Privacy Impact Assessment for the International Scholarship Program

Executive Summary

The International Scholarship Program distributes approximately $11 million in scholarships to foreign students who wish to study in Canada.  It is intended for students of merit who want to pursue post-secondary studies or research programs in Canada and for Canadians to take advantage of reciprocal awards offered by foreign governments. The purpose is to train future leaders, facilitate the exchange of ideas, and enable foreign scholars and future opinion leaders to contribute to their country’s knowledge and understanding of Canada upon their return, thereby raising Canada’s profile and promoting its interests globally. Canada is committed to participation in international study and research partnerships that build understanding among peoples, develop global citizens and leaders, and contribute to the development of nations. Foreign Affairs and International Trade Canada (DFAIT) is responsible for the Government of Canada's participation in major International Scholarship Programs. DFAIT provides support to international scholars in Canada, which is often reciprocated by foreign governments, which support Canadian scholars in their countries.

A Privacy Impact Assessment (PIA) was completed as part of the Department’s commitment to protection of personal information. The assessment process also met the Management of Information Technology and Security (MITS) requirements obligating departmental enterprise applications to undergo a security and privacy assessment.

At the time the PIA was completed, the program was administered by the Canadian Bureau for International Education (CBIE) under a contribution agreement with DFAIT. CBIE hosted and administered the www.scholarships.gc.ca website and databases containing scholarship recipient and alumni information. DFAIT, at that time, had little to no control over the web environment for matters such as data collection, management, retention, disposition, or security.

At the same time, DFAIT engaged CBIE as Scholarship Administrator to provide processing and reporting for DFAIT scholarship applications from international (non-Canadian) as well as Canadian students and academics. Personal information received from students under the various programs may include the following: contact information, sensitive details of proposed research projects, copies of student visas and study permits, and the names of institutions and programs of study.

Information about applicants was stored in four main databases:

1. DFAIT Scholarships for Non Canadians, which contained applicants’ personal information as well as their research proposals;
2. DFAIT Scholarships for Canadians
3. DFAIT project Scholarships
4. Alumni program

In addition to the above, the Department and the program collected personal information associated with the operation of the following committees and working groups in order to manage the International Scholarship Program:

1. Personal information related to the Selection Committees, normally Canadian university professors
2. Personal information related to individuals involved in Collaboration Missions –promoting partnerships between Canadian post-secondary institutions and Caribbean and Latin American counterparts
3. The content of the Research Proposals provided by the candidates may contain personal information

There were inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the Scholarship Administrator web-based tool, as well as the scholarship program. The PIA resulted in the identification of selected risks and described detailed mitigation strategies associated with each risk. The following are brief recommendations drawn from the completed PIA to reduce the levels of risks found with the initiative.

• Recommendation 1: As part of the Department’s accountability and commitment to protect personal information the following steps were recommended to mitigate the accountability risks:
  1. There is a need for the International Education and Youth Division at DFAIT to identify an information custodian who would be responsible for the management of content and application of policies and procedures in accordance with legislative mandates and requirements;
  2. There is also a need for the department to invest in development of Standard Operating Procedures (SOP), policies, institutional and jurisdictional (country) sharing agreements, and to document evidence of decision-making concerning personal information under the custody of this program; 
  3. DFAIT also needs to develop a communication strategy in order to communicate its role, policies, and legislative requirements to staff, the Scholarship Administrator, Selection Committees, other host countries, and academic institutions.
  4. DFAIT will choose a new Scholarship Administrator through a competitive process, once the agreement with the current Administrator (CBIE) expires. Both the Request for Proposal and the new contract must include appropriate clauses obligating the future Scholarship Administrator to protect the personal information collected and managed in accordance with the Privacy Act, and modalities established by DFAIT.
• Recommendation 2: While administering the program, third party personal information is sometimes needed for operational purposes. In order to mitigate collection of personal information without consent, it is recommended that DFAIT review the requirements for third party personal information regularly and eliminate unnecessary personal information which may lead to collection of third party personal information (e.g. names of family members, references, etc.).
• Recommendation 3: As a result of the PIA, the Department has decided to ask the Scholarship Administrator to stop the collection of Social Insurance Numbers (SIN) and destroy the existing SIN data held by the Scholarship Administrator. The SIN can only be collected or used for administrative or non-administrative purposes expressly authorized under specific acts and regulations, or under programs or activities made pursuant to lawful authority and approved by Treasury Board. The acts and regulations that explicitly refer to the SIN and the specific programs and activities that are authorized are listed in Appendix “A” of TBS’ Directive on Social Insurance Number. DFAIT’s legislative authority does not include provision for the collection of SIN numbers. The following steps were to be taken by DFAIT to mitigate existing risks in this area:
  1. put in place a process by which the Department officially communicates its policy regarding collection of SIN numbers to the Scholarship Administrator;
  2. develop and document appropriate processes and procedures, in collaboration with the Scholarship Administrator and the CRA, to destroy all SIN numbers in custody of the Scholarship Administrator at present;
  3. seek legal advice concerning how the Post-Doctoral Research Fellowships Program could be taxable, as well as appropriate avenues by which the Department could communicate the recipient’s personal information to CRA.
• Recommendation 4: Documenting evidence of personal information management:
  1. It is recommended that the International Scholarship Program (GLEP) develop clear policies concerning retention and disposition of personal information. As part of such a policy suite it is recommended that DFAIT take steps to identify the retention period based on the program’s long-term business requirements. Once identified, such a retention period must be reflected in the Personal Information Bank (PIB), and communicated to contracted administrators of the program and further be reflected in the Privacy Notice Statements (PNS).
  2. Furthermore, DFAIT must communicate its privacy obligations to its Scholarship Administrator, other partner countries, and academic institutions. DFAIT is advised to develop Information Sharing Agreements that are used to document the personal information sharing between the Department and its many partners regarding this program.
  3. Under this program DFAIT is obligated to share student information with foreign governments and foreign academic institutions subject to local laws and conditions. While DFAIT and the Government of Canada are not in a position to dictate treatment of personal information to such jurisdictions, the information sharing agreements will reduce the risk of personal information misuse.
  4. DFAIT also needs to make every effort to protect personal information associated with the selection committee.
• Recommendation 5: Security measures associated with the personal information collected and managed under the International Scholarship Program must be commensurate with the sensitivity of the information collected. DFAIT needs to take the following steps to mitigate the existing risks:
  1. undertake a Threat Risk Assessment (TRA);
  2. document security procedures and contingency plans and communicate them to those who need to know;
  3. assess and identify the proper level of security designation for the data holdings;
  4. consider planning the development of access controls which would enable an audit-trail for user and, most importantly, administrative access to the data;
  5. and, ultimately, finalize the plans for the repatriation of the system, the website, and the data back into the Department.

Action plans have been developed based on identified risks and recommended mitigations. At the time the PIA was completed, DFAIT was prioritizing the associated actions required to follow up on the recommendations and the mitigation strategies.

While these mitigating strategies did not eliminate the risk entirely, it reduced it to a level for which the Department and its senior management could assume the remaining risk with a reasonable expectation that risks in the process of being realized would be caught by monitoring processes before they became untenable. These residual risks required to be managed in accordance with the executive duties, powers and prerogatives and accountability bestowed upon the Deputy Head.