Privacy Impact Assessment Summary for the Online Regulatory Consultation System (ORCS)
Introduction
This document summarizes the results of a Privacy Impact Assessment (PIA) conducted for the Online Regulatory Consultation System (ORCS) for the Regulatory Affairs Sector, Treasury Board of Canada Secretariat (TBS).
Why the PIA was necessary
This PIA was conducted because the proposed new centralized solution for Government of Canada regulatory stakeholder engagement, ORCS, would collect personal information and would be used by all regulatory departments and agencies.
PIA objectives
This PIA had three objectives:
- To ensure the sound management of private information
- To ensure that the system does not collect more information than is necessary
- To ensure that proper policies and preventive measures are in place to protect the personal information that is collected
The scope of this PIA was to assess the comments from the Canada Gazette website to determine how they were processed by regulators within ORCS and how they were validated for public posting on the Canada Gazette website.
PIA risk summary
The PIA determined that:
- all personal information will be maintained in a Protected B environment
- the number of users of the system will be limited and closely monitored
- all users are required to attest that they have taken appropriate privacy-related training
- all stakeholders who submit comments are required to acknowledge that their comments will be published online before they submit them
In addition, the kind of personal information that is collected by ORCS is not high risk, being limited to, at most, names, contact information and some addresses.
In keeping with the Directive on Privacy Impact Assessment, the PIA included a completed Risk Area Identification and Categorization section.
The risks identified
The PIA identified eight risks: two Low, six Medium and zero High. It also identified nine risk mitigation strategies.
This is due to the combination of the kind of data that is being submitted, which is low risk, the storage of the data on Protected B environments and the controls over the users of the system and their training requirements.
The risks identified were:
- Risk that departments and agencies using ORCS would not use the system in a privacy conscious manner. The corresponding recommendation was to implement ORCS Terms of Use that all government employees using the system would agree to before being given accounts. The Terms of Use include a commitment to take privacy training, to be familiar with policies and to acknowledge their responsibility to protect the privacy of users.
- Risk that ORCS would be deployed before appropriate training and familiarization was completed. The recommendation was to develop training and policies before launch. Training and communications materials have been developed and deployed since the PIA was finalized in March 2021.
- Risk that users will publish personal information on the Canada Gazette. Regulators are given training and guidance on how to identify and redact personal information in comments that are submitted on ORCS. Stakeholders who submit comments on ORCS are required to acknowledge Terms of Use, which state that no personal information should be submitted.
- Risk that reports created in ORCS could contain identifying information and be extracted to other systems. The default extraction has been modified to no longer include personal information.
- Risk that supporting documents will not be matched with the appropriate comment. This risk has been mitigated by guidance to regulators to save supporting documents with the commenter ID in the file name.
- Risk that departments with access to the back-end of the system will retain information longer than is necessary to comply with privacy legislation. This risk has been mitigated by the development of a plan for disposition of comments from the system in consultation with departmental IM. Commitment to disposition of personal information also forms part of the ORCS user Terms of Use.
- Risk that ORCS would be deployed before a Security Assessment and Authorization was completed. The SA&A was completed before launch of the first regulation to use ORCS on March 31, 2021.
- Risk that the Privacy Notice on ORCS was not transparent and did not cite a Personal Information Bank (PIB). The Privacy Notice was updated to include a PIB before launch of the first regulation to use ORCS.
Description of regulatory stakeholder engagement process
Historically, regulatory departments and agencies use the Canada Gazette, the Government of Canada’s official newspaper, to post regulatory proposals for public comment.
After initial consultations with stakeholders and partners, regulations are drafted and published in Canada Gazette, Part I, at which time a notice goes out on the Canada Gazette website inviting further comments and supporting documents on those regulations.
Stakeholders and the public then voluntarily submit comments and supporting documents (on approximately 80 regulatory proposals a year) directly to regulators via email, mail and facsimile.
Lastly, regulators may publish a “What We Heard” report summarizing the comments received; however, regulators do not release verbatim comments.
This historical process lacks transparency as stakeholders are unable to see what comments were submitted. The United States, Mexico and several other jurisdictions allow comments to be posted online, which promotes greater transparency.
Consequently, the Government of Canada announced in Budget 2018 that it would pursue a “regulatory reform agenda to make the Canadian regulatory system more agile, transparent and responsive, so that businesses across the country can explore and act on new opportunities, resulting in benefits for all Canadians.” The announcement included an investment to develop “an online platform to engage Canadians on regulation in order to improve the transparency and efficiency of the overall rulemaking process.”
Furthermore, during the trilateral negotiations on the Canada–United States–Mexico Agreement (CUSMA), Canada agreed that the publication of regulatory comments would make the Canadian regulatory process more transparent, accountable and predictable. This would lay the foundation for compatible regulatory approaches and eliminate burdensome, duplicative or divergent regulatory requirements for citizens and businesses across North America. Therefore, as part of the CUSMA, Canada committed to developing a single, accessible website that supports the transparent development of regulations.
Consequently, the Regulatory Affairs Sector of the TBS and the Canada Gazette Directorate of Public Services and Procurement Canada (PSPC) have collaborated on a solution.
The solution
First, a “front-end” solution was built for the Canada Gazette website to allow individuals, industry and other stakeholders to submit comments directly to regulators through the website without a login or user account.
Second, once the comments are submitted, a back-end system, the Online Regulatory Consultation System (ORCS), will collect and organize comments for Canadian regulators. Comments will be reviewed to ensure that they conform to the Canada Gazette’s terms of use regarding personal information, hate speech and other concerns, which are based on the terms of use found on all Government of Canada websites. Access to comments will be restricted primarily to those employees working on the regulatory changes.
Finally, once comments are approved for publishing, ORCS pushes all comments to the Canada Gazette website for public review.
Comments posted on the website may be redacted and depersonalized. Stakeholders are required to acknowledge that their comments will be posted and that they are responsible for the content of their comments.
Individuals can remain anonymous when submitting comments. They may also opt to provide their contact details for regulators to follow up with them. However, regardless of the personal information disclosed with their comment, only the redacted comment and the date of the comment submission are posted on the Canada Gazette website. In contrast to individual users, the names of organizations will be published with their comments.
Regulators assess comments to ensure that sensitive information is not published, such as personal information, hate speech and confidential business information. When necessary, commenters may be notified by regulators when their comments are modified.
Page details
- Date modified: