Contents
- Section 1: Overview
- Section 2: Risk Area Identification and Categorization
- Section 3: Analysis of the personal information elements for the program or activity
- Section 4: Flow of personal information for the program or activity
- Section 5: Privacy compliance analysis
- Principle 1: Accountability
- Principle 2: Limiting Collection
- Principle 3: Direct Collection and Purpose Identification
- Principle 4: Retention
- Principle 5: Accuracy
- Principle 6: Disposal
- Principle 7: Limiting use
- Principle 8: Limiting Disclosure
- Principle 9: Safeguards
- Principle 10: Openness
- Principle 11: Individual Access
- Section 6: Threat and risk assessment
- Section 7: Summary of analysis and recommendations
- Section 8: Breach protocol
- Section 9: Supplementary Documents List
- Appendix 1 – PIA Summary
- Appendix 2 – Privacy Notice
Section 1: Overview
Responsible department: Statistics Canada
Chief Privacy Officer: Director, Office of Privacy Management and Information Coordination
Subject-matter manager: Director, Census Communications
Senior official: Assistant Chief Statistician, Corporate Strategy and Management
Legal authority: Financial Administration Act
Reference to Personal Information Bank (PIB): Standard PIB – Public Communications, PRN 939, PSU 914
Project Description:
To improve respondent services, Statistics Canada is introducing a chatbot on its Census website as a new communications method. This automated communication and service channel aims to help Census respondents anonymously submit questions and obtain more timely responses in a positive and secure online experience. This technology will improve services and assist respondents in their questionnaire needs, in addition to creating a positive and secure online experience.
While Statistics Canada already provides a Contact us formFootnote 1 where users can submit questions, the chatbot will automatically provide answers instead of waiting the general 5 to 10 business days to receive a response.
The chatbot will be of particular value when Statistics Canada conducts census activities. During the 2021 Census collection cycle, the Census Help Line (CHL) received over 2 million calls. This unprecedented volume led to 1.2M not being answered due to limited resources. Equally, Statistics Canada's Respondent Relations Unit received 63,000 emails and 7,000 pieces of mail, five times the amount received in the previous census, and the social media (Web2Social) team received numerous complaints regarding the lack of immediate response, long phone queues, or dropped calls.
The chatbot does not collect any personal information and a privacy notice (see Appendix 2) statement will be provided to users at the beginning of the chat session instructing them not to share any personal information and advising users who nevertheless include PI, that it will be manually removed from chatbot transcripts. The chatbot will use Artificial Intelligence (AI) to detect keywords to answer a user's question. If a user requires further assistance, the chatbot will transfer the conversation to a live chat agent. The chatbot was initially trained on extracted content from 2021 Census Questions and Answers (e.g., What is a census letter? Where can I find my secure access code?) and will keep training on new content that will be added as needed. As the chatbot does not make any administrative decisions on individuals, an Algorithmic Impact Assessment is not required.Footnote 2
The chatbot software and licenses have been acquired by Statistics Canada from a service provider. It has been integrated into Statistics Canada's website structure in a development environment prior to being moved to its production environment on January 15, 2024. A full security assessment was completed on January 9, 2024, with a risk management input (RMI) assessed as very low.
Section 2: Risk Area Identification and Categorization
The following table below evaluates the aggregate risk of the proposed initiative against a suit of standard dimensions applicable to most Statistics Canada's programs and activities. The numbered risk scale is presented in ascending order: level 1 represents the lowest level of potential risk for the risk dimension the fourth level (4) represents the highest level of potential risk for the given risk dimension.
Applicable risk level for each dimension is in BOLD.
| a) Type of program or activity | Risk scale |
|---|---|
| Program or activity that does NOT involve a decision about an identifiable individual | 1 |
| Administration of program or activity and services | 2 |
| Compliance or regulatory investigations and enforcement | 3 |
| Criminal investigation and enforcement or national security | 4 |
| b) Type of personal information involved and context | Risk scale |
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive. Personal information of minors, legally incompetent individuals or a representative acting on behalf of the individual. | 3 |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 |
| c) Program or activity partners and private sector involvement | Risk scale |
| Within the institution (among one or more programs within the same institution) | 1 |
| With other government institutions | 2 |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 |
| With foreign governments, international organizations and/or private sector organizations | 4 |
| d) Duration of the program or activity | Risk scale |
| One-time program or activity | 1 |
| Short-term program (January 16, 2024 to June 28, 2024 for Behavioral Testing and from January 2026 to August 2026 for the 2026 Census of Population collection period). | 2 |
| Long-term program (long-term date / ongoing / no end date) | 3 |
| e) Program population* | Risk scale |
| The program's use of personal information for internal administrative purposes affects certain employees. | 1 |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 |
| he program's use of personal information for external administrative purposes affects certain individuals. | 3 |
| The program's use of personal information for external administrative purposes affects all individuals for external administrative purposes. | 4 |
| * The program's use of personal information is not for administrative purposes. Information is collected for statistical purposes, under the authority of the Statistics Act. | N/A |
| f) Personal information transmission | Risk scale |
| The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 |
| The personal information is used in a system that has connections to at least one other system. | 2 |
| The personal information is transferred to portable devices or printed (USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 |
| The personal information is transmitted using wireless technologies. | 4 |
| g) Technology and privacy | |
|
Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? Yes. Power Microsoft Agent (chatbot) from Microsoft Dynamics is being implemented to facilitate a new communication method via chatbot to improve Statistic Canada's services and promote direct communication with data users and survey respondents. |
|
|
Does the new or significantly modified activity or program require changes to IT legacy systems? Yes. Integrating Power Microsoft Agent (chatbot) from Microsoft Dynamics code into the website will require changes to our IT systems to enable integration of the code in the infrastructure. |
|
|
Specific technological issues and privacy
No. |
|
| h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee | |
| Users will be advised to not provide any personal information when a chat session is opened. If provided, it will not be used and will be destroyed after three months. Therefore, the risk of some personal information being disclosed without proper authorization is very low, and the impact on the individual would be low. | |
| i) Potential risk that in the event of a privacy breach, there will be an impact on the institution. | |
| Users will be advised to not provide any personal information. If provided, it will not be used and will be destroyed after three months. Therefore, the risk of certain personal information being disclosed without proper authorization is very low, and the impact on the institution would be low. | |
Section 3: Analysis of the personal information elements for the program or activity
A privacy notice will inform users to not provide personal information when the chat starts. However, users might still provide personal information voluntarily. Such information could be anonymously retained by Statistics Canada for a three-month period in the form of transcripts for the purpose of assessing quality of the service and to meet user needs.
If users voluntarily share personal information despite the privacy notice, deemed employees from Respondent Relations will manually remove personal information from the transcript before being saved on Statistics Canada servers.
Necessity and Proportionality
While the chatbot is not intended to collect or use personal information and users are advised not to include any, some personal information could inadvertently be provided. The implementation of the chatbot can be justified against Statistics Canada's Necessity and Proportionality Framework:
- Necessity: The chatbot will be a new communications method introduced on Statistics Canada website to improve respondent services by providing automated communication and service channels that will increase the agency's Census Program's efficiency by reducing the number of correspondence pieces to be treated by Statistics Canada employees. These improvements will also benefit Canadians by creating a positive, secure online experience and assist respondents in their 2026 Census of Population questionnaire needs.
- Effectiveness - Working assumptions: The chatbot will allow live agents to focus on answering more complex questions in a timely manner and improve service standards. Moreover, the chatbot will help users fulfill their legal census obligation more quickly by submitting a question anonymously to the chatbot. Then, the chatbot will detect keywords and propose answers to users without using any personal information. The chatbot will create efficiency for Canadians and the agency.
- Proportionality: While there is a potential for the agency to collect personal information, the benefits of having quick and efficient access to information to help Canadians complete the Census are highly valuable proportional to any privacy risks. The chatbot aims to improve and supplement the existing services provided to Canadians by creating a positive, secure online experience and assist respondents in their 2026 Census of Population questionnaire needs.
- Alternatives: Unfortunately, there are no alternatives to automated services such as a chatbot. The method used in the past resulted in a high number of incoming calls and emails for the 2021 Census collection cycle to the CHL and Respondent Relations Unit of many of which were left unanswered due to lack of resources and unprecedented volumes. The chatbot will enable automation of Census program's services and efficiently provide answers to Canadian users. In the event the chatbot is not able to provide users with the information they need to fulfill their obligation towards the Census program, their request will be transferred to our Live Chat (CHL) to provide them with further assistance. Requests that require research or a personalized answer, such as complaints, will be transferred to a Respondent Relations agent that will work on a personalized response.
Section 4: Flow of personal information for the program or activity
Identify the source(s) of the personal information collected and/or how the personal information will be created.
When a user opens a chat session, they will be presented with a privacy notice statement and informed not to share any personal information before being prompted to ask a question. Once the question is submitted in the conversation window, the chatbot will analyze keywords to find a suitable answer to the user's question. Although users are advised to not provide any identifying personal information, they could voluntarily provide some.
Identify the internal and external uses and disclosures. Specifically, identify the areas, groups and individuals who will have access to or handle the personal information and to whom it will be provided or disclosed.
Information that users may voluntarily provide will not be used or disclosed, either internally or externally. Only deemed employees from Respondent Relations, Census Help Line (CHL) and the social media (Web2Social) are viewing and handling the data.
Identify where the personal information will transit and will be stored or retained.
During a chatbot session, any personal information that may be provided voluntarily by the user will transit through Statistics Canada's Microsoft Dynamics portal. The exchange will then be manually striped of any personal information and be stored on Statistics Canada's Cloud for a three-month period for the purpose of assessing quality of the service and to meet user needs.
Identify where areas, groups and individuals can access the personal information
When a chatbot user is redirected to a live chat CHL, Respondent Relations, Web2Social or recruitment agent, the agent in question and their supervisor will have access to that information.
During the three-month storage period, only supervisors and managers (four to six people) who need to consult the information for evaluation purposes will have access to the data.
Section 5: Privacy compliance analysis
As recommended by the Office of the Privacy Commissioner's Guide to the Privacy Impact Assessment Process, this chatbot has been assessed against the following principles that are based on the Organization for Economic Co-operation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Principle 1: Accountability
Statistics Canada is responsible for all personal confidential information collected and used under authority of the Financial Administration Act. The agency is also responsible for all personal information under its control and has designated individuals who are accountable for the agency's compliance with the obligations of federal departments to respect privacy rights as described in sections 4 to 8 of the Privacy Act.
The Director of the Office of Privacy Management and Information Coordination is Statistics Canada's Chief Privacy Officer (CPO) and is accountable for the department's compliance with the principles contained in this document. The CPO is also responsible for the development of Statistics Canada's policies related to information, including all aspects of information classification, control, and access and for providing advice, guidance, and assistance in the implementation of information security measures.
The Chief Security Officer (CSO) is responsible for the day-to-day operations of the Departmental Security Office, and for the development and administration of the security program for Statistics Canada.
The Respondent Relations, CHL and Web2Social teams and its managers, as directed by the Census Communications Director (Communications Branch), are responsible for applying all central agency and Statistics Canada policies related to the protection of privacy and personal information for this activity.
The Communications and Dissemination Branch is responsible for the entire Statistics Canada website.
An individual can address a challenge concerning compliance by Statistics Canada with the above principles.
Complaints may be addressed to:
Chief Privacy Officer
Statistics Canada
R.H. Coats Building, 2nd floor
100 Tunney's Pasture Driveway
Ottawa, Ontario K1A 0T6
Telephone: 613-951-0466
E-mail: statcan.atip-aiprp.statcan@statcan.gc.ca
In addition, under the Privacy Act, individuals may make a complaint to the Office of the Privacy Commissioner of Canada, who will undertake an investigation.
Principle 2: Limiting Collection
The authority to collect this information falls under the Financial Administration Act. Personal information will be not collected, but any that might be voluntarily provided by users will be protected under the Privacy Act. That information is included in the "Public Communications" Personal Information Bank.
The chatbot does not require the collection of personal information to provide is service to Canadians. As mentioned in previous section, users might voluntarily share personal information even if they have been informed not to at the beginning of the chat session.
Principle 3: Direct Collection and Purpose Identification
The purpose of the chatbot is to provide Canadians with a service that will increase Statistic Canada's Census Program's efficiency by helping respondents fulfill their legal census obligation more quickly and efficiently by anonymously submitting a question to the chatbot.
No personal information is asked or required from users to use the chatbot. Statistics Canada will not disclose personal information that might be provided by chatbot users. A privacy notice statement (Appendix 2) will be given to users instructing them to not share personal information when the chat session starts.
The conversation history will be used to improve Statistics Canada's services and to make information about the Census more accessible to the Canadian population. The data is used only by those individuals with a need-to-know including Respondent Relations, Social Media and recruitment agents and their supervisors to ensure the quality of the service provided and to meet user needs.
Consent will not be asked for because no personal information is collected, used or disclosed. Any personal information that might be voluntarily provided by a user will not be used, and the personal information will be manually removed from the conversation transcripts. Such transcripts will only be retained by Statistics Canada for a three-month period.
Principle 4: Retention
Personal information inputted by respondents will not be retained since the nature of the chatbot does not require the use of such information to provide users with an answer to their posed question. If users voluntarily include personal information, the information will be manually deleted from the conversation transcripts. These redacted transcripts will then be retained by Statistics Canada for a three-month period to improve services and to make information about the Census more accessible to the Canadian population.
Additionally, the Power Virtual Agent system (by Microsoft) will keep the conversation transcripts for a period of 28 days after which it will automatically be deleted. Microsoft has confirmed that it does not use the information to train, retrain, or improve their models.
Principle 5: Accuracy
Participants submit their own information electronically. Statistics Canada will not modify any of the submitted information, so inaccuracies should not occur. However, any errors that are brought to the attention of Statistics Canada by participants will be rectified immediately. If the chatbot provides the wrong answers based on faulty users' information, the chatbot will prompt the user to reformulate or specify his concerns in order to provide the proper information.
Statistics Canada will not alter any information that may be voluntarily submitted by users, and that information will be retained only for three months. Because that information is not required and will not be used or disclosed, its accuracy in the context of this activity is irrelevant.
Principle 6: Disposal
Voluntarily shared personal information will be in digital format. Disposal of such information will be done directly from the chatbot system.
Technology and privacy issues
- There will be no change to the business requirements. The same principles and guidelines applicable to email communication via Respondent Relations, the existing communication service, will be applied to chatbot.
- The existing communication tools, as well as the addition of chatbot, comply with privacy obligations.
- A privacy notice before using chatbot will notify users that their information will remain protected under the Privacy Act.
Principle 7: Limiting use
The information will be used to improve Statistics Canada's services and to make data more accessible to the Canadian population. The information is used only by Respondent Relations and Social Media agents and their supervisors to ensure the quality of the service provided and to meet user needs. However, the use of personal information is not required for the chatbot to operate.
Once the chatbot is launched, an automated message will appear to inform users not to share personal information.
Principle 8: Limiting Disclosure
Statistics Canada will not disclose personal information from the chatbot, without the consent of the respondent or unless as permitted by the Statistics Act. Access to any information obtained under the authority of the Statistics Act is restricted to employees who must swear an oath of confidentiality under the Act and who also have a need-to-know as part of their job duties.
Principle 9: Safeguards
Statistics Canada takes seriously its legal obligation to safeguard the personal information of all Canadians. The agency has had in place a framework of policies, directives, procedures and practices to safeguard protected information, including personal information, against loss, theft, unauthorized access or disclosure; they are supported by physical, organizational and technological measures that protect all the personal information that Statistics Canada holds.
Access will be restricted solely to Respondent Relations, CHL and Web2Social agents and supervisors located in the National Capital Region office. The information will be protected by existing mechanisms, such as the following:
- When logging into a work session on the computer, agents and supervisors must enter their protected, confidential username and password.
- Personal information voluntarily received from clients will pass through the site only to measure performance, productivity, and the quality of the service provided by Respondent Relations, CHL and Web2Social agents, and to answer users' questions. Briefly, the information will help measure accuracy of answers and it will allow us to remain at the dawn of new topics emerging to rehabilitate our content.
- The information will be stored only on Statistics Canada's internal platform; the information will not be disseminated or printed.
- Information passing over the Internet will be secured by HTTPS. It will then be stored on Statistics Canada's Cloud that meets the stronger IT security requirements. In addition, vulnerability analyses of the Census Chatbot have been conducted by Statistics Canada's Cyber Security Division. They completed a Security Assessment and Authorization (SA&A), and an interim Authority to Operate (iATO) was granted for a one-year period (Jan 2024-Jan 2025).
- The software used contains an option to hide the IP address, and that option will be used to prevent the storage of IP addresses.
Upon discovery of an actual or suspected privacy breach (however unlikely), the steps described in Section 8 would be taken.
Principle 10: Openness
Statistics Canada produces specific, easily accessible information about its policies and practices on the management and protection of personal information. Information on the use of personal information, in the form of a Privacy notice, can be read on the agency's website at www.statcan.gc.ca.
Summaries of approved privacy impact assessments are also available from the website, under "About Statistics Canada – Privacy Impact Assessments"
Information on the Statistics Canada website related to policies and procedures
The agency's Privacy Notice can be found under "About us – Terms and conditions and Privacy" on the Statistics Canada website, where there is also information about:
- the agency's Privacy Framework
- protecting confidential information and privacy at Statistics Canada;
- privacy-related policies and practices at Statistics Canada;
- what record linkage is and how it is used at Statistics Canada;
- Statistics Canada's Directive on Microdata Linkage;
- approved linkages at Statistics Canada, with their purpose, description and output
Statistics Canada's Trust Center also provides answers to questions on the security, privacy and confidentiality of personal information.
Contacts for further information
For further information about NetSupport, the contact person is:
Program Manager of the Business Integration, Collection, Planning, and Research Division
Statistics Canada
150 Tunney's Pasture Driveway
Ottawa, Ontario K1A 0T6
Telephone: 902-220-9153
Email: Patrick.Ellis@statcan.gc.ca
Principle 11: Individual Access
The collection of personal information through the Census communications chatbot is described in the Personal Information Bank (Public Communications – PSU 914), which is published in Statistics Canada's Information about Programs and Information Holdings chapter.
Upon request, Statistics Canada will provide users with access to their personal information held by the agency.
If users wish to submit a formal request for access to their personal information under the Privacy Act, the contact person at Statistics Canada is:
Access to Information and Privacy Coordinator
Statistics Canada
R.H. Coats Building, 2nd floor
100 Tunney's Pasture Driveway
Ottawa, Ontario K1A 0T6
Telephone: 613-951-0466
E-mail: statcan.atip-aiprp.statcan@statcan.gc.ca
Section 6: Threat and risk assessment
The purpose of this section is to assess the consultation for potential threats and risks that could compromise privacy. It outlines Statistics Canada's existing safeguards, the probability of occurrence of the threat, and the severity of the impact as it relates to the privacy and protection of participants' information.
Statistics Canada currently uses numerous safeguards to reduce threat probabilities. These safeguards are described in agency policies, practices, tools and/or techniques.
The ratings for threat probability, impact and residual risk are defined and presented as follows
Threat: An undesirable event with the potential to compromise privacy or breach data confidentiality.
Threat probability: The likelihood that the threat will occur, given Statistics Canada's existing safeguards. The threat probability is rated numerically.
- Level 1: The threat can only come about through the use of very specialized knowledge and/or costly specialized facilities and/or a sustained effort. The threat is unlikely to occur.
- Level 2: The threat requires some specialized knowledge and/or facilities and/or a special endeavour to create or take advantage of the threat opportunity. The threat is somewhat likely to occur.
- Level 3: The threat opportunity is widely available and can occur either intentionally or accidentally with little or no specialized knowledge and/or facilities. The threat is very likely to occur.
Impact: The effect on a participant's privacy in the event that a threat comes to fruition and their information is compromised. The level or degree of impact is expressed in terms of outcome severity as it relates to individual privacy.
- Level 1: Minor injury with no or minimal harm or embarrassment to the individual.
- Level 2: Moderate injury causing some harm or embarrassment to the individual, but with no direct negative effects.
- Level 3: Severe injury such as lasting harm or embarrassment that will have direct negative effects on an individual's career, reputation, financial position, safety, health or well-being.
Residual risk: A numeric rating is given following an evaluation and comparison of the threat probability and the impact on privacy.
Threat and Risk Assessment Grid
Chatbot on Statistics Canada's website
While the Chatbot does not collect personal information and users are instructed not to include any personal information in the chat, the following addresses any risks should any personal information be inadvertently or voluntarily included and compromised before it gets manually removed by deemed Respondent Relations employees.
| Threats | Existing Statistics Canada Safeguards |
Probability | Impact | Residual Risk | Assessment of Residual Risk |
|---|---|---|---|---|---|
| Environment: Risk associated with users' privacy – within Statistics Canada | |||||
| Activity: access to chatbot | |||||
| 1. There is unauthorized access to NetSupport by a non-Statistics Canada employee. | Access to the Cloud on which chatbot is hosted is restricted to a small number of Statistics Canada employees and deemed employees of Shared Services Canada who provide services to Statistics Canada. IT security measures include protection by firewall, configuration and access via Statistics Canada's internal network on local Network B. Access to the system requires a username and password reserved for authorized employees of the Respondent Relations, CHL and Web2Social teams. | 1 | 1 | 1 | Acceptable |
| 2. There is unauthorized access to NetSupport by a Statistics Canada employee. | IT security measures include access via Statistics Canada's internal network on local Network B. Access to the system requires a username and password reserved for authorized employees of the Respondent Relations, CHL and Web2Social teams. Also, employees are trained to lock their computers before leaving their offices. | 1 | 1 | 1 | Acceptable |
| 3. There is unauthorized use or disclosure of personal information | Employees have been made aware of the importance of protecting personal information and must comply with the Directive on Access to Information and Privacy. They have a legal obligation to comply with the legislative requirements of the Access to Information Act and the Privacy Act. If they fail to do comply, they are subject to the penalties set out in the legislation. Any employee who uses or discloses personal information in an unauthorized manner would receive additional training and may be subject to disciplinary follow-up. | 1 | 1 | 1 | Acceptable |
Section 7: Summary of Analysis and Recommendations
A privacy impact assessment for the chatbot was conducted to determine if there were any privacy, confidentiality and security issues associated with the program, and if so, to make recommendations for their resolution or mitigation.
This document summarizes Statistics Canada's assessment of the privacy implications of the chatbot. It includes a review of the privacy principles as they apply to the program. Also included is an assessment of the risks to the privacy, confidentiality, and security of users' information.
This assessment did not identify any privacy risks that cannot be managed using existing safeguards.
Section 8: Breach protocol
The chatbot meets agency standards for both IT and physical security. It includes password protection for access to the database/tool, configuration and use of a firewall. For this reason, the threat and risk assessment (TRA) grid rates unauthorized access by either Statistics Canada employees or individuals outside Statistics Canada as low probability.
Upon discovery of an actual or suspected privacy breach (however unlikely), the following steps, in accordance with the Statistics Canada Information and Privacy Breach Protocol, would be taken:
- Immediate notification of the Chief Security Officer and the Chief Privacy Officer. Response could include suspending operation of the chatbot activities.
- In collaboration with Departmental Security and IT Security, there would be an internal investigation that would include recommendations to prevent any recurrence. Any investigation would document in detail the circumstances that gave rise to the privacy breach, and determine what information may have been breached, the impact of the breach, and what measures have been introduced to eliminate the risk of any subsequent breach.
- In the case of a "material privacy breach", in accordance with the TBS Directive on Privacy Practices, Statistics Canada would notify the Office of the Privacy Commissioner (OPC) and the Treasury Board Secretariat (TBS). "Material breaches" are those involving sensitive personal information and that could reasonably be expected to cause serious injury or harm to the individual.
- Depending on the nature of the breach, impacted individuals would be provided with an explanation of the situation and the steps being taken to remove the information from the possession of those not authorized to have it. Individuals would also be informed that they have the right to file a complaint with the Office of the Privacy Commissioner (OPC). The OPC and TBS would be informed of the individual(s) whose information was disclosed, the investigation and what actions have been taken to prevent a re-occurrence.
Section 9: Supplementary Documents List
Appendix 1 – PIA Summary
Appendix 2 – Privacy notice
Appendix 1 – PIA Summary
Census Chatbot
Privacy Impact Assessment Summary
Introduction
To improve respondent services, Statistics Canada is introducing a chatbot on its Census website as a new communications method. This automated communication and service channel aims to help Census respondents anonymously submit questions and obtain more timely responses in a positive and secure online experience. This technology will improve services and assist respondents in their questionnaire needs, in addition to creating a positive and secure online experience.
While Statistics Canada already provides a Contact us formFootnote 3 where users can submit questions, the chatbot will automatically provide answers instead of waiting the general 5 to 10 business days to receive a response.
Objective
A privacy impact assessment for Chatbot was conducted to determine if there were any privacy, confidentiality or security issues with this program and, if so, to make recommendations for their resolution or mitigation.
Description
The chatbot will be of particular value when Statistics Canada conducts census activities. During the 2021 Census collection cycle, the Census Help Line (CHL) received over 2 million calls. This unprecedented volume led to 1.2M not being answered due to limited resources. Equally, Statistics Canada's Respondent Relations Unit received 63,000 emails and 7,000 pieces of mail, five times the amount received in the previous census, and the social media (Web2Social) team received numerous complaints regarding the lack of immediate response, long phone queues, or dropped calls.
The chatbot does not collect any personal information and a privacy notice (see Appendix 2) statement will be provided to users at the beginning of the chat session instructing them not to share any personal information and advising users who nevertheless include PI, what will happen in such instances. The chatbot will use Artificial Intelligence (AI) to detect keywords to answer a user's question. If a user requires further assistance, the chatbot will transfer the conversation to a live chat agent. The chatbot was initially trained on extracted content from 2021 Census Questions and Answers (e.g., What is a census letter? Where can I find my secure access code?) and will keep training on new content that will be added as needed. As the chatbot does not make any administrative decisions on individuals, an Algorithmic Impact Assessment is not required.
The chatbot software and licenses have been acquired by Statistics Canada from a service provider. It has been integrated into Statistics Canada's website structure in a development environment prior to being moved to its production environment on January 15, 2024. A full security assessment was completed on January 9, 2024 with a risk management input (RMI) assessed as a very low.
Risk Area Identification and Categorization
The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:
| a) Type of program or activity | Risk scale |
|---|---|
| Program or activity that does not involve a decision about an identifiable individual. | 1 |
| b) Type of personal information involved and context | |
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 |
| c) Program or activity partners and private sector involvement | |
| Within the institution (among one or more programs within the same institution) | 1 |
| d) Duration of the program or activity | |
| Long-term program or activity. | 3 |
| e) Program population | |
| The program's use of personal information for external administrative purposes affects certain individuals. | 3 |
| f) Personal information transmission | |
| The personal information is transmitted using wireless technologies. | 4 |
| g) Technology and privacy | |
| Power Microsoft Agent (chatbot) from Microsoft Dynamics is being implemented to facilitate a new communication method via chatbot to improve Statistic Canada's services and promote direct communication with data users and survey respondents. Integrating Power Microsoft Agent (chatbot) from Microsoft Dynamics code into the website will require changes to our IT systems to enable integration of the code in the infrastructure. Specific technological issues and privacy |
|
| h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee. | |
| Users will be advised to not provide any personal information when a chat session is opened. If provided, it will not be used and will be destroyed after three months. Therefore, the risk of some personal information being disclosed without proper authorization is very low, and the impact on the individual would be low. | |
| i) Potential risk that in the event of a privacy breach, there will be an impact on the institution. | |
| Users will be advised to not provide any personal information. If provided, it will not be used and will be destroyed after three months. Therefore, the risk of certain personal information being disclosed without proper authorization is very low, and the impact on the institution would be low. | |
Conclusion
This assessment of the Chatbot did not identify any privacy risks that cannot be managed using existing safeguards.
Appendix 2 – Privacy Notice Statement
When the chatbot box opens a privacy notice will appear in a banner at the top of the chat window.
Shorter version of Privacy Notice for chatbot banner (600-character limit (with space)):
The chatbot is designed to assist you with general inquiries related to Census. Please do not include any personal information, such as your name, address, or other identifying information.
If you have any concerns or specific issues that require personalized assistance, we recommend reaching out to our dedicated support channels, where trained professionals will be happy to help you.
For more details, visit the Privacy section of (webpage name).
Detailed Privacy Notice available to respondents on (hyperlink to StatCan webpage):
The chatbot is designed to assist you with general inquiries related to Census. Please do not include any personal information, such as your name, address, or other identifying information, as it is not required for general inquiries related to the Census.
If nevertheless users decide to share personal information, such information would be manually removed from chatbot transcripts. These transcripts could be anonymously retained for a three-month period for service evaluation purposes in the form of a compilation for the purpose of assessing quality of the service and to meet user needs.
If you have any concerns or specific issues that require personalized assistance, we recommend reaching out to our dedicated support channels, where trained professionals will be happy to help you.
If you have questions, please visit our website at www.census.gc.ca where you can also chat online with us, or contact us at 1-833-835-2024. Respondents with access to TTY (for persons who have a hearing or speech impairment) should call 1-833-830-3109. Video relay services (VRS) can also be used.