Introduction

The Social Data Linkage Environment (SDLE) builds on past record linkage experience to make possible a program of pan-Canadian socio-economic record linkage research. A well structured and regulated program of record linkage is required to: a) increase the relevance of existing Statistics Canada surveys without the need to collect new data or re-collect data held by other data sources; b) maintain the relevance of longitudinal surveys that have been terminated, including the National Population Health Survey, the National Longitudinal Survey of Children and Youth, the Youth in Transition Survey, the Longitudinal Survey of Immigrants to Canada and the Survey of Labour and Income Dynamics; c) substantially increase the use of administrative data; d) replace or supplement existing data collection programs in the social domain; e) maintain the highest data privacy and security standards.

Objective

A privacy impact assessment for the Social Data Linkage Environment was conducted to determine if there were any privacy, confidentiality and security issues associated with the program, and if so, to make recommendations for their resolution or mitigation.

Description

Statistics Canada has responsibility for securely storing and processing data sets and for the production of analysis files needed to carry out approved research studies. Because SDLE research projects will involve the use of linked records, approval on a study-by-study basis will also be required from Statistics Canada’s senior management in accordance with the Statistics Canada Directive on Record Linkage. A Derived Record Depository and separate Key Registry will be created to reduce privacy risks and to improve the efficiency and quality of the linkages.

The Derived Record Depository (DRD) is created by linking various Statistics Canada data files for the purpose of producing a list of unique individuals. Each individual in the DRD is assigned an anonymous SDLE identifier. The identifier is randomly assigned and has no value outside of the SDLE. Some of the data files used for the DRD include the Census of Population and National Household Survey, T1 Personal Master Files (Tax), Canadian Child Tax Benefits (CCTB) files, the Canadian Birth Database (CBDB), the Canadian Mortality Database (CMDB), the Landed Immigrant Database and the Indian Registry. The DRD is an unduplicated national longitudinal file and will be updated through further record linkages on an ongoing basis.

Only basic personal identifiers are stored in the DRD. Survey data from the various input databases are not required to create the DRD and will not be stored within the DRD. The DRD will initially be comprised of the following personal identifiers: Surnames; Given names; Date of birth; Sex; Marital status; Date of landing/immigration; Date of emigration; Date of death; Social Insurance Numbers (SIN), Temporary Taxation Numbers (TTN), Dependant Identifier Numbers (DIN); Spouse’s SIN/TTN; Dependant/Disabled individual SIN/TTN/DIN; Parent SIN/TTN; Health Information Numbers; Addresses; Address Registry Unique Identifier (ARUID); Standard Geography Classification (SGC) codes; Telephone numbers; Spouses’ surname; Mother’s surname; Father’s surname; Alternate surname and a Statistics Canada-generated sequential identification number for each individual identified through the annual Derived Record Depository linkage process. Access to the Derived Record Depository will be restricted to the Statistics Canada employees responsible for its development and maintenance.

The paired SDLE IDS and source file Record Ids identified through the record linkage will be stored in a separate Key Registry. Once a study cohort has been defined, these “linkage keys” can then be used to find the records associated with cohort members across the databases comprising the SDLE. This approach creates a virtual linkage environment which eliminates the need to build a large integrated database. Under SDLE, all survey data will continue to reside in their current locations and be maintained under existing arrangements. Thus, the SDLE is an environment in which data sources can be brought together to create an analysis file for specific, approved linkage studies. The SDLE does not house a large, integrated database of information from across survey data sources.

Risk Area Identification and Categorization

The PIA also identifies the risk areas and categorizes the level of potential risk (level 1 representing the lowest level of potential risk and level 4, the highest) associated with the collection and use of personal information of respondents.

• Type of program or activity – Level 1: Program or activity that does not involve a decision about an identifiable individual.
• Type of personal information involved and context – Level 3: Social insurance number, medical, financial, or other sensitive personal information, or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
• Program or activity partners and private sector involvement – Level 1: Within the institution (among one or more programs within the same institution).
• Duration of the program or activity – Level 3: Long-term program or activity.
• Program population – Not applicable: The program’s use of personal information is not for administrative purposes. Information is collected for statistical and related research purposes, under the authority of the Statistics Act.
• Personal information transmission – Level 1: The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system, and the circulation of hardcopy documents is controlled).
• Technology and privacy: The program involves a modified version of the Longitudinal Health and Administrative Data (LHAD) Initiative methodology. It uses the LHAD data model but replaces LHAD’s Health Client Registries (health insurance client registries provided by provincial ministries of health) with a Derived Record Depository (DRD) using data collected or held by Statistics Canada. The program involves automated personal information processing, and personal information matching techniques for statistical analysis purposes only.
• Privacy breach: There is a very low risk of a breach of some of the personal information being disclosed without proper authorization. The impact on the individual would be low because personal identifiers such as a person’s name or address are never stored with survey or administrative data. Personal identification data are stored in separate index files that are only accessed by a small number of Statistics Canada staff whose work requires access.

Conclusion

This privacy impact assessment has not identified any outstanding issues relating to confidentiality or security. Confidentiality of information maintained in the secure environment of Statistics Canada is governed by the Statistics Act and the Agency has an exemplary record in that regard. Similarly, from a security perspective, Statistics Canada has had in place for many years, security policies and practices that are now just becoming a best practice in many other organizations.

Many activities of Statistics Canada–like the SDLE–by their very nature are privacy intrusive. Although a number of potential privacy concerns were identified, this assessment concludes that with the mitigation measures that have been put in place, any remaining risks are either negligible or are such that Statistics Canada is prepared to accept and manage the risk.

Introduction

Statistics Canada developed the conference online registration system to allow potential conference participants to complete their registration via its website, which will reduce the amount of manual intervention. The introduction of this system will also simplify the registration process for conference organizers.

Objective

A privacy impact assessment of the conference online registration system was conducted to determine if there were any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

The conference online registration system will provide participants with a self-serve option to register for upcoming conferences and allow presenters to submit abstracts for their presentation or display.

Participants will be asked to enter personal information such as salutation, name, organization, division, title, mailing address, phone number and email address, and indicate their choice of package (with or without a workshop), choice of meal, if applicable, and method of payment.  Personal information of participants will be used to contact them to complete the registration process and payment. Where consent is provided, their name and organization will be printed in a participant list and distributed at the conference.

Conclusion

The privacy impact assessment of the conference online registration system did not identify any privacy risks that cannot be managed using existing safeguards.

Revisions

The Canadian International Merchandise Trade Statistical Program of Statistics Canada produces monthly International Merchandise trade values, price indices and volume indices on both a Customs and Balance of Payments (BOP) basis. These figures are prepared under very tight deadlines and depend primarily on large volumes of administrative records received from the Canadian Border Services Agency and the United States Customs and Border Protection Agency. In accordance with the agreement on the exchange of import data, Canadian and United States international merchandise trade data are released simultaneously by Statistics Canada and the United States Census Bureau approximately 35 days after the end of the reference month.

In addition to being a closely watched indicator in its own right, merchandise trade data are a critical input to the System of National Accounts and BOP basis data are prepared in accordance with the System of National Accounts concepts, definitions, and revision schedule in mind. While the Customs data are available on the day of release, it is the seasonally adjusted BOP based data series, along with the associated price and volume indices, that are the focus of the monthly release in the Daily.

Factors influencing revisions include late receipt of import and export documentation, incorrect information on customs forms, replacement of estimates produced for the energy section with actual figures, changes in classification of merchandise based on more current information, and changes to seasonal adjustment factors. In general, merchandise trade data are revised on an ongoing basis for each month of the current year. Current year revisions are reflected in both the Customs and Balance of Payments based data.

The previous year's Customs data are revised with the release of the January and February reference months as well as on a quarterly basis. The previous two years of Customs based data are revised annually and are released in February with the December reference month. Previous year's BOP based data are revised with the release of the January, February, March and April reference months. Revisions to BOP based data for previous years are released annually in December with the October reference month.

Seasonal Adjustment

Seasonal adjustment of Customs and BOP values and indices is performed at an aggregated commodity grouping level. Customs and BOP values are also seasonally adjusted at the principal trading partner level of geographical detail. Monthly fluctuations can occur as a result of weather patterns, number of trading days, roving holidays (such as Easter) and institutional factors (such as scheduled factory shut downs). In order to isolate turning points or trends in the basic data, it is necessary to eliminate this effect of seasonal movement. To remove seasonal fluctuations from time series, Statistics Canada uses the SAS® X12 procedure (SAS Institute Inc., 2010),  as well as an adaptation of the U.S. Census Bureau X-12-ARIMA Seasonal Adjustment program (U.S. Census Bureau, 2010).  The seasonal adjustment process is applied following the Statistics Canada Quality Guidelines.

Revised data are available in the appropriate CANSIM tables.

Reference

SAS Institute Inc. (2010), "The X12 Procedure", SAS 9.2 Documentation: SAS/ETS 9.22 User's Guide, Cary, NC: SAS Institute Inc.

U.S. Census Bureau (2010), X-12-ARIMA Seasonal Adjustment Program, Version 0.3, Washington, DC.

The Canadian international merchandise trade statistical program

Introduction

The objective of this text is to provide a general overview of the Canadian International Merchandise Trade Statistical Program, with special reference to concepts and definitions.

Conceptual framework

1. Objectives and coverage: The primary objective of the Canadian International Merchandise Trade Statistical Program is to measure the change in the stock of material resources of Canada resulting from the movement of merchandise into or out of the country. Information on imports and exports are inputs into the System of National Accounts, particularly in the Balance of Payments and Gross Domestic Product, and are used in the formulation of trade and budgetary policies. Governments, importers, exporters, manufacturers and shipping companies use international merchandise trade statistics to:

• monitor import penetration and export performance
• monitor commodity price and volume changes
• examine transport implications

2. Trade statistics (Customs basis / Balance of Payments basis): Merchandise trade statistics are reported and presented on two different bases: Customs basis and Balance of Payment basis.

When goods are imported into or exported from Canada, declarations must be filed with the Canada Border Service Agency (CBSA), giving such information as description and value of the goods, origin and port of clearance of commodities and mode of transport. Most of this information is required for the purposes of Customs administration. Statistics developed from administrative records of Customs are commonly referred to as Customs-based trade statistics.

Customs-based export statistics may understate or incorrectly portray the destination of exports. Exports are incorrectly portrayed when the country of final destination is inaccurately reported on the Customs documentation. This occurs most frequently when goods are routed through an intermediary country before continuing on to their final destination.

Statistics Canada does not have a direct measure of undercoverage, however a monthly estimated adjustment is included within BOP based data.

On January 1, 1990, Canada entered into a memorandum of understanding with the United States concerning the exchange of import data. As a consequence, each administration is using the other's import data to replace its own export data. Canada's international merchandise trade statistics are, therefore, no longer derived exclusively from the administrative records of the Canada Border Services Agency, but from United States Customs records as well.

Customs-based information is adjusted to conform to the National Accounts concepts and definitions. The adjustments to derive Balance of Payments-based trade data include adjustments related to trade definition, valuation and timing. The principal difference between the two trade concepts is that Customs-based merchandise trade statistics cover the physical movement of goods as they are reflected in Customs documents while Balance of Payments-adjusted data are intended to cover all economic transactions that involve merchandise trade between residents and non-residents.

3. System of trade: Canadian trade statistics are compiled according to the general system of trade, as defined by the United Nations Statistical Office. Under this system, imports include all goods that have crossed Canada's territorial boundary, whether for immediate consumption in Canada or for storage in bonded Customs warehouses. Domestic exports include goods grown, extracted or manufactured in Canada, including goods of foreign origin that have been materially transformed in Canada. Re-exports are exports of goods of foreign origin that have not been materially transformed in Canada, including foreign goods withdrawn for export from bonded Customs warehouses. Total exports are the sum of domestic exports and re-exports. Thus the general trade system, in principle, presents all goods entering the country (imports) and all goods leaving the country (exports). It differs from the special system of trade in the treatment of imported goods into bonded Customs warehouses. Conceptually, under the general system, the statistical frontier coincides with the geographical boundary.

4. Valuation: For Customs purposes, imports are recorded at values established according to the provisions of the Customs Act, which, since January 1, 1985, reflects valuation methods based on the General Agreement on Tariffs and Trade (GATT) Valuation Code System. In general, the value for duty of imported goods must be equivalent to the transaction value or the price actually paid.

The transaction value of imported goods includes all transportation and associated costs incurred up to the point of direct shipment to Canada. Therefore, Canada's imports are valued Free on Board (FOB), place of direct shipment to Canada. It excludes freight and insurance costs in bringing the goods to Canada from the point of direct shipment.

For countries other than the United States, exports are recorded at the value declared on export documents, which usually reflect the transaction value (i.e., actual selling price or, in the case of a non-arm's length transaction, the transfer price used for company accounting purposes). Canada's exports to overseas countries are valued at FOB port of exit, including domestic freight charges to that point but net of discounts and allowances. As of January, 1990, Canada's exports to the U.S. are valued FOB point of exit from Canada. Prior to 1990, they were valued FOB place of lading net of freight charges, discounts and allowances.

5. Statistical period: The closing of the statistical month for imports and exports is defined as the last calendar day of the month based on the date of clearance from Customs.  Documents received too late for incorporation in the current month are assigned to the month the transaction took place and are published the following statistical month.

6. Trading partner attribution (country of origin/destination): Exports are attributed to the country that is the last known destination of the goods at the time of export. Exports to the United States are attributed to the state of destination.

On a custom basis, imports are attributed to their country of origin, that is, the country in which the goods were grown, extracted or manufactured in accordance to the rules of origin administered by the Canada Border Services Agency. On a balance of payments, the imports are attributed to the country of export instead of the country of origin to reflect the change in ownership of the goods (with no adjustment for exports). Imports from the United States are attributed to the state of origin.

7. Principal Trading Partners (PTPs): The list of PTPs is based on their annual share of total trade—merchandise imports and exports—with Canada in 2012. The countries included in the list of PTPs are the following:

List of Canada's Principal Trading Partners

• United States
• European Union
  • United Kingdom
  • Germany
  • Netherlands
  • France
  • Italy
  • Belgium
  • Spain
• China
• Mexico
• Japan
• South Korea
• Hong Kong
• Brazil
• Algeria
• Norway
• India
• Switzerland
• Saudi Arabia
• Turkey
• Taiwan
• Peru
• Australia
• Iraq
• Indonesia
• Singapore
• Russian Federation

8. Legal framework: Import and export statistics with countries other than the United States are derived from information contained in administrative records collected by the Canada Border Services Agency under the Customs Act. Copies of these documents (or information therefrom) are sent to Statistics Canada in accordance with Section 25 of the Statistics Act. It follows that the disclosure of trade statistics is governed by both the Customs Act and the Statistics Act and is subject to the provisions of Section 17(2)(a) of the latter. Disclosure of export statistics to the United States is governed by a memorandum of understanding that provides for the exchange of detailed import statistics between Canada and the United States.

Contact information

Telephone: 1-800-263-1136 
Facsimile: 1-877-287-4369
Internet:infostats@statcan.gc.ca

Introduction

Statistics Canada is facing increasing demands from researchers for access to detailed microdata. In recent years, Statistics Canada has looked at ways to meet these demands balancing at the same time the legislative requirement to protect the confidentiality of respondent data. One option that Statistics Canada has decided to develop is a Real Time Remote Access (RTRA) Application which is already used by a number of other statistical agencies throughout the world. This application is essentially an on-line remote access facility allowing users to run, in real time, data analyses on microdata or lightly masked microdata sets, defined as confidential under the Statistics Act, that are kept in a central and secure location under the control and care of Statistics Canada.

Objectives

A privacy impact assessment of the pilot version of the Real Time Remote Access Application for Household Cross Sectional Surveys was conducted to identify any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

The model developed for the current prototype of the application is similar to the one used by the National Center for Health Statistics in the United States. A limited number of researchers in other federal government departments are issued a username and password so they can remotely submit SAS programs to a secure Statistics Canada server. The submitted job requests use a modified version of SAS that will place limits on their requests and the subsequent outputs. Before being sent back to these researchers, results will be vetted to prevent disclosure of confidential information.

Conclusion

This privacy impact assessment did not identify any privacy risks that cannot be managed using either present safeguards or others that have been specifically developed for the pilot of the Real Time Remote Access Application for Household Cross Sectional Surveys. Because the development of a real time remote access application is a multi-year project, it will be necessary to provide regular updates to this assessment if there are any additional changes to the application.

Introduction

The Canadian Cancer Registry is an administrative survey that collects information on cancer incidence in Canada. A collaborative effort between the thirteen Canadian provincial and territorial cancer registries and Statistics Canada, the registry has been developed to provide Canadian incidence and survival information required for cancer control from a standardized, patient-oriented, updateable database. Its holdings are used for statistical purposes only.

Objectives

A privacy impact assessment for the Canadian Cancer Registry was conducted to determine if there were any privacy, confidentiality and security issues associated with the program, and if so, to make recommendations for their resolution or mitigation.

Description

The provincial and territorial cancer registries provide data to Statistics Canada. Each registry supplies information for new cancer patients and new cancer tumours in a standard format. This privacy impact assessment examined possible privacy risks related to the receipt, processing and the return of information back to provincial and territorial cancer registries as well as the transmission of cancer microdata to other organizations.

While the method of transmittal of files to Statistics Canada is the responsibility of the cancer registries, the Agency encourages these organizations to follow Statistics Canada's standards for the transmittal of sensitive statistical information. This includes sending electronic data and images on encrypted or password-protected compact discs and sending any encryption keys or passwords separately. Use of bonded couriers is recommended also for the delivery of compact discs and paper copies of reports.

Upon receipt by Statistics Canada, all Canadian Cancer Registry information is provided the same level of security afforded to all information obtained under the authority of the Statistics Act. As well, the return of records to the registries and transmission of microdata to other organizations complies with Agency procedures for the protection of sensitive statistical information.

Conclusion

This assessment of the Canadian Cancer Registry did not identify any privacy risks that cannot be managed using existing safeguards.

Introduction

The Human Resources Branch Service Request Management (HR-SRM) application serves as a mechanism for employees to submit electronic requests related to compensation, staffing, training, human resources planning reports and inquires to the Agency’s Official Languages section. The HR-SRM is part of the Agency’s Helpdesk Expert Automation Tool Service Request Management application which is also used by Statistics Canada’s Informatics Technology Services Division to handle and manage IT-related requests from employees.

Objective

A privacy impact assessment for the Human Resources Branch Service Request Management Phase 2 application was conducted to determine if there were any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

Statistics Canada’s Human Resources Branch (HRB) has identified a need to change the process by which employees submit requests to the various sections in Human Resources Branch. In order to streamline the work flow and improve service to human resources clients (i.e., employees), modifications are being made to the Agency’s Helpdesk Expert Automation Tool Service Request Management application. This allows employees to use a common application to submit inquiries electronically to the various HR sections as well as allowing them to view the status of their requests.

The HR-SRM also facilitates workload management in the various sections. The application includes an escalation process that will notify human resources managers if requests are not completed within a specified time frame.

Conclusion

This privacy impact assessment did not identify any privacy risks that cannot be managed using either current safeguards or others that have been specifically developed for the implementation of the HR-SRM Phase 2.