Identity and Access Management - Phase 2

Privacy Impact Assessment (PIA) summary – Administration Directorate, Finance and Administration Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency (CRA)

Government official responsible for the PIA

Mark Perlman 
A/ Assistant Commissioner, Finance and Administration Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name and description of program or activity of the government institution

Travel and Other Administrative Services:

The Canada Revenue Agency’s (CRA) PAA Internal Services includes sub-sub-program activity 7.6.9.2 Security and Internal Affairs

Description of the class of record and personal information bank

Standard class of record:
Security (Info Source Web Site)

Proposal for a new standard personal information bank:
Identity and Access Management

Legal authority for program or activity

Personal information is collected pursuant to paragraph 30(1)(a) of the Canada Revenue Agency Act, which grants the CRA responsibility for “general administrative policy in the Agency”.

The Canada Revenue Agency Act is supplemented by the Treasury Board Secretariat Policy on Government Security and Directive on Identity Management, and by the CRA’s Access Accountability and Authentication to Agency Information Technology Systems Policy and its Information Security and Information Technology Security Framework.

Summary of the project / initiative / change

The CRA’s Security and Internal Affairs Directorate is currently establishing an Identity and Access Management (IAM) Program, and concurrently managing a multi-phased, multi-year project to optimize IAM business processes.

Identity and Access Management will standardize and automate enforcement of the rules and business processes used to manage internal access to CRA data. This will improve monitoring, auditing, and reporting of identity and access provisioning to help ensure compliance with relevant legislation, security-related policies, standards, and best practices. The IAM solution will help the Agency address enterprise risks related to the protection of information and more easily satisfy audit, compliance, and legislative requirements for managing data.

The IAM project currently has four planned phases: (1) Information Resourcing: completed; (2) Identity Synchronization: in execution; (3) Password Management: in detailed planning; and (4) Access Management: undefined. As some aspects of the program are still being defined, the scope of this PIA is limited to Phase 2; once the other phases are determined, the PIA will be updated as required.

Phase 2 - Identity Synchronization is the integration and synchronization of user identities (Authoritative Identity Store) from across all CRA computing infrastructure and applications to lay the foundation for improving the security and integrity of system access. Phase 2 addresses the following:

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

The Authoritative Identity Store (AIS) will populate an identity record for every CRA system user based on the information available from current computing environments. The AIS and related tools will link user accounts to the identity record based on unique identifiers from each computing environment, and the AIS will maintain a record of every Agency system user and their associated accounts. Account linking will be performed mostly by automated tooling, and only where unique identifiers match; every other linking decision will be made manually by identifying and confirming the account owner.

Level of risk to privacy: 2

B) Type of personal information involved and context

Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.

The information that will be used was collected directly from the individual by the CRA and is described in the standard personal information bank Employee Personnel Record PSE 901. The use of the personal information for the purpose of confirming the identity of individuals for access to government databases is identified as a consistent use of the information. There are no contextual sensitivities associated with the personal information.

Level of risk to privacy: 1

C) Program or activity partners and private sector involvement

With other federal institutions

Shared Services Canada (SSC) will support the CRA infrastructure; however, SSC employees will not have access to the AIS database.

Level of risk to privacy: 2

D) Duration of the program or activity

Long-term program

The CRA is establishing a long-term Identity and Access Management Program to gain efficiencies and bring consistency in the overall management of identities and access to CRA systems. Projects are currently ongoing to make improvements to current processes and technology to enable the Program to attain its objectives.

Level of risk to privacy: 3

E) Program population

The program affects all employees for internal administrative purposes.

In Phase 2, Identity Synchronization, the goal is to positively associate every electronic User ID with a civil identity. All employees, as well as contractors, external partners and anyone else who holds a User ID on CRA systems, should be in the AIS (Authoritative Identity Store). External partners, for example, are assigned a CAS User ID and a Partner Organization Name within the CAS TEMP TABLE, which is part of the CAS extract file pulled into the AIS.

Level of risk to privacy: 2

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Use of Surveillance – The AIS system architecture includes a Log Server. The AIS Historical Log will record information such as user logon ID, date and time of logon and logout, user location, terminal identity, and the name and ID of client records accessed, including any edits or changes made during each user session. This information is used to verify that the User ID or user account is positively linked to an individual. Monitoring of audit trails is limited to random “spot checks” to ensure compliance with policies and standards, and to case-by-case review in response to an individual’s complaint, in support of an investigation into allegations or suspicion of unauthorized access, or in response to an ATIP request. Audit trail reports are considered Protected B information as defined by the Identifying Protected and Classified Information and Assets Policy. Consequently, the communication of the request, the audit trail report, and the results of its analysis must be restricted to individuals with a “need to know”.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques – The AIS and related tools will link user accounts to the identity record based on unique identifiers from each computing environment, and the AIS will maintain a record of every CRA system user and their associated accounts. Account linking will be performed mostly by automated tooling, and only where unique identifiers match; every other linking decision will be made manually by identifying and confirming the account owner.
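The linking rule described under A) and F) above (automated linking only on a unique-identifier match, everything else routed to manual owner confirmation) is easiest to reason about as code. The following is an added illustration written for this summary; it is not CRA's AIS software, and the identity records, account extracts, environment names and attribute names (hr_id, employeeNumber, partner_org) are constructed for the example.

```python
"""Added example: account-to-identity linking with a manual-review fallback.

Not CRA code. Identities, extracts and attribute names below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Identity:
    """One record in the Authoritative Identity Store (AIS)."""
    identity_id: str
    employee_no: str                                 # assumed unique HR identifier
    display_name: str
    accounts: list = field(default_factory=list)     # linked (environment, user_id) pairs


@dataclass
class Account:
    """One user account taken from a computing environment's extract file."""
    environment: str
    user_id: str
    attributes: dict


# Constructed AIS content. I-003/I-004 deliberately share an HR number (duplicate HR record).
IDENTITIES = [
    Identity("I-001", "100234", "A. Smith"),
    Identity("I-002", "100777", "B. Jones"),
    Identity("I-003", "100999", "C. Lee"),
    Identity("I-004", "100999", "C. Lee (duplicate HR record)"),
]

# Constructed extracts. The attribute that carries the HR number differs per environment.
ACCOUNTS = [
    Account("mainframe", "ASMITH1", {"hr_id": "100234"}),
    Account("windows_ad", "bjones", {"employeeNumber": " 100777 "}),   # whitespace only
    Account("windows_ad", "svc-backup", {}),                            # service account
    Account("cas", "CASX1234", {"hr_id": "", "partner_org": "Example Partner Inc."}),
    Account("mainframe", "CLEE2", {"hr_id": "100999"}),                 # ambiguous
    Account("mainframe", "ORPHAN9", {"hr_id": "555555"}),               # no identity
]

# Which extract attribute is the unique identifier in each environment (assumed names).
LINK_KEYS = {"mainframe": "hr_id", "windows_ad": "employeeNumber", "cas": "hr_id"}


def synchronize(identities, accounts, link_keys):
    """Link accounts to identities only on an exact unique-identifier match.

    Returns (linked, review_queue, audit_log):
      linked       - (environment, user_id, identity_id) for each automated link
      review_queue - (environment, user_id, reason) for manual owner confirmation
      audit_log    - one record per decision, as the AIS historical log would keep
    """
    by_employee_no = defaultdict(list)
    for ident in identities:
        by_employee_no[ident.employee_no.strip()].append(ident)

    linked, review_queue, audit_log = [], [], []

    def record(acct, decision, reason, identity_id=None):
        audit_log.append({"environment": acct.environment, "user_id": acct.user_id,
                          "decision": decision, "identity_id": identity_id,
                          "reason": reason})

    for acct in accounts:
        key_attr = link_keys.get(acct.environment)
        identifier = str(acct.attributes.get(key_attr, "")).strip() if key_attr else ""
        if not identifier:
            reason = "no unique identifier in extract"
        else:
            candidates = by_employee_no.get(identifier, [])
            if len(candidates) == 1:                 # the only case linked automatically
                ident = candidates[0]
                ident.accounts.append((acct.environment, acct.user_id))
                linked.append((acct.environment, acct.user_id, ident.identity_id))
                record(acct, "linked", "exact identifier match", ident.identity_id)
                continue
            if not candidates:
                reason = "no identity with identifier %s" % identifier
            else:                                    # duplicate identities: never guess
                reason = "identifier %s matches %d identities" % (identifier, len(candidates))
        review_queue.append((acct.environment, acct.user_id, reason))
        record(acct, "manual_review", reason)

    return linked, review_queue, audit_log


def run_sample():
    """Run the constructed sample; used by the demonstration below."""
    return synchronize(IDENTITIES, ACCOUNTS, LINK_KEYS)


if __name__ == "__main__":
    linked, queue, log = run_sample()
    for env, uid, iid in linked:
        print("linked      %-11s %-10s -> %s" % (env, uid, iid))
    for env, uid, why in queue:
        print("manual      %-11s %-10s : %s" % (env, uid, why))
    print("%d audit records written" % len(log))
```

Three points the code makes explicit that the prose leaves implicit: the only normalization applied before matching is whitespace trimming, so name-based or fuzzy matching is never performed automatically; an identifier that matches more than one AIS record (a duplicate HR record) is treated exactly like a missing identifier and sent for manual confirmation rather than linked to the first hit; and every decision, automated or manual, produces an audit record, which is what later makes the spot checks described under F) possible.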

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Select employees within the Information Security Division (ISD) will be able to print out reports from the AIS database. The circulation of these reports will be restricted to employees within ISD with a need to know.

There is no requirement to transfer these reports to removable media at this time.

Level of risk to privacy: 3

H) Risk impact to the individual or employee

Reputation harm, embarrassment.

The employee data stored in IAM phase 2 is classified as Protected “A”. Much of the information exchanged between IAM users and the associated applications is Designated Protected “B”, and has a direct impact on the confidentiality of information; therefore a MEDIUM sensitivity is assigned to the “Confidentiality” of IAM assets.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility.

There could be significant impacts due to a compromise of confidentiality of the data processed on the IAM platform, because of the “Protected” data stored on the servers.
