Privacy Impact Assessment Summary on Canada's anti-spam legislation

Executive Summary

Description of the Program

The legislation

The Canada's anti-spam legislation (CASL) received Royal Assent on December 10, 2010. CASL's purpose is to encourage the growth of electronic commerce by ensuring public confidence and trust in the online marketplace, by promoting the use of electronic messaging as a means to carry out commercial activities.

CASL introduces a regulatory framework to deter spam and other damaging and deceptive electronic threats such as identity theft, phishing and spyware, malware and botnets from occurring in Canada and to help drive spammers out of Canada.

CASL seeks to do this both through the provisions contained within the legislation itself and by introducing legislative amendments to the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, PIPEDA and the Telecommunications Act.

On April 1, 2011, CASL introduced some limited changes to PIPEDA. Specifically, the Privacy Commissioner was given wider powers to:

Decline to investigate a complaint (ss. 12.(1));
Discontinue the investigation of an existing complaint (ss. 12.2(1));
Consult, enter arrangements and agreements and share information with her counterparts in the provinces (s. 23); and
Enter into written arrangements and share information with her foreign counterparts (s. 23.1).

A new enforcement model

CASL introduces a different enforcement model, in that there are three federal agencies responsible for enforcement of the law: the OPC, CRTC and the CB (collectively referred to as the "Enforcement Agencies"). In addition to any independent actions each agency may undertake to enforce CASL's provisions, the law requires that all three Enforcement Agencies must consult with each other to the extent considered appropriate to ensure the effective regulation of prohibited activities. These Enforcement Agencies may share information with each other. They may also disclose information to the government of a foreign state and certain international organizations (in specified circumstances, and under written agreements or arrangements between the parties).

The Spam Reporting Centre

To facilitate the CASL enforcement model, the SRC has been created. The SRC will be administered and hosted by the CRTC. The SRC will receive submissions and reports of alleged violations from IC's public-facing website, and information held within third-party data feeds and honey pots. As such, the SRC is intended to serve as a repository of information from which the Enforcement Agencies may draw upon, for the purpose of conducting a range of CASL compliance activities, including investigations.

The OPC's collection, use and disclosure of personal information under CASL

Personal information collected by the OPC for the purposes of enforcing compliance with CASL from both the SRC, and through its own information-gathering powers and capabilities, will be used for administrative purposes (i.e., to make decisions that directly affect an identifiable individual). However, such information is not intended to be used for the purposes of making administrative decisions about individuals who make submissions to the SRC, or complaints to the OPC, rather it will be used to make administrative decisions relating to targets or respondents, i.e., those who commission, facilitate and/or send spam and other electronic threats to the public.

Personal information collected in the course of the OPC's enforcement activities may be used for investigating possible contraventions of PIPEDA (as amended by CASL) with administrative or civil consequences. The use of personal information for investigative purposes and the disclosure of personal information to third parties are to be guided by the respective legislative provisions set out in CASL, PIPEDA, the Privacy Act and other relevant laws and policies of the Government of Canada.

It is not envisaged that the OPC's CASL enforcement activities will necessitate the collection, use or disclosure of "sensitive" personal information belonging to those individuals who send submissions or reports to the SRC or submit CASL complaints direct to the OPC. While "sensitive" personal information is not defined in PIPEDA, medical and income records are referred to within this context under Principle 4.3.4 of Principle 1 of PIPEDA. For the purposes of this PIA, such information is considered to be information such as solicitor-client privileged information, political affiliations, religious beliefs, associations or lifestyles, financial records, legal records, medical records, employee evaluations and police reports which are typically considered "Protected B" Information, or higher, in very rare cases, depending upon the context.

Indeed, the supply of personal information in public submissions and reports to the SRC will be entirely voluntary. In most cases, the personal information to be collected will be limited to an individual's name, contact information and matters pertinent to the alleged incident. In and of itself, such information is not considered to be contextually sensitive.

Individuals who make a submission may provide personal information that they believe to be relevant to their submission and that some of this may be sensitive in nature (alone or in combination with other identifiable information). In addition, individuals may also provide information that they may not realize is personal, e.g. IP addresses. Again, this information will be considered "Protected B" by the OPC and will be protected by appropriate security safeguards.

Wherever possible, the OPC will collect personal information directly from the individual to whom it belongs, e.g., through an individual sending a submission to the SRC. Such submissions may also be supplemented by individuals sending PIPEDA complaint forms about alleged contraventions of CASL directly to the OPC. The latter will not be encouraged by the OPC and individuals will, wherever possible be directed to make submissions online via Industry Canada's fightspam.gc.ca website to ensure that the SRC's information about spam is as comprehensive as possible. However, the OPC will ensure that its intake triage process can appropriately manage the receipt and handling of such complaint forms.

The OPC may also have access to the personal information of individuals where third-party organizations provide information about spam and other electronic threats to the SRC via data feeds, under written agreements or contracts, e.g., IP addresses of individuals who have been sent spam containing spyware.

Furthermore, it is possible that third party organizations may elect to disclose the personal information of individuals directly to the OPC, CRTC and CB under section 56 of CASL.^{Footnote 1}

The personal information of persons who make a submission, or are contained in data feeds are not expected to be used by the OPC for secondary purposes such as conducting research, statistical reporting, educating the public or private-sector stakeholders about the OPC's CASL mandate, or publishing the results of enforcement activity. Rather, personal information will be aggregated and anonymized when used for such purposes.

Scope of the PIA

The purpose of the OPC's CASL PIA is to perform a high level assessment of the potential privacy impacts associated with the OPC's CASL-related enforcement activities. The assessment includes an evaluation of:

the OPC's planned CASL collection of personal information through the SRC and how it will seek to protect the integrity of its own systems, when such collection includes malicious material such as malware;
the process by which information collected from the SRC will be subject to further analysis by the OPC's Technology Analysis group;
how the OPC will communicate its CASL mandate to the public, including how it will respond to CASL-related inquiries and correspondence, including the submission of direct PIPEDA complaints that allege contraventions of CASL;
the OPC's triage function: with respect to how potential contraventions of CASL will be identified and assessed and the appropriate enforcement action, if any, determined;
the extent to which the OPC may use alternative methods of enforcement to resolve contraventions of CASL;
how the OPC's CASL-related investigations process will work and how the process will differ from the process used to investigate non-CASL contraventions of PIPEDA;
how the OPC will seek to enforce compliance with CASL collaboratively with its Enforcement Agency partners, e.g. joint investigations;
the OPC's potential sharing of personal information with its CASL Enforcement Agency partners and the use of such information under sections 57 to 59 of CASL;
the OPC's potential sharing of personal information regarding its CASL enforcement activities with foreign states and organizations under sharing under subsection 23.1 of PIPEDA and section 60 of CASL;
the OPC's processing of Access to Information and Privacy Act requests in relation to its CASL enforcement activities; and
Retention and destruction of personal information collected, used and disclosed as part of its CASL enforcement activities.

Risk Area Identification

Activity Type Elevated Risk (TBS Level 4)	Personal information of individuals may be obtained by the OPC from: The SRC by means of data linked to online submissions or reports made to the SRC, through the IC consumer intake form or e-mail forwarding service, third-party data-feeds or honey pots; Individuals providing the information directly by submitting an OPC PIPEDA online complaint form; or Organizations providing direct disclosure of information to the OPC concerning alleged contraventions of CASL, or section 5 of PIPEDA, as it relates to a collection or use described in subsections 7.1(2) or 7.1(3) of PIPEDA, as set out under section 56 of CASL. Such information is not intended to be used by the OPC for the purposes of making administrative decisions about the individuals who made submissions or reports to the SRC or OPC themselves. Rather, personal information collected by the OPC as part of its enforcement activities under CASL - specifically that relating to potential targets or respondents - may be used for administrative purposes (i.e., to make decisions that directly affect an identifiable individual). Typically, the OPC will use such personal information for compliance or regulatory investigations and enforcement (TBS Risk Level 3). However, due to the nature of the spam and electronic threats caught under the OPC's CASL enforcement mandate, e.g. the use of malware to collect or use individual's personal information without consent, it is envisaged that certain investigations may reveal potentially criminal behaviour by respondents. Therefore, personal information may be used for investigating possible contraventions of CASL with administrative, civil or criminal consequences (TBS Risk Level 4). While actions against persons who make a submission are unlikely, an individual who makes a submission may be called upon to testify or act in support of enforcement actions or legal proceedings. The use of personal information for investigative purposes and any subsequent disclosure of personal information to law enforcement authorities, foreign states or organizations, will be in accordance with the legislative provisions set out in CASL and the laws and policies of the Government of Canada.^{Footnote 2}
Data Type Moderate Risk (TBS Level 3)	The OPC's CASL enforcement activities do not necessitate the collection, use or disclosure of sensitive personal information. The personal information collected by the OPC from the SRC will be derived from submissions or reports and will generally be limited to an individual's name, basic contact information and information directly relevant to an alleged incident or wrongdoing. These personal information elements, when combined, are not considered to be sensitive. Indeed, steps have been taken to prevent the collection of such sensitive personal information through the IC intake form. In some cases, persons who make submissions or reports may provide information that they believe to be relevant to their submission. This information, alone or when combined with other identifiable information, may be of a sensitive nature, e.g. IP address, e-mail address and an example of spam related to a medical condition, treatment or service. Furthermore, while the OPC will seek to redirect individuals who wish to report concerns about spam and other electronic threats directly to the OPC back to the fightspam.gc.ca website and the IC consumer intake form, it is possible that certain individuals will submit OPC PIPEDA online complaints forms about CASL matters regardless. These forms will contain personal information and may, in some instances, contain sensitive personal information, even if the OPC has not requested such disclosure. Where the OPC needs to collect additional personal information as part of its enforcement activities, such information will be collected directly from the individual to whom it belongs, or with the consent of the individual by a federal, international, private-sector partner for purposes of enforcing the law. The submission of non-relevant and potentially sensitive data will be strongly discouraged through OPC communications efforts, including the use of the OPC's public-facing website. The OPC is not expected to use the personal information of individuals submitting concerns about spam or other electronic threats for secondary purposes.
Program Partners Elevated Risk (TBS Level 4)	The OPC's CASL enforcement activities will involve the sharing of personal information with the other Enforcement Agencies: the CRTC and CB. Beyond any independent enforcement activities undertaken by the OPC to enforce PIPEDA, section 57 of CASL requires that all three Enforcement Agencies consult with each other to ensure the effective regulation of CASL. Subsections 58(3) and 59(3) allows the Privacy Commissioner to disclose information to the CRTC and CB and use information disclosed to it by the CRTC and CB for enforcement purposes. To facilitate the above, the OPC has entered into a Memorandum of Understanding for Cooperation, Coordination and Information Sharing^{Footnote 3} with the CRTC and CB. Under section 60 of CASL, the OPC may share such information with the government of a foreign state (where information is relevant to an investigation or proceeding in respect of a contravention of the laws of a foreign state that is substantially similar to the conduct prohibited by Canadian law). Under the same section, information may be shared with a foreign state or organization where the disclosure is necessary in order to obtain from that foreign state or organization information that may be relevant to a Canadian investigation. The sharing of such information must be subject to a written arrangement or agreement. The OPC may continue to share information with other provincial and international privacy enforcement agencies, by way of an information sharing arrangement or written agreement, as permitted under section 23 and subsection 23.1 of PIPEDA. All information sharing is also to be conducted in compliance with the personal information handling requirements set out in the Privacy Act.
Program Duration Moderate Risk (TBS Level 3)	On July 1, 2014 sections 1 to 7, 9 to 46, 52 to 54, 56 to 67 and 69 to 82 of the CASL will come into force. On January 15, 2015, section 8 of CASL will come into force, and on July 1, 2017, sections 47 to 51 and 55 of CASL will come into force. Enforcement activities are expected to continue indefinitely, without a set sunset date, in accordance with the Act and its supporting Regulations. Notwithstanding the above, the indefinite operation of the OPC's CASL enforcement activities is not expected to present an elevated risk to the privacy of individuals. Personal information collected by the OPC from individuals through the SRC or through its own enforcement activities will be - to the extent possible - limited to that required for stated purposes. The OPC will destroy or render anonymous this information in accordance with its own information retention and destruction policy.
Program Population Moderate Risk (TBS Level 3)	CASL enforcement activities may affect certain individuals for external administrative purposes.
Technology Moderate Risk (TBS Level 3)	Following CASL's coming into force date of July 1, 2014, the OPC will be regularly extracting data from the SRC's SID. Due to the nature of its enforcement mandate investigating the unauthorized collection or use of personal information resulting from address harvesting, malware and other electronic threats, it is envisaged that some of the data pulled from the SID by the OPC will contain malicious content. The OPC will establish a network infrastructure with appropriate security measures.
Data Transmission Moderate Risk (TBS Level 3)	The SRC is intended to be the primary repository of personal information under CASL. The SRC will provide the OPC with access to working copies of raw information held in the Spam Information Database, and provide analysis on spam trends and other reports of interest. Direct access to the SRC's SID by the OPC will be restricted to designated individuals. An OPC-funded SRC Analyst will be designated to support the OPC's information needs. The OPC will extract data of interest from the SRC's SID via secure means. The extent of the information pulled by the OPC from the SRC's SID will be based on pre-determined filters agreed between the SRC and OPC. The OPC may also receive data direct from individuals wishing to submit information about spam and other electronic threats, through the OPC's PIPEDA complaint form. Such complaints are received as encrypted packages.
Impact on Individuals in the Event of a Breach Moderate Risk (TBS Level 2)	Personal information of individuals collected from the SRC by the OPC, for the purposes of analysis and the potential investigation of CASL contraventions is not likely to be sensitive in nature, as the ability to collect sensitive information has been reduced through a redesign of the IC intake form. Although the volume of such data may be high, the privacy impact on individuals in the event of such a privacy breach by the OPC is considered to be low. However, the privacy impacts on individuals may increase: where an individual who made a submission or report to the SRC provided information of a sensitive nature in the submission or report, despite being warned not to do so; A small number of individuals may enclose sensitive personal information to the OPC when submitting CASL-related concerns through PIPEDA online complaint forms; or where the personal information gathered by the OPC is used in the context of an ongoing investigation or legal proceeding at the time of a breach. In most cases, the risk to persons making submissions in the event of a data breach is likely to be limited to inconvenience or embarrassment. However, it must be recognized that for a smaller group of individuals where sensitive information is involved, the impact may be a more serious invasion of privacy. The overall impact on these individuals and the attendant risk level must be considered Moderate, rather than Low.
Institutional Impact in the Event of a Breach Moderate Risk (TBS Level 3)	Personal information most likely to be collected from persons who make a submission or report to the SRC under CASL is not considered to be sensitive in nature. The impact on any department or agency in the event of a data breach is therefore likely to be moderate. These impacts are likely to be limited to organizational harms (i.e., a need to change organizational structures, decision-making, responsibilities and accountabilities and/or program activity architecture). In some cases, depending on the nature of the breach and the personal information lost, stolen, accessed, or corrupted, reputational harms may also arise (e.g., embarrassment, loss of credibility, a decrease in public confidence, and an increase in attention on departmental and elected officials). This has some significance for the OPC due to its role as a privacy compliance regulator.

Categorization of Risks using a Common Risk Scale

The following table summarizes the results of the standardized risk assessment above:

Identified Risk Categories	Aggregate Risk Rating
No. of program characteristics identified as "low" risk (TBS Level 1 or 2)	0
No. of program characteristics identified as "moderate" risk (TBS Level 2 or 3)	7
No. of program characteristics identified as "elevated" risk (TBS Level 3 or 4)	2
No. of unaccounted or other potential privacy risks	0
Overall risk rating for the OPC's CASL enforcement activities	Moderate

Based on a summary analysis of program characteristics, the OPC's CASL enforcement activities, in general, are likely to present a moderate risk to the privacy of individuals.

NOTES

Footnote 1

Section 56 allows an organization subject to Part 1 of PIPEDA to disclose to the Commissioner of the CRTC, the Commissioner of Competition or the Privacy Commissioner, on its own initiative, and despite subsection 7(3) of PIPEDA, any information in its possession that it believes relates to a contravention of any of sections 6 to 9 of CASL, section 5 of PIPEDA where contravention relates to a collection or use described in subsections 7.1(2) or (3) of the Act, and certain specified sections of the Competition Act and Telecommunications Act.

Return to footnote 1

Footnote 2

Under subsection 8(2) of the Privacy Act, institutions may disclose personal information to law enforcement officials in respect of any law of Canada or a province, or for purposes of carrying out a lawful investigation. Information may also be disclosed for the purpose of complying with a subpoena or warrant issued or order by a court or body with jurisdiction to compel the production of that information. The disclosure of personal information in these circumstances would be considered an administrative use.

Return to footnote 2

Footnote 3