specific personal information bank:
Insider Risk Management (Guardian) Program
TBS Registration Number: pending
Bank Number: CRA PPU 921
Legal authority for program or activity
Canada Revenue Agency Act
Matters over which Agency has authority
30(1) The Agency has authority over all matters relating to
- general administrative policy in the Agency;
- the organization of the Agency;
- Agency real property and Agency immovables as defined in section 73;
- human resources management, including the determination of the terms and conditions of employment of persons employed by the Agency; and
- internal audit in the Agency.
Human resources management
51(1) The Agency may, in the exercise of its responsibilities in relation to human resources management,
- determine requirements for the training and development of its personnel and fix the terms and conditions on which that training and development may be carried out;
- provide for the classification of Agency positions and employees;
- after consulting with the President of the Treasury Board, determine and regulate the pay to which persons employed by the Agency are entitled for services rendered, the hours of work and leave of those persons and any related matters;
- provide for the awards that may be made to persons employed by the Agency for outstanding performance of their duties, for other meritorious achievement in relation to those duties and for inventions or practical suggestions for improvements;
- establish standards of discipline for its employees and prescribe the financial and other penalties, including termination of employment and suspension, that may be applied for breaches of discipline or misconduct and the circumstances and manner in which and the authority by which or by whom those penalties may be applied or may be varied or rescinded in whole or in part;
- provide for the termination of employment or the demotion to a position at a lower maximum rate of pay, for reasons other than breaches of discipline or misconduct, of persons employed by the Agency and establish the circumstances and manner in which and the authority by which or by whom those measures may be taken or may be varied or rescinded in whole or in part;
- after consulting with the President of the Treasury Board, determine and regulate the payments that may be made to Agency employees by way of reimbursement for travel or other expenses and by way of allowances in respect of expenses and conditions arising out of their employment; and
- provide for any other matters that the Agency considers necessary for effective personnel management, including terms and conditions of employment not otherwise specifically provided for in this subsection.
Summary of the project, initiative or change
Overview of the Program or Activity
The legislative requirement to protect taxpayer information commits the Canada Revenue Agency (CRA), and the Government of Canada (GC) at large, to maintaining public confidence in the ability of the Agency’s workforce to protect the information entrusted to the CRA.
The Guardian Program is managed by a new unit within the CRA’s Insider Risk Monitoring Section (IRMS), which sits under the Personnel Risk Assessment Division (PRAD). The PRAD is part of the Security Services Directorate (SSD), one of several directorates under the Agency’s Security Branch.
Our ongoing commitment to supporting our employees in building taxpayer confidence is the driving force behind the CRA’s Guardian Program, together with the following factors:
- The severity and increasing frequency of public and private sector data breaches by current or former employees (e.g., the Desjardins data breach in 2019).
- Priority to improve the protection of taxpayer information against internal activity risks (Minister’s Mandate Letter).
- Commitment to develop a program to enhance personnel security continuous assurance (Commissioner’s Performance Expectations 2020-2021 and 2021-22).
- Positioning the CRA to be fully compliant with the upcoming TBS policy requirements (still under development) on personnel security continuous assurance and placing the CRA at the forefront of GC organizations in this realm.
The goal of the Guardian Program is to create a holistic and comprehensive continuous assurance approach to mitigating insider risks. This will be accomplished by leveraging existing CRA capabilities and information, learning from the experience of other government departments and from industry best practices, and assisting in the development of new security controls and processes.
An insider risk is posed by an individual who has access to, and/or knowledge of, a company, organization, or enterprise and who can exploit its vulnerabilities and misuse that access in a manner that negatively affects the organization. This may involve espionage, sabotage or intellectual property theft. An insider can be anyone with access to specific resources, networks, systems, operations or facilities, such as current or former employees, business partners, or contractors. An insider can also be acting on behalf of a foreign state actor, which could constitute a threat to Canada’s national security.
The Guardian program has three key objectives:
- Develop and implement a continuous assurance framework that leverages innovative technologies to identify and assess the risk of insider activities that could impact CRA’s security posture while respecting the privacy rights and civil liberties of individuals working for or with the CRA.
- Identify and address CRA policy and culture gaps, as well as related trends in non-compliance using a People First philosophy, that is, to better support service delivery and to make it easier for employees, contractors, and trusted partners to understand and comply with their security responsibilities.
- Develop and implement a mechanism that supports employees at all levels in consistently applying the CRA Integrity Framework.
The CRA’s approach to personnel security continuous assurance will look closely at both how security incidents related to insider activities happen and why they take place. The outcome will be establishing a framework / mechanism for identifying technical and behavioural indicators that can proactively identify potential risks. This converged approach involves centralizing the orchestration of security and other controls across various threat domains.
During Phase I of the Guardian Program, user information from various CRA systems will be collected and analyzed to generate alerts, which are shared with CRA stakeholders who, in turn, are responsible for further assessing and investigating those alerts.
The Guardian Program will aim to further protect the information, assets, systems and revenues entrusted to the CRA from insider risks by applying the People First philosophy, while continuing to respect the privacy rights of employees and individuals working for or with the CRA. The Agency’s development of the Guardian program is well aligned with the other continuous assurance initiatives currently underway in the Government of Canada.
Insider risk mitigation includes security controls that detect, prevent, and respond to insider activity by integrating and analyzing available technical information and anomalous behaviour to provide continuous assurance while respecting privacy requirements. Empowering employees to comply with their security obligations, with education, care, trust and support at the forefront, while verifying the effectiveness of our security controls, is the cornerstone of a robust Guardian Program.
For the purposes of this PIA, the term “Insider Risk” will be used both to refer to the topic in general and to describe more specific incidents involving inadvertent human error as well as malicious actions.
Scope of the Privacy Impact Assessment
The PIA approach adopted by the Treasury Board Secretariat (TBS) is iterative in nature and advises that PIAs should be undertaken when personal information is used for or is intended to be used as part of a decision-making process that directly affects the individual, and for a new or substantially modified program or activity.
The methodology and approach outlined in the TBS’ Directive on Privacy Impact Assessment and the Office of the Privacy Commissioner’s (OPC) Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada were used as the basis for this document.
This PIA focuses on the implementation (April 1, 2023) of Phase I of the Guardian Program, which includes the description and analysis of the collection, use, disclosure, and retention of personal information.
Specifically, the scope of this PIA includes the following:
- Collection of personal information from internal stakeholders in order to create models;
- Storage, access, and use of the personal information collected by the Guardian Program;
- Business rules and procedures in creating and analyzing data/data models, as well as the creation of alerts;
- The thresholds and procedures utilized to create/not create an alert;
- Sharing an alert with internal stakeholders;
- Retention and disposition of Phase I records.
The development of this PIA included the following:
- Collaboration and consultations with CRA representatives/stakeholders, including ATIP – Privacy Policy, Legal Services, Information Management, Human resources/Labour relations and Security/IT Security;
- Review of TBS publications such as CRA’s submission to Information about Programs and Information Holdings (formerly Info Source): Sources of Federal Government Information;
- Review of legislation and policies pertaining to CRA’s programs; and
- Review of process documents pertaining to the Guardian and its implementation.
Out of Scope of this PIA
This iteration of the PIA does not include the full slate of detection models and does not include any new systems and/or IT-based tools. Updates to this PIA are anticipated as the CRA determines the scope and timelines of future phases of the Guardian Program.
Also out of scope are the investigative activities and disclosures of the internal stakeholders who receive an alert from the Guardian Program, the investigative procedures of those internal stakeholders, and the potential subsequent administrative actions (training/awareness, employee discipline, prosecution). This includes fraudulent actions contravening the Criminal Code of Canada or the Financial Administration Act, and other corrective measures that may be taken by the Agency leading to criminal investigations and prosecution by other investigative bodies (e.g., the RCMP). While the potential outcomes of these cases will be referred by the CRA for investigation purposes, the investigations themselves are considered to be out of scope of this PIA.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
In Phase I, the Guardian Program will create two manual detection models in order to provide a continuous assurance approach to identifying and mitigating insider risks. The results garnered from the detection models may be shared with internal stakeholders, who have the discretion to use the information for training, awareness, and/or employee disciplinary action.
This will be accomplished by leveraging existing CRA capabilities and information, learning from the experience of other government departments and from industry best practices, and assisting in the development of new security controls and processes.
The Guardian program has three key objectives, which are to:
- Develop and implement a continuous assurance framework that leverages innovative technologies to identify and assess the risk of insider activities that could impact CRA’s security posture while respecting the privacy rights and civil liberties of individuals working for or with the CRA.
- Identify and address CRA policy and culture gaps, as well as related trends in non-compliance using a People First philosophy, that is, to better support service delivery and to make it easier for employees, contractors, and trusted partners to understand and comply with their security responsibilities.
- Develop and implement a mechanism that supports employees at all levels in consistently applying the CRA Integrity Framework.
B) Type of personal information involved and context
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.
Level of risk to privacy: 4
Details:
In order for the Guardian Program to provide the CRA with continuous assurance by way of the detection, deterrence and response to insider risks, personal information on CRA personnel (employees, students, and contractors) is collected and analyzed in order to identify potential issues of concern. The personal information indicators collected from CRA personnel consist of data falling into three categories:
- CRA network activity;
- Human Resources information; and
- Security Branch information.
These indicators are assessed by the Guardian Program and may result in an alert being created for issues of concern. The alerts will be shared internally with CRA stakeholders, who are required to perform further assessment/investigation. At no time does the CRA view a single indicator as confirmation of insider risk activity. Instead, the indicators are triggers requiring further assessment/investigation to confirm whether insider risk activity has occurred or may be about to occur. The internal stakeholders who may receive indicator alerts from the Guardian Program include Internal Affairs, Personnel Security Screening, Security (incidents and breaches), Security Risk Assessment, IT Security/Cyber Security, Information Security, Internal/External Fraud, Human Resources, and Labour Relations.
C) Program or activity partners and private sector involvement
Within the institution (amongst one or more programs within the same institution)
Level of risk to privacy: 1
Details:
The Guardian Program is internal to the CRA, and there are no external partners involved in the collection of personal information, the creation of data models, or the sharing of alerts. Alerts are only shared with internal stakeholders, which are anticipated to be limited to the following CRA groups: Internal Affairs, Personnel Security Screening, Security (incidents and breaches), IT Security/Cyber Security, Information Security, Human Resources, and Labour Relations.
Once an alert is shared with an internal stakeholder, that stakeholder will follow their program’s internal processes and procedures for the resolution of, or investigation into, the alert.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
The Guardian Program is a long-term program that seeks to further protect the information, assets, systems and revenues entrusted to the CRA from insider risks, while continuing to respect the privacy rights of CRA personnel.
E) Program population
The program affects certain employees for internal administrative purposes.
Level of risk to privacy: 1
Details:
The Guardian Program will impact all CRA personnel, which includes indeterminate employees, casual employees, term employees, students, and contractors. The impacts may include internal administrative outcomes, such as training, awareness, and various types of employee discipline.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: No
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy: 2
Details:
Phase I of the Guardian Program will leverage existing Microsoft Office products, including Microsoft Excel, Access, and Word, with manual data compilation and analysis. These products will be used to ingest existing data containing personal information from multiple sources within the CRA and on CRA networks for the purpose of conducting further analysis.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
The sensitivity of information utilized through the Guardian Program is considered Protected B.
In the event of a privacy breach (unauthorized use/disclosure), the possible impacts to the individual or employee could include loss of privacy, moderate personal financial injury and/or embarrassment to the employee.