Privacy Impact Assessment for the International Scholarship Program

Executive Summary

The International Scholarship Program distributes approximately $11 million in scholarships to foreign students who wish to study in Canada.  It is intended for students of merit who want to pursue post-secondary studies or research programs in Canada and for Canadians to take advantage of reciprocal awards offered by foreign governments. The purpose is to train future leaders, facilitate the exchange of ideas, and enable foreign scholars and future opinion leaders to contribute to their country’s knowledge and understanding of Canada upon their return, thereby raising Canada’s profile and promoting its interests globally. Canada is committed to participation in international study and research partnerships that build understanding among peoples, develop global citizens and leaders, and contribute to the development of nations. Foreign Affairs and International Trade Canada (DFAIT) is responsible for the Government of Canada's participation in major International Scholarship Programs. DFAIT provides support to international scholars in Canada, which is often reciprocated by foreign governments, which support Canadian scholars in their countries.

A Privacy Impact Assessment (PIA) was completed as part of the Department’s commitment to protection of personal information. The assessment process also met the Management of Information Technology and Security (MITS) requirements obligating departmental enterprise applications to undergo a security and privacy assessment.

At the time the PIA was completed, the program was administered by the Canadian Bureau for International Education (CBIE) under a contribution agreement with DFAIT. CBIE hosted and administered the www.scholarships.gc.ca website and databases containing scholarship recipient and alumni information. DFAIT, at that time, had little to no control over the web environment for matters such as data collection, management, retention, disposition, or security.

At the same time, DFAIT engaged CBIE as Scholarship Administrator to provide processing and reporting for DFAIT scholarship applications from international (non-Canadian) as well as Canadian students and academics. Personal information received from students under the various programs may include the following: contact information, sensitive details of proposed research projects, copies of student visas and study permits, and the names of institutions and programs of study.

Information about applicants was stored in four main databases:

  1. DFAIT Scholarships for Non Canadians, which contained applicants’ personal information as well as their research proposals;
  2. DFAIT Scholarships for Canadians
  3. DFAIT project Scholarships
  4. Alumni program

In addition to the above, the Department and the program collected personal information associated with the operation of the following committees and working groups in order to manage the International Scholarship Program:

  1. Personal information related to the Selection Committees, normally Canadian university professors
  2. Personal information related to individuals involved in Collaboration Missions –promoting partnerships between Canadian post-secondary institutions and Caribbean and Latin American counterparts
  3. The content of the Research Proposals provided by the candidates may contain personal information

There were inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the Scholarship Administrator web-based tool, as well as the scholarship program. The PIA resulted in the identification of selected risks and described detailed mitigation strategies associated with each risk. The following are brief recommendations drawn from the completed PIA to reduce the levels of risks found with the initiative.

Action plans have been developed based on identified risks and recommended mitigations. At the time the PIA was completed, DFAIT was prioritizing the associated actions required to follow up on the recommendations and the mitigation strategies.

While these mitigating strategies did not eliminate the risk entirely, it reduced it to a level for which the Department and its senior management could assume the remaining risk with a reasonable expectation that risks in the process of being realized would be caught by monitoring processes before they became untenable. These residual risks required to be managed in accordance with the executive duties, powers and prerogatives and accountability bestowed upon the Deputy Head.

Date Modified: