Introduction
Statistics Canada is modernizing its methods of providing access to data under federal legislation and Government of Canada security protocols to improve its service. As part of this initiative, Statistics Canada will introduce the use of authorized workspaces, in addition to designated certified rooms where the virtual data lab may be accessed, to allow federal government employees access to anonymized data (direct personal identifiers removed) from Statistics Canada's household and business survey and administrative data holdings.
Objective
This privacy impact assessment explores privacy and security risks associated with accessing anonymized data in authorized workspaces outside of the designated certified room at the Canada Mortgage and Housing Corporation (CMHC) virtual Federal Research Data Centre (vFRDC) and makes recommendations for issue resolution or mitigation. Statistics Canada is piloting modern data access methods to increase collaboration with trusted partners and to fully realize the potential of the data holdings created for the public good while ensuring that all data assets are protected against unauthorized use and disclosure.
Description
Building on the first prototype, where secure data access to anonymized data for statistical research projects is provided through the Virtual Federal Research Data Centre (vFRDC) located at CMHC headquarters in Ottawa, Statistics Canada and CMHC have entered into an agreement to regulate access for approved CMHC employees to use anonymized research files in authorized workspaces outside of the designated certified room. CMHC will benefit from this access by being able to create statistical information to improve policy decision-making, specifically for the Federal Government's National Housing Strategy.
The anonymized data are housed only on secure servers at Statistics Canada headquarters, and authorized researchers will be required to use Statistics Canada secure encrypted devices in the workspaces to connect to these central servers through a Virtual Desktop Image (VDI). Statistics Canada's Confidentiality Classification Tool (CCT) is used to determine the level of sensitivity of the content of the data files and to determine which anonymized data files have a moderate to low risk of re-identification. Anonymized data accessed in authorized workspaces are less sensitive than the data accessed in the designated certified room, in that one or more of the following measures apply to reduce identifiability: the data are based on an inherently less sensitive topic, have been perturbed to increase disclosure protection, have had sensitive variables removed from the file, or contain additional aggregation for sensitive variables. Statistics Canada's most sensitive anonymized data will only be accessed from the designated certified room.
Statistics Canada will continue to evaluate this prototype for its security, privacy and user-centric improvements to data access. Statistics Canada will analyze any incidents related to violations of security protocols and implement additional mitigation factors if necessary.
Risk Area Identification and Categorization
The PIA also identifies the risk areas and categorizes the level of potential risk (level 1 representing the lowest level of potential risk and level 4, the highest) associated with the collection and use of personal information of employees.
- Type of program or activity – Level 1: Program does NOT involve a decision about an identifiable individual
- Type of personal information involved and context – N/A: Only anonymized data held by Statistics Canada are accessed and used by authorized researchers in this pilot.
- Program or activity partners and private sector involvement – Level 2: With other government institutions.
- Duration of the program or activity – Level 3: Long-term (ongoing) program.
- Program population – N/A: The program's use of personal information is not for administrative purposes. Information is accessed for statistical purposes, under the authority of the Statistics Act.
- Personal information transmission – Level 2: The personal information is used in a system that has connections to at least one other system.
- Technology and privacy: The pilot does not involve the implementation of new technologies.
- Privacy breach: There is a very low risk of a breach resulting in some of the personal information being disclosed:
  - The impact on the individual would be minimal, as the information is not linked to an individual's name, address or any other personal identifiers.
  - The impact on the institution would be moderate, resulting in a possible loss of trust and a small impact on the reputation of Statistics Canada.
Conclusion
Access to Statistics Canada's anonymized data in an authorized workspace will improve the user experience of data access while maintaining secure disclosure control.
Statistics Canada has ensured that there are measures in place that meet central agency and Statistics Canada security standards for the protection of personal information.
This assessment concludes that, with the existing safeguards and ongoing monitoring, any remaining risks are such that Statistics Canada is prepared to accept and manage the risk.