Personnel Security Screening - Reliability Status +

Privacy Impact Assessment (PIA) summary – Security and Internal Affairs Directorate, Finance and Administration Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Roch Huppé
Chief Financial Officer and Assistant Commissioner, Finance and Administration Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

Travel and Other Administrative Services

Description of the class of record and personal information bank

Standard or institution specific class of record:
Security Class of Record (PRN 931)

Standard or institution specific personal information bank:
Personnel Security Screening (CRA PPU 917)

Legal authority for program or activity

The Canada Revenue Agency is designated as a separate Agency under Schedule II of the Financial Administration Act and as such has overall responsibility over its administration, contracts and human resources management. The CRA has been granted responsibility for “general administrative policy in the Agency” under paragraph 30(1)(a) of the Canada Revenue Agency Act. This includes the responsibility for determining conditions of employment, and subsequently the security requirements for personnel security screening.

The Agency is responsible for the protection of its information and assets in accordance with the Treasury Board Secretariat (TBS) Policy on Government Security (PGS) and its related standards. To that end, an MOU between the CRA and TBS was signed providing the Agency with a degree of flexibility to implement its own personnel security screening standards when it is warranted.

Summary of the project / initiative / change

Personnel Security Screening plays a vital role within the Canada Revenue Agency’s (CRA) security program by ascertaining that all employees are appropriately screened based on the access to information and CRA premises required for the performance of their duties. All CRA employees must undergo security screening and must meet the security requirements of their position prior to being hired. Currently, there are 2 types of personnel screening: an assessment of reliability (which results in a Reliability Status), and an assessment of loyalty to Canada (which results in a security clearance at the Secret or Top Secret level).

While the CRA’s security screening program is robust and in line with all applicable legislation and Government of Canada policies and standards, an opportunity has been identified to further strengthen the program. As such, in addition to the current reliability status, the CRA’s Security and Internal Affairs Directorate is putting improvements into place through the development of a new level of security screening, Reliability Status +.

Reliability Status + would apply to designated positions, as approved by the Commissioner, demanding a high level of public trust and/or providing significant authority to make decisions or rulings that could impact on the efficiency or integrity of Agency operations and regulation, such as those that involve the performance of duties that relate to the administration or enforcement of tax related legislation (e.g. Income Tax Act) and for contracts that require access to information relating to the administration or enforcement of tax related legislation.

A valid Reliability Status would be a pre-requisite to Reliability Status +. The additional verifications are as follows:

In accordance with Treasury Board Secretariat policy instruments, the CRA initiated this privacy impact assessment (PIA) for the Reliability Status + security screening as its implementation will result in a substantial modification to CRA’s current security screening process.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Level of risk to privacy: 2

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: 4

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

E) Program population

The program affects certain employees for internal administrative purposes.

Level of risk to privacy: 1

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: No

Is the new or modified program or activity a modification of legacy IT systems and services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: Yes

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Identify the applicable category(ies): N/A

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

A yes response to any of the above indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.

G) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Level of risk to privacy: 2

H) Risk impact to the individual or employee

Financial harm.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility.
