2006 Census of Population - Privacy impact assessment summary

Introduction

In Canada, the census of population is conducted every five years. It provides a snapshot of the population: its size and geographic distribution as well as its demographic, socio-cultural and socio-economic characteristics. The data produced are used widely by all levels of government for policy planning and program administration. Population estimates based on census counts are used to determine fiscal transfers between levels of government. Aggregated census data are also used by the private sector, educators and the general public.

Statistics Canada will be conducting the 2006 Census of Population on May 16th, 2006.

Objectives

A privacy impact assessment for the 2006 Census of Population was conducted to determine if there were any privacy, confidentiality and security issues associated with the census, and if so, to make recommendations for their resolution or mitigation.

Description

The 2006 Census of Population will collect detailed socio-demographic information on individuals and households through a long-form questionnaire which is completed by approximately one household in five. The remaining Canadian households will receive a short-form questionnaire asking basic demographic questions. Response to both questionnaires is mandatory under the Statistics Act.

Significant changes are being introduced into the collection and capture of data for the 2006 Census. The census will be more centralized and automated than in the past and respondents will be given the option of completing their questionnaire on-line as an alternative to mailing back a paper questionnaire. Questionnaires that are returned by mail will be imaged and data captured in a single Data Processing Centre using automated Optical Character Recognition technology before being edited and coded. Therefore local enumerators will no longer see the completed form and, overall, fewer people will handle respondents' information. These changes will improve the privacy, confidentiality and security of respondents' personal information.

Statistics Canada has reviewed the overall Census process and conducted a threat and risk assessment of the various collection and processing methods to be used in the 2006 Census. Some of the changes being introduced in 2006, however, warranted a more in-depth review: the use of the Internet for collection of Census data; the option of permitting use of tax records; the procurement of hardware, software and printing of questionnaires from the private sector for the 2006 Census; the capture, use and retention of names and addresses; and the implications of legislation allowing the archiving and eventual public release of Census records.

With respect to the introduction of an Internet option for completing the census questionnaire, Statistics Canada, in conjunction with the government's Secure Channel, has developed an approach that provides a much higher level of data security than that typically in place for commercial — including financial — transactions. While there are inherent risks in using the Internet, the use of Secure Channel and safeguards built into the Census application significantly reduce these risks, providing a secure and efficient on-line option to respond to the Census.

Also introduced in the 2006 Census is the option for respondents to give Statistics Canada explicit consent to obtain their income information from tax files rather than providing this information on the Census questionnaire. The questionnaire is designed to encourage the person completing it to consult each individual tax filer as to whether they grant permission or not. This option not only reduces respondent burden, but it also involves less privacy risk since sensitive income data will not appear on the census questionnaire.

The new methodology introduced for the 2006 Census required investment in hardware and systems development. Through a transparent and competitive procurement process, systems development for the Internet application, for the call centres, and for the Data Processing Centre was contracted out. To address concerns about private-sector contractors having access to Canadians' personal information, stringent security measures have been put in place to ensure that no confidential information is ever in the possession of contractors. All collection and processing of Census data is conducted exclusively by Statistics Canada employees in Statistics Canada facilities with no external connections. Regardless, all contractors must have the required security clearance and are sworn-in under the Statistics Act (thereby they are subject to sanctions for any breach of confidentiality). Contractors are under the direct supervision of Statistics Canada employees at all times. Finally, Statistics Canada is undertaking three independent Information Technology security assessments to further validate the security of contractor developed systems. With these measures, the privacy risk associated with the contracting out of work is mitigated.

The use of automated data capture from images makes it possible to capture names and addresses from Census questionnaires in a cost-effective manner. The availability of names and addresses in electronic format in turn improves the efficiency of collection, processing and evaluation activities. Other than in records retained for archival purposes, names will be retained on Census files for only a limited period of time. Strict controls have been put into place to limit access to identifiable information, such as names and addresses, which minimize the potential for misuse or disclosure of identifiable Census data.

In June 2005, Parliament passed an amendment to the Statistics Act allowing for the release of Census information by Library and Archives Canada after 92 years. For the 2006 Census and subsequent censuses, only information for persons who have given explicit consent will be released 92 years following a census. The wording of the question in the 2006 Census is designed to ensure that the responses reflect each individual's choice regarding the eventual release of their personal information.

Conclusion

This assessment concluded that the privacy risks related to the 2006 Census of Population were either negligible, were mitigated through existing safeguards or were addressed through the implementation of additional safeguards.

Human Resources Self Serve Portal - Privacy impact assessment

Introduction

The Human Resources Self Serve Portal was developed to provide desktop access to Statistics Canada employees to a wide range of personal and work-related information.

Objectives

A privacy impact assessment of the Human Resources Self Serve Portal was conducted to determine if there were any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

To make the management of a variety of employee information more efficient, the Human Resources Self Serve Portal was developed and added to Statistics Canada’s Administrative Portal. It resides on a secure internal network and access to the portal is restricted to Statistics Canada employees with a valid Statistics Canada computer account.

Prior to the Human Resources Self Serve Portal, key employee information was kept in numerous databases and files. Employees did not have direct access to these and, as a result, had to contact Human Resources Branch. For example, if an employee needed to change his/her home or mailing address, or emergency contact, a request had to be made to Human Resources Branch and an officer would then make the requested change on the file of the employee.

With the Human Resources Self Serve Portal, employees can now make changes themselves as well as having access to other personal and work-related information.

Conclusion

This privacy impact assessment did not identify any privacy risks that cannot be managed using either current safeguards or others that have been specifically developed for the implementation of the Human Resources Self Serve Portal.

Automated Access Control System and Closed Circuit Television Monitoring Program - Privacy impact assessment

Introduction

Statistics Canada is installing a new automated access control system that replaces the system that has been in place since autumn 2002. At the same time, Statistics Canada is expanding its closed circuit television monitoring program by increasing the number of cameras and adding the capability to record.

Objective

A privacy impact assessment of the new automated access control system and the closed circuit television monitoring program was conducted to determine if there were any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

The automated access control system allows Statistics Canada to maintain the security posture required by the Government Security Policy for the protection of both its employees and assets.

This new system introduces enhanced security features, such as physical barriers, to prevent forceful entry and will require employees to “swipe out” when leaving the building. A system log is automatically generated, logging the entry and exit of employees. This feature supports a greater level of safety and security for Statistics Canada employees, in particular when they are in the buildings after normal working hours, such as evenings and weekends.

Statistics Canada currently uses a limited number of closed circuit television cameras. Based on recommendations following an evaluation of its physical security posture conducted in 2007, it will be increasing the number of cameras, each of which will have the capacity to make a recording. These cameras will be placed in public areas, not in any area where persons would have an expectation of privacy.

The use of any information collected by the access control system and from the recordings made by the CCTVs will be strictly restricted to specific purposes, that is to say, security- and safety-related investigations. In all cases, any authorized use will require the approval of the Departmental Security Officer.

The personal information is part of the Personal Information Bank, Security Video Surveillance and Temporary Visitor Access Control Logs and Building Passes (PSU 907). Upon request, Statistics Canada will provide employees and others with access to their personal information related to this PIB.

Conclusion

This privacy impact assessment did not identify any privacy risks that cannot be managed using either current safeguards or others that have been specifically developed for the installation of a new automated access control system and the increased use of closed circuit television monitoring.

2006 Census On-line Recruitment Application - Preliminary privacy impact assessment summary

Introduction

In order to conduct the 2006 Census of Population and the 2006 Census of Agriculture, Statistics Canada needs to hire additional temporary staff. To facilitate this process, the Agency provides potential employees with the option of making a job application on-line via its Web site.

Objectives

A Preliminary Privacy Impact Assessment (PPIA) was conducted for the 2006 Census On-line Recruitment Application project. The purpose was to determine if there were any confidentiality, privacy or security issues associated with the project and, if so, to make recommendations for their resolution.

Description

The Preliminary Privacy Impact Assessment came to the following conclusions:

  • The project does not involve new or increased collection of personal information - a similar on-line service was offered during the 2001 Census.
  • The application requires the collection of less personal information from candidates than was the case in 2001.
  • Persons are advised of alternate means of submitting a job application if they choose not to submit one via the Internet.
  • A Threat and Risk Assessment was undertaken. It did not identify any risks to confidentiality, privacy or security of the personal information collected or used.

Conclusion

A full Privacy Impact Assessment is not required for the 2006 Census On-line Recruitment Application project.

National Routing System (NRS) Project - Preliminary privacy impact assessment summary

Introduction

The National Routing System project is a pilot initiative being undertaken to demonstrate the feasibility of setting up a federal-provincial-territorial network that will allow vital event data to be delivered from the "producing" organizations to the authorized "subscribing" organizations. The pilot project must also demonstrate that the information can be delivered in a manner which follows established security protocols designed to protect the privacy of individuals.

Objectives

The rationale for completing a Preliminary Privacy Impact Assessment (PPIA) on the National Routing System Project was to determine if any privacy risks may be associated with the NRS pilot initiative and, if so, to determine possible options for resolving those risks.

Description

The NRS is envisioned as a secure communications network that will ultimately link together provinces and territories (P/Ts), federal departments and agencies for the purpose of providing both real-time and batch exchange of vital event information. This information flow is essential to authenticate identity, to determine program eligibility and entitlement for benefits, and to update vital records databases. It will also enable improvements in data quality, timeliness and cost effectiveness for statistical programs based on vital events.

Conclusion

This Preliminary PIA Report did not identify any privacy risks that would warrant a PIA for the NRS pilot initiative. However, a review should be undertaken of the recommendations made in the Acceptance Pilot Evaluation (March 2006). If NRS design changes are contemplated, an analysis should be undertaken to determine whether or not a PIA is required.

National Contact Centre Telephone Recording Database Program - Privacy impact assessment

Introduction

The National Contact Centre Telephone Recording Database Program will assist in ensuring that the officers working in the National Contact Centre at Statistics Canada meet the Agency’s Standards of Service to the Public by permitting the efficient monitoring of calls with clients who use the 1-800 line maintained by the Agency. Information such as how agents interact with clients and how well they are able to answer their inquiries will lead to improvement in the quality of data dissemination services provided to clients.

Objectives

A privacy impact assessment for the National Contact Centre Telephone Recording Database Program was conducted to determine if there were any privacy, confidentiality and security issues associated with the introduction of the system, and if so, to make recommendations for their resolution or mitigation. The scope of the assessment looks at privacy risk both in terms of clients and employees who work as agents in the National Call Centre.

Description

Prior to the development of this application, monitoring of client calls in the National Contact Centre for purposes of training and assessment of standards of service required supervisors to listen to live incoming calls. This process was not only very time-consuming, but there was also a risk that personal, non-work calls received by an officer would be heard by the supervisor. To address these two issues, in particular the privacy-related risk, the National Contact Centre developed a Telephone Recording Database Program. The system creates digital recordings in the form of “.wav” files of all incoming and outgoing calls from the ACD system (1-800 lines). To address the related privacy issues, measures have been put in place that clarify the use and retention of these recordings.

Conclusion

This assessment of the National Contact Centre Telephone Recording Database Program did not identify any privacy risks that cannot be managed by using new and existing safeguards and procedures.

Long-term Health Outcomes Studies Program - Privacy impact assessment summary

Introduction

Since 1999, Statistics Canada's Long-term Health Outcomes Studies Program has been a fundamental part of the Health Information Roadmap, a collaborative effort among Statistics Canada, the Canadian Institute for Health Information and Health Canada. Its goal is to meet priority requirements for health information that serves to improve public health and the quality of Canada's health system.

The Long-term Health Outcomes Studies Program is carried out by the Occupational and Environmental Health Research Section of Statistics Canada's Health Statistics Division. The program oversees long-term health outcomes studies based on requests from outside clients such as Health Canada, Public Health Agency Canada, private sector employers, unions and university researchers through cost-recovery contracts.

The program uses databases created from information from Vital Statistics and the Canadian Cancer Registry programs. Occasionally, the Long-term Health Outcomes Studies Program uses additional variables obtained directly from the provinces and territories. It also uses cohort files such as records of individuals from employers and unions, health surveys, medical or clinical records or specific research groups. Finally it uses other Statistics Canada files for study and/or data quality purposes.

Most studies involve record linkages of databases and files in order to look at various health outcomes over extensive periods of time. These linkages require the approval of a senior management committee at Statistics Canada and are done on a case-by-case basis.

Objectives

A privacy impact assessment for Statistics Canada's Long-term Health Outcomes Studies Program was conducted to determine if there were any privacy, confidentiality and security issues associated with the program, and if so, to make recommendations for their resolution or mitigation.

Description

This privacy impact assessment examines the risks related to the use of information on the Canadian Birth, Stillbirth, Cancer and Mortality databases and the management of these databases; receipt of information directly from vital statistics registrars; receipt of cohort files from outside organizations/clients; the processing and linkage of cohort files to the databases; sending study or analysis files to clients either directly or indirectly; and the storage and retention of these files.

All database information and client cohort files are provided the same level of security afforded to all information obtained under the authority of the Statistics Act.

Conclusion

This assessment of the Long-term Health Outcomes Studies Program did not identify any privacy risks that cannot be managed using existing safeguards.

Longitudinal Health and Administrative Data Initiative - Privacy impact assessment

Introduction

The Longitudinal Health and Administrative Data (LHAD) Initiative is a joint research project between the provincial and territorial ministries responsible for health care and public health and Statistics Canada. The LHAD Initiative is the first collaborative project of its kind where personal health information from clinical databases routinely collected through the provincial and territorial health systems will be provided to Statistics Canada to be linked, on a study-by-study basis, with data already held by the Agency from national population health surveys, vital events (i.e., births and deaths) and cancer. The focus of the studies will be statistical in nature such as the analysis of the determinants of health of Canadians.

Objectives

A privacy impact assessment for the Longitudinal Health and Administrative Data Initiative was conducted to determine if there were any privacy, confidentiality and security issues associated with the program, and if so, to make recommendations for their resolution or mitigation.

Description

The LHAD Initiative addresses important health research that can only be undertaken by a central, national organization such as Statistics Canada. Priorities for research and an analytical plan will be established, on an annual basis, in the form of a LHAD Research Agenda. This Agenda will reflect the views of the majority of provincial/territorial LHAD Steering Committee members, who will review all research proposals and identify priorities for Canadian health statistics research to be undertaken by the LHAD Initiative.

Because LHAD research projects will involve the use of linked records, approval on a study-by-study basis will also be required from Statistics Canada's most senior management committee (Policy Committee) in accordance with the Statistics Canada Policy on Record Linkage.

Statistics Canada, as the operational arm of the LHAD Initiative, is responsible for securely storing and processing LHAD data sets and for the production of the analysis files needed to carry out the approved research studies.

An important step in the production of the analysis files will be the creation by Statistics Canada of a Key Registry, using information from the Population Registries to be provided by the provincial/territorial ministries. The Key Registry will generate and store a unique identification number for each person (the LHAD ID) which will then be attached to each record of all databases of the LHAD Initiative. As such, all records will have a LHAD ID, thus establishing the necessary infrastructure to support approved record linkages among any combination of LHAD databases. The use of the Key Registry will improve significantly the quality and efficiency of those linkages.

The use of a LHAD ID number for each person also eliminates the need to store sensitive personal information such as name and health number on the various LHAD Initiative databases. Further, by storing all sensitive personal information in a Key Registry, management of data security and access measures is much simpler and easier to control.

Conclusion

This privacy impact assessment has not identified any outstanding issues relating to confidentiality or security. The transmittal of personal health information to Statistics Canada will be carried out by means of a secure medium of transmission to ensure the security and integrity of the data. Once received into the secure environment of Statistics Canada, confidentiality is governed by the Statistics Act and the Agency has an exemplary record in that regard. Similarly, from a security perspective, Statistics Canada has had in place for many years security policies and practices that are only now becoming a best practice in many other organizations.

Many activities of Statistics Canada, like the LHAD Initiative, are by their very nature privacy intrusive. Although a number of potential privacy concerns were identified, this assessment concludes that with the mitigation measures that have been put in place, any remaining risks are either negligible or are such that Statistics Canada is prepared to accept and manage the risk.

Labour Relations and Grievance System - Privacy impact assessment summary

Introduction

The Labour Relations and Grievance System (LRGS) is a secure database containing information on grievances as well as on labour relations cases relating to Statistics Canada employees in Ottawa and in the regional offices.

Objectives

A privacy impact assessment of the Labour Relations and Grievance System was conducted to determine if there were any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

The Labour Relations and Grievance System has been developed to assist Statistics Canada's Labour Relations Advisors in managing their activities related to grievances and labour relations cases in a more consistent and secure manner.

The system has been added to Statistics Canada's Administrative Systems Portal which resides on the internal closed network (Network A). Access to the system is restricted to only a limited number of authorized employees in the Human Resources Operations Division.

The system will allow Labour Relations Advisors to document cases in a consistent manner and will permit efficient tracking through the various steps of the management of the files. The database will also facilitate the production of reports using aggregate data based on selected criteria (for example, number of grievances per year, number of grievances upheld or dismissed, history of a specific case, etc.). These reports will be used by human resources management for reporting purposes and also by the Performance Management Steering Committee to support its ongoing initiatives within the Agency.

Conclusion

This privacy impact assessment did not identify any privacy risks that cannot be managed using either current safeguards or others that have been specifically developed for the implementation of the Labour Relations and Grievance System.

Human Resources Branch Service Request Management - Privacy impact assessment

Introduction

The Human Resources Branch Service Request Management (HR-SRM) application will serve as a mechanism for employees to submit requests related to compensation and staffing. The HR-SRM will become part of the Agency’s Helpdesk Expert Automation Tool Service Request Management application which is currently used by Statistics Canada’s Informatics Technology Services Division to handle and manage IT-related requests from employees.

Objectives

A privacy impact assessment for the Human Resources Branch Service Request Management application was conducted to determine if there were any privacy, confidentiality and security issues, and if so, to make recommendations for their resolution or mitigation.

Description

Statistics Canada’s Human Resources Branch has identified a need to change the process by which employees submit requests related to compensation and staffing. In order to streamline the work flow and improve service to human resources clients (i.e., employees), modifications are being made to the Agency’s Helpdesk Expert Automation Tool Service Request Management application. Employees will not only be able to submit their compensation and staffing-related inquiries electronically, but the application will also allow them to view the status of their requests.

The HR-SRM will also facilitate workload management in the compensation and staffing areas. The application includes an escalation process that will notify human resources managers if requests are not completed within a specified time frame.

Conclusion

This privacy impact assessment did not identify any privacy risks that cannot be managed using either current safeguards or others that have been specifically developed for the implementation of the HR-SRM.