Passport Canada’s Addendum to Human Resources and Skills Development Canada (HRSDC) (Service Canada)

Overarching Privacy Impact Assessment regarding Passport Receiving Agent Services

Passport Canada has developed an addendum to HRSDC (Service Canada) overarching Privacy Impact Assessment regarding Passport Receiving Agent Services.

More specifically, the addendum provides in a clear and concise document all pertinent modifications pertaining to the Privacy Impact Assessment (PIA) that was approved on June 7, 2005 by HRSDC.

Thus, please find below the Executive Summary of the subject addendum along with the risks identified.

Executive Summary

In 2004, three Service Canada centres (SCCs) were initially selected to participate in the pilot project of the Passport Receiving Agent (RA) service: Brandon in Manitoba, Drummondville in Québec, and Kamloops in British Columbia. An additional 30 locations were established in 2005. A third expansion took place in 2007 that saw the total number of locations increase to 101 by October of that same year. An Order in Council (OIC) amending the Canadian Passport Order was obtained by Passport Canada (PPTC), which included authorities to expand the number of sites for Passport RA. As a result of coming into effect of the OIC, the total number of locations can increase up to a maximum of 200 Receiving Agent sites. These authorities have been provided on a temporary basis unless further amendments to the Canadian Passport Order are made to extend the authorities.

Furthermore, the OIC significantly changes the nature of Human Resources and Skills Development Canada’s (Service Canada) authority to conduct passport activities since the original 2005 PIA was finalized and approved. As of May 28, 2008, HRSDC (Service Canada) is no longer legally acting as an “agent” of PPTC but is providing passport services under the direct authority of the Canadian Passport Order, the agreement between the Minister of the Department of Foreign Affairs and International Trade Canada (DFAIT) and the Minister of HRSDC (Service Canada) and a proposed administrative Memorandum of Understanding (MOU) to be signed between the same two organizations.

Since the original PIA was approved on June 7^th 2005, the structure of the department has also drastically changed: in 2005, both HRSDC and Social Development Canada (SDC) existed and hence are referenced in the original PIA. In 2006, the two departments were amalgamated under one department, HRSDC which contains the initiative Service Canada. Any references to the former SDC are now referring to the amalgamated HRSDC (Service Canada).

The protection of personal information is paramount to HRSDC (Service Canada). The obligation to protect clients’ information is established through a strong culture of service excellence and is also governed by the Privacy Act, Department of Human Resources and Skills Development (DHRSD) Act and Department of Social Development (DSD) Act. HRSDC (Service Canada) is committed to ensuring that information is protected according to the legislation. To accomplish this, internal assessments were conducted on the Passport RA service to identify and address all privacy and security risks.

The proposed administrative MOU to be signed between HRSDC (Service Canada) and PPTC supports the conduct of a threat and risk assessment (TRA) as a prerequisite to the launch of this service in SCCs selected for the RA service as well as clearly outlining the responsibilities of HRSDC (Service Canada) and PPTC regarding the protection of personal information. As the expansion of the RA service follows a seamless phased approach, TRAs have been conducted for existing RA locations with more TRAs to be conducted as confirmation is received of future RA locations.

There are two instances where personal information is collected by HRSDC (Service Canada) as part of the RA services:

• The passport application and supporting documents are collected by HRSDC (Service Canada) using a reviewing process developed by PPTC. HRSDC (Service Canada) retains custody of these documents for no more than one business day.

• As per the Receipt and Deposit of Public Money Regulations 1997, HRSDC (Service Canada) is required to collect information with respect to the receipt and deposit of public money including, the date of receipt and deposit, the amount received, deposited or withheld, and all other information required for identification and audit purposes. The contact information, which was not previously collected, will be part of the information collected in the Local Web Receipt System for all passport application payments received at a SCC and will be transmitted to PPTC on a ”on request basis”.

Potential Privacy Risks:

Potential privacy issues have been linked with the RA functions:

1. Inappropriate use of clients’ information
   • Risk: Possibility that SCC’s employees might inappropriately use clients’ information.
   • Mitigation: The risk of receiving agents inappropriately using clients’ information will be substantially mitigated by the impending implementation of a quality management program. This program will contain comprehensive audit capabilities such as random review and monitoring of RA applications/activities and the possible creation of an on-site Program Identity Officer who will have the necessary authority to ensure the integrity of the program. Should the position of an on-site Program Identity Officer be created, the PIA will be amended if deemed necessary.
2. Threat of lost/stolen clients’ information while in transit from HRSDC (Service Canada) to PPTC
   • Risk: The threat of lost/stolen clients’ information while in transit from HRSDC (Service Canada) to PPTC.
   • Mitigation: The risk of information being lost or stolen while in transit is greatly reduced by the implementation of a robust tracking system that utilizes tools/services provided by the Canada Post Corporation.
3. Lack of Privacy Notice
   • Risk: The lack of information provided to clients as to the personal information collected and its use by HRSDC (Service Canada) have also been identified as potential privacy issues.
   • Mitigation: The risk of lack of information provided to inform clients of the collection, protection and use of their personal information will be mitigated by a privacy notice that will assist Citizen Service Agent (CSA) in effectively communicating to the applicants the nature of the information that is collected, the purpose of collecting that personal information and safety measures in place to protect it. The privacy notice will be given to the client while the CSA reviews the application. The new information collected will be the telephone number of applicants.
4. Lack of authority for HRSDC (Service Canada) to collect passport applications
   • The 2005 PIA presented a specific risk that has since been mitigated. The risk previously identified as a lack of authority for HRSDC (Service Canada) to collect personal information with respect to passport applications has been resolved through the issuance of an OIC amending the Canadian Passport Order which came into force on May 28, 2008 and the accompanying ministerial agreement under which the Minister of Foreign Affairs authorizes the Minister of HRSD to exercise the administrative powers set out therein with respect to passport applications. These authorities are now effective.