Privacy Impact Assessment Update Summary for Access to Information and Privacy (ATIP) Online


This document summarizes the results of a Privacy Impact Assessment (PIA) that has been conducted on Access to Information and Privacy Online (ATIP Online), Office of the Chief Information Officer, Treasury Board Secretariat, which was formerly known as the ATIP Online Request Service (AORS).


ATIP Online provides a centralized, secure, publicly facing website for Canadians to submit access to information and personal information requests to participating Government of Canada institutions. New functionalities of this website assessed in this PIA enable the Canadian public to:

Why the Privacy Impact Assessment was necessary

This PIA builds upon the Privacy Impact Assessment for Access to Information and Privacy (ATIP) Online Request Service Project to include a further assessment of the service enhancements described above.

Privacy Impact Assessment objectives

To ensure sound management and decision-making, as well as careful consideration of privacy risks with respect to the creation, collection, and handling of personal information as part of government programs or activities.

Privacy Impact Assessment findings, risk summary and action plan

ATIP Online demonstrates a broad suite of technical, operational, and administrative security and privacy safeguards to protect personal information throughout the information lifecycle.

Risk summary

This PIA has identified 13 potential risks to the privacy of personal information that may be collected, used, disclosed, or retained by ATIP Online and its enhancements. These risks include the following:

Action plan

TBS has reviewed all risks and established a Privacy Risk Mitigation Plan to further mitigate the risks mentioned above as the project moves forward to production. As a result of this mitigation plan, the residual risk levels are low or very low for each previously identified risk. The client institution remains responsible for the assessment of privacy risks related to the implementation of custom request questions, and, as such, TBS mitigates the risk of over collection by requiring institutions to either provide a completed PIA for the additional collection of personal information or documentation confirming that a PIA is not required. TBS has also obtained approval to collect the SIN for the purposes of identifying information or records in response to ATIP requests as part of the custom questions requested by institutions, in accordance with the process and requirements defined in the Directive on Social Insurance Number. TBS will also be updating the Privacy Notice in consultations with its ATIP Office to ensure full compliance with the requirements of the Directive on Privacy Practices and is registering a new Personal Information Bank for the ATIP Online platform that accurately defines the personal information collected by ATIP Online and how it is used. Additionally, a full Threat and Risk Assessment and Security Assessment and Authorisation processes will be conducted before launching the new system.

Page details

Date modified: