Professional Networking Space (CRA Wiki)

Privacy impact assessment (PIA) summary - Advanced Internet Technologies, Best Practices and Architecture Solutions, Information Technology Branch

Overview & PIA Initiation

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Tammy Labelle
Director General, Best Practices, Architecture and Government On-line Directorate, Information Technology Branch

Head of the government institution / Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator

Name of program or activity of the government institution

CRA Wiki Professional Networking Space(s)

Description of the class of record and personal information bank

Standard or institution specific class of record:
Communications (PRN 939)

Standard or institution specific personal information bank:
Internal Communications (PSU 915)

Legal authority for program or activity

This activity supports the Communications function and personal information is collected under the authority of the Financial Administration Act, section 30(1)(a) of the Canada Revenue Agency Act and in accordance with the Communications Policy of the Government of Canada and the CRA Communications Policy.

Summary of the project / initiative / change

Professional Networking Wiki Space(s) is being developed, for CRA-internal engagement and consultation purposes, to allow CRA employees to better network and consult with each other on policies and initiatives of common-interest. The Wiki Space(s) will only be available to CRA employees, for CRA-internal use.

The Advanced Internet Technologies group in ITB provides ongoing support for the CRA Wiki.

Risk identification and categorization

A) Type of program or activity

Program or activity that does NOT involve a decision about an identifiable individual - the personal information would typically be identified in a "class of personal information."

This may include activities such as:  

• statistical / research or evaluation purposes where no decisions are being made.
• consultations with CRA peers as well as other community engagement activities on various topics that are related to CRA programs or activities in general terms. This does not include consultations on decisions related to a particular individual's involvement in a program or activity.
• maintaining a mailing list within the institution where no decisions are made that directly have an impact on an identifiable individual.

The Policy on Privacy Protection requires that government institutions establish an institutional privacy protocol for addressing non-administrative uses of personal information. If a protocol is not in place or the current protocol does not cover the proposed activity, then a decision must be made and documented with respect to the completion of a PIA.

Level of risk to privacy: 1

B) Type of personal information involved and context

Only personal information provided by the individual either directly or with consent (explicit or otherwise) at the time of collection / with no contextual sensitivities

The context in which the personal information is collected is not particularly sensitive. For example: general licensing, or renewal of travel documents or identity documents.

Level of risk to privacy: 1

C) Program or activity partners and private sector involvement

Within the institution (amongst one or more programs within the same institution). 

Level of risk to privacy: 1

D) Duration of the program or activity

Long-term program

Existing program that has been modified or a new program or activity is established with no clear "sunset."

Consultation and engagement is well established and it is anticipated that the use of collaborative software and tools will become part of the business processes related to the consultation and engagement activities. There is no "sunset date" for such activities.

Level of risk to privacy: 3

E) Program population

The program affects certain employees for internal administrative purposes.

Level of risk to privacy: 1

Training and understanding of privacy and personal information protection

A systematic privacy training and/or awareness plan is in place and sessions are provided and/or made available to employees and sectors or the government institution.

Level of risk to privacy: 2

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Is the new or modified program or activity a modification of a legacy IT systems and services?

Risk to privacy: No

The new or modified program or activity involves the implementation of one or more of the following technologies:

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices , RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Identify the applicable category(ies):

Although the Wiki itself is not a surveillance tool, it does contain features - such as the linking of users to their contributions - that allow for the tracking of those participating and contributing to the Wiki. The purpose of the Wiki is to allow for a transparent and collaborative work environment. Should there however be a need for intervention because of misuse of the Wiki, there are features that can assist in identifying the responsible party. This includes features that record participants' login information, date, time and contributor's input. 

Risk to privacy: Yes

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: No

A yes response to any of the above indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.

G) Personal information transmission

The personal information is used in system that has connections to at least one other system.

There is no systematic transfer to other mediums but information of business value would potentially be copied unto departmental records repositories. There is also the possibility of printing screens or input provided by users; however, this is not a standard or recommended practice - the idea of web 2.0 technologies is to facilitate networked communication between employees of government institutions.

Level of risk to privacy: 2

H) Risk impact to the individual or employee

Reputation harm, embarrassment.

Level of risk to privacy: 2

I) Risk impact to the institution

Managerial harm.

Processes must be reviewed, tools must be changed, change in provider / partner.

Level of risk to privacy: 1