Privacy Impact Assessment Update Summary for Access to Information and Privacy (ATIP) Online
Introduction
This document summarizes the results of a Privacy Impact Assessment (PIA) that has been conducted on Access to Information and Privacy Online (ATIP Online), Office of the Chief Information Officer, Treasury Board Secretariat, which was formerly known as the ATIP Online Request Service (AORS).
Description
ATIP Online provides a centralized, secure, publicly facing website for Canadians to submit access to information and personal information requests to participating Government of Canada institutions. New functionalities of this website assessed in this PIA enable the Canadian public to:
- create a secure profile to log in as a named user, or log in as a guest user
- submit ATIP requests as either a guest user or a securely authenticated user
- attach and upload documents to support ATIP requests in a secure manner
- pay applicable fees for access to information requests in a secure manner
- receive institution-specific guidance to provide customized information and supporting documentation when submitting requests
- leverage functionality to create a secure profile, track the status of requests, and receive responses to requests electronically through a secure channel
Why the Privacy Impact Assessment was necessary
This PIA builds upon the Privacy Impact Assessment for Access to Information and Privacy (ATIP) Online Request Service Project to include a further assessment of the service enhancements described above.
Privacy Impact Assessment objectives
To ensure sound management and decision-making, as well as careful consideration of privacy risks with respect to the creation, collection, and handling of personal information as part of government programs or activities.
Privacy Impact Assessment findings, risk summary and action plan
ATIP Online demonstrates a broad suite of technical, operational, and administrative security and privacy safeguards to protect personal information throughout the information lifecycle.
Risk summary
This PIA has identified 13 potential risks to the privacy of personal information that may be collected, used, disclosed, or retained by ATIP Online and its enhancements. These risks include the following:
- The collection of additional personal information in customized forms by institutions where it is not necessary may result in over-collection of personal information without an identifiable purpose
- The collection of SIN without relevant policy authority may result in over-collection of personal information
- Partial descriptions in relevant Personal Information Bank entries may mean that individuals are not made aware of their personal information contained within GC information records
- Partially complete IT Security risk assessment activities may mean that assets, potential threats and vulnerabilities, current safeguards and current risks may not be well understood by the project—this may result in the unintentional omission of security safeguards that can protect personal information from unauthorized access, use, modification, removal, or destruction.
Action plan
TBS has reviewed all risks and established a Privacy Risk Mitigation Plan to further mitigate the risks mentioned above as the project moves forward to production. As a result of this mitigation plan, the residual risk levels are low or very low for each previously identified risk. The client institution remains responsible for the assessment of privacy risks related to the implementation of custom request questions; as such, TBS mitigates the risk of over-collection by requiring institutions to either provide a completed PIA for the additional collection of personal information or documentation confirming that a PIA is not required. TBS has also obtained approval to collect the SIN for the purposes of identifying information or records in response to ATIP requests as part of the custom questions requested by institutions, in accordance with the process and requirements defined in the Directive on Social Insurance Number. TBS will also be updating the Privacy Notice in consultation with its ATIP Office to ensure full compliance with the requirements of the Directive on Privacy Practices, and is registering a new Personal Information Bank for the ATIP Online platform that accurately defines the personal information collected by ATIP Online and how it is used. Additionally, full Threat and Risk Assessment and Security Assessment and Authorization processes will be conducted before launching the new system.