Addendum to the Privacy Impact Assessment (PIA) related to the Automated Access Control System (August 2022)

Section 1: Overview

StatsCan Office of Privacy Management and Information Coordination (OPMIC) is providing privacy advice and support in relation the occupancy proposal in a phased approach:

  • Phase 1: This phase covers the non-administrative use of the personal information to report to senior management on aggregated counts of employees working from StatCan offices in the National Capital Region. The present addendum is included in this phase.
  • Phase 2: During this phase, the Agency will continue to assess and articulate the use of personal information from FEENICS as well as HR databases to allow to filter counts by fields and financial responsibility centers, as well as to make administrative decisions on cases of non-compliance in relation to personnel management. Central to this phase will be to ensure the proper notification of employees before the personal information is collected and used to make decisions in relation to attendance and personnel management thus ensuring compliance with subsection 5(2) of the Privacy Act as well as 6.2.9 of the Directive on Privacy Practices.

The following is an addendum to the PIA related to the Automated Access Control System (AACS) that was originally approved in 2009 and updated in 2016.

1.1 Description of the activity covered by the addendum

Personal information from the access control system database (FEENICS) containing data from the use of identification cards at the security terminals at the entrance of the Statistics Canada (StatCan) NCR facilities will be used to count the number of employees who are working from the Statistics Canada offices in the National Capital Region (NCR). Summary reports will be generated with aggregated numbers of on-site visits by day, week and month.

  1. A dataset containing four variables (employee name, card type1, card ID number, and date of use of the card at Stats Can NCR facilities) will be made available internally by Security and Facilities Division (SFD) to the agency's Human Resources Business Intelligence (HRBI). Only data about StatCan employees will be made available to HRBI and will be used only for that purpose.
  2. The number of unique swipe card uses will be aggregated by HRBI to create a summary report for senior management. This summary report will only include aggregated number of building occupancy by day, week, and month. There will be no individual data in the summary report.

With more employees returning to the office, and the implementation of a minimum two days/week hybrid environment effective in September 2022, it is important for Statistics Canada to monitor the occupancy trends of the agency's offices in the NCR. This information is required by HR and Facilities to plan and make data-driven decisions about occupational health and safety by ensuring adequate levelsFootnote 1 of office and collaborative spaces (e.g., hybrid-enabled rooms) that are fully equipped to meet growing needs. For example, on-site occupancy levels will allow to make decisions on the number of fully equipped workstations (e.g. Two monitors per station, ergonomic chair, sit-stand desk and other supporting technology) that are required to meet the needs. These decisions aid in the promotion of a safe and healthy workplace for employees.

1.2 Reason for the addendum

This addendum assesses a use of personal information from the Access control system database (FEENICS) that was not originally accounted for in the PIA. In the context of the hybrid return to the workplace, and especially in light of Covid-19, Statistics Canada needs to have information on counts of employees coming to the workplace in order to assess capacity and ensure the security and safety of its employees. Personal information from FEENICS will therefore now be used to count the number of employees present at Statistics Canada NCR buildings.

1.3 Scope of the analysis

The scope of the privacy analysis included in this addendum is limited to the additional use of the information as described in section 1.1 above, and does not cover elements and information already assessed in the PIA. Please refer to the PIA for these considerations.

Section 2: Personal Information Flow

2.1 Personal Information Elements table

The table below lists the personal information elements that will be involved in this activity as well as additional details that will be taken in consideration in the privacy analysis.

Personal information cluster Personal information Element Dataset Source Use of personal information Disclosure of personal information Justification
Daily Swipe Card data Employee Full Name

A list of daily swipes which includes the four variables listed and does not include any further personal information that is collected at the time that the security pass is used at the security terminals of the StatCan NCR buildings.

In regards to the use of temporary passes; only the number of the card and the date will be made available to HRBI.

Facilities daily swipe card data (FEENICS)

To measure the number of employees who are working from the StatCan offices in the National Capital Region (NCR) and produce summary aggregate reports for senior management on the total count of employees who entered the NCR offices by day, week, and month.

Reports will be accessed by HRBI and senior management only. The reports will not contain identifiable information. The information will not and could not be used to track individuals or used for administrative purposes.

There will be no disclosure of personal information outside of the organization. The reports will be used for planning purposes. They will be used to monitor the occupancy trends of the offices in the NCR. This information is necessary to plan and make data- driven decisions about occupational health and safety, accommodations, and to ensure the planned level of office and collaborative space (e.g., hybrid- enabled rooms) are sufficient to meet the growing demand.
Card ID Number

Card Type

Statistics Canada employee passes as well as temporary passesFootnote 2 for Statistics Canada employees will be used.

Other types of cards such as visitorsFootnote 3 and cleaners will be removed from the data before it is made available by SFD to HRBI.

Use of the cards at Stats Can NCR facilities.

2.2 List of individuals having access to the personal information

The table below lists the position of employees involved in this activity who will have access to the personal information, described in section 2.1.

Title of the position Number of individuals having access to the personal information Justification – Need to know
Unit Head (HRBI) 1 Reviewing the process and sometimes receiving the data, cleaning the records, running the summary reports.
Subject Matter Analyst (HRBI) 3 Receiving the data, cleaning the records, running the summary reports.

2.3 Description of the handling of the personal information

Employee name and date of access are required as part of the internal data transfer from SFD to HRBI in order to produce summary statistics. Two measures of occupancy are required:

  1. total occupancy in a given time period (ex. by day or week);
  2. total number of unique employees who worked from the office in a given time period (ex. by week or month).

2 The card number and the date that are collected through the security terminals when a card is used are the only elements that will be made available to HRBI in relation to a StatCan employee temporary pass.
3 Visitors are considered to be non-StatCan employees requiring access to the StatCan facilities. The personal information that is provided to the front desk to complete a paper-based document, in relation to the issuance of temporary passes to visitors as well as for the issuance of employee's temporary passes, will not be made available by SFD to HRBI or used. It is outside the scope of this activity. No data will be made available or used in regards to visitors.

Once the data has been cleaned, the individual records will be aggregated by date. Once aggregated, the information will not be used to re-identify individuals. This process will be done prior to the creation of the summary reports. There will be no individual data included in the summary report, meaning that no individual could be identified or tracked using the summary report. The report will contain the following counts:

  1. total occupancy by day, week, and month;
  2. unique number of visitors by week and month;
  3. average occupancy by day of the week.

The individual level data will be stored in a secured folder. Access will be limited to the list of individuals in section 2.2. Neither the identifiable information or the aggregated data will be used by HRBI for any administrative purpose as part of this activity. The individual level data will be retained for one year for validation purposes, after which point it will be disposed of securely.

Section 3: Necessity and Proportionality

  1. Necessity

With more employees returning to the office, and the implementation of a minimum two days/week hybrid environment effective in September 2022, it is important to monitor the occupancy trends of the offices in the NCR. These figures are necessary for HR and Facilities to plan and make data-driven decisions about occupational health and safety, accommodations, and to ensure the planned level of office and collaborative space (e.g., hybrid-enabled rooms) are fully equipped to meet the growing demand. For example, on-site occupancy levels will allow to make decisions on the number of fully equipped workstations (e.g. Two monitors per station, ergonomic chair, sit-stand desk and other supporting tech) that are required to meet the needs. These decisions aid in the promotion of a safe and healthy workplace for employees.

The date variable will be used to aggregate the individual records by day, week and month. This variable is necessary to determine the total occupancy for a given time frame. This is required to ensure that the level of office space available meets the demand. For example, on a given day, if there are 3,500 employees who visit the office, Statistics Canada must ensure there are, at a minimum, 3,500 work stations available.

The name variable is required to clean the data (ex. removing duplicates) and to determine the number of unique employees who worked from the office in a given time frame. It is important to measure the aggregate count of employees who are attending the office more than twice a week/month, and to measure unique visits in a given time period. This metric may be used to determine the level of fixed office space required. If there are a certain number of employees who visit the office more than X days in a month, permanent office space may be required.

This metric will also be used to measure, at an organizational level, the proportion of employees who are using the office in a given time period (ex. in a week or in a month). If there are a small number of employees who are using the office frequently, less office space will be required than if there are a large number of unique employees are using the office space less frequently. This metric is at the aggregate level, meaning no individuals can be tracked.

  1. Effectiveness - Working assumptions

The summary statistics that are produced with this data will provide HR and Facilities with the necessary information to plan and make data-driven decisions about occupational health and safety, accommodations, and office space requirements.

  1. Proportionality

There is a need for building occupancy statistics by day, as outlined in section 3.1 (Necessity). The potential impact on privacy is assessed as low given the safeguards in place which include:

  • The individual level data will be shared with only a small limited group of individuals in HRBI who will clean, deidentify and aggregate the data before it is included in the summary reports.
  • The summary reports will have no individual data and the information will not be disclosed or used for an administrative purpose.
  1. Alternatives

Alternatives have been explored and no feasible less privacy intrusive options were identified.

HRBI considered using the 'Return to Work' booking application data to measure the on-site occupancy. This data source did not meet the needs of the project because of poor data quality. Employees are not required to use the application in order to come in to the office, and employees who do book in the application may not actually come in to the office.

HRBI consulted with IT to determine if the number of employees accessing the server on-site could be measured. This was determined not to be feasible.

Section 4: Privacy Analysis

The following privacy analysis is based on the information included in sections 1 to 3 by HRBI as of August 15, 2022. Refer to the Automated Access Control System (AACS) PIA in regards to the principles that are not covered in this addendum.

Accountability

The AACS PIA states that "Statistics Canada is responsible for all personal information under its control". For the activity assessed in this addendum, the Assistant Chief Statistician of Corporate Strategy and Management is accountable for the personal information of employees collected through the AACS and stored in FEENICS that will be used by HRBI for the purpose described in this addendum.

Purpose

The original PIA in 2009 covered and assessed a limited use of the personal information collected using the AACS. The update to the PIA made in 2016 included and assessed an additional use. The current addendum covers the use of the AACS personal information (employee name and card ID number) to count the number of employees present daily, weekly at the NCR Stats Can facilities in the context of the

current pandemic and the return to work to a hybrid environment to ensure the safety of the employees present in the building. The next sub-section will demonstrate how this use is considered to be covered by the use section of the applicable Identification Cards and Access Badges - PSE 917. This purpose will be communicated to all current and new employees via a Privacy Notice Statement (see subsection on openness below).

Use

In order to use personal information from FEENICS without obtaining employee consent, the intended use of the personal information must match the original purpose for which it was collected or be for a consistent use. These uses and consistent uses must be described in their related Personal Information Banks (PIBs) as well as communicated to the individuals.

An employee should be in a position to understand that the personal information collected initially could be used for this other purpose and the notice that should be provided to each employee should include a reference to the related PIB(s).

Statistics Canada's Privacy Impact Assessment on the Automated Access Control System did not cover or assess this use of personal information from FEENICS. The PIA originally written in 2009 and updated in 2016 indicates that the use of the personal information collected and stored in FEENICS is "strictly restricted to the specific purpose of investigating matters related to safety, security, and personal management. In all cases, any authorized used will require the approval of the Departmental Security Officer."

The PIA indicates that the personal information collected in FEENICS is described in the Personal Information Bank Identification Cards and Access Badges - PSE 917, whereas personal information related to the issuance of temporary passes is covered by PIB Security Video Surveillance and Temporary Visitor Access Control Logs and Access Badges - PSU 9074. Both are standard TBS PIBs that apply to all federal institutions.

Personal information collected in regards to the issuance of temporary passes that are collected by departmental security is not covered in this analysis as it is not involved or used as part of this activity. Based on the information provided by HRBI, the information collected in regards to StatCan employees' temporary passes is limited to the temporary card number and date of use collected through FEENICS when a temporary pass is used at a building security terminal. No information about visitors who are not employees of StatCan will be handled by HRBI or would be used in relation to the activity assessed.
Based on the above, the PIB PSU 907 does not apply in the context of this activity.

PSE 917 specifies that permitted uses of the personal information (limited to: photographs, signatures, name and card numbers of holders) are to "maintain information relating to the issuance, use and cancellation of identification cards and access badges, and to assist in ensuring the security of government institution facilities and the safety and security of individuals and assets present in such facilities." The allowed consistent uses are limited to: "use personal information in the event of security- related incidents such as thefts or emergency situations".Footnote 4

The Office of Privacy Management's current understanding is that only information from FEENICS, not information related to temporary visitor's access controls logs and access badges is intended to be used in relation to this activity.

PIB Human Resources Planning – PSU 935 includes the use of limited personal information elements for the management of facilities, but personal information elements related to identification cards and access badges is not covered under this PIB. The PIBs Occupational Health and Safety - PSE 907 as well as Employment Equity and Diversity – PSE-918, were also reviewed and do not include personal information elements related to identification cards and access badges.

The intended purpose of the proposed activity is to count the number of employees who are working from StatCan offices in the National Capital Region (NCR) buildings in the context of the hybrid return to the workplace.

The intended use of personal information related to identification cards and access badges to count the number of employees (including employees using a temporary card) who are accessing the StatCan buildings in the National Capital Region to inform management of the number of individuals present at each work site daily, weekly and to ensure the safety of individuals in the buildings during the return to work to an hybrid environment in the current health context is considered to be covered in the uses section of the PIB PSE 917. More specifically, to maintain information related to the use of identification cards and access badges (including temporary cards) and to assist in ensuring the safety and security of individuals present in facilities.

The use of any additional data elements or any new use of personal information from FEENICS not included in the PIA or in this addendum would need to be assessed and an additional addendum developed accordingly.

Disclosure

Based on the information included in section 1 to 3 by HRBI, this activity will not involve any disclosure of the FEENICS personal information used for the purpose of this activity.

Openness

Section 5(2) of the Privacy Act requires that the institution collecting personal information inform the individuals to which the personal information relates, of the purpose for which it was collected. The AACS PIA has identified the lack of proper notification as a potential threat and stated that: detailed information about the AACS "has been communicated via the Internal Communication Network, the employee newsletter and staff emails". As the PIA was drafted in 2009, which pre-dates the issuance of the Directive on Privacy Practices by the Treasury Board, it would be prudent to draft a Privacy Notice Statement including the elements listed in section 6.2.9 of the Directive. This Privacy Notice Statement will be presented to StatCan employees before or at the time of collection of their personal information through FEENICS in order to comply with section 6.2.10 of the Directive mentioned above. Both the purpose and the use of the personal information, including the uses described in the current document, will be included in the Privacy Notice Statement. In the interim, communication has been sent on July 12, 2022, by the Chief Statistician to all StatCan employees mentioning "I encourage you to familiarize yourself with the Statistics Canada Modernization Journey: Framework on Hybrid Work", which included a link to the document. The document includes the following statement: "To support the agency's ability to track onsite activity, inform floor design plans for PSPC renovations, and track the implementation of our hybrid work model, aggregated turnstile data will be used, wherever possible, to measure building occupancy levels."

Conclusion

This assessment concludes that this activity does not introduce any additional risks not addressed in the Automated Access Control System (AACS) PIA.

Footnotes

Footnotes

Footnote 1

See footnotes 3 & 4.

Return to footnote 1 referrer

Footnote 2

The card number and the date that are collected through the security terminals when a card is used are the only elements that will be made available to HRBI in relation to a StatCan employee temporary pass.

Return to footnote 2 referrer

Footnote 3

Visitors are considered to be non-StatCan employees requiring access to the StatCan facilities. The personal information that is provided to the front desk to complete a paper-based document, in relation to the issuance of temporary passes to visitors as well as for the issuance of employee’s temporary passes, will not be made available by SFD to HRBI or used. It is outside the scope of this activity. No data will be made available or used in regards to visitors.

Return to footnote 3 referrer

Footnote 4

The Office of Privacy Management’s current understanding is that only information from FEENICS, not information related to temporary visitor’s access controls logs and access badges is intended to be used in relation to this activity.

Return to footnote 4 referrer