Privacy Impact Assessment Summary on the Online Request Form
Executive Summary
Description of the Project
The Online Information Request Form (ORF) project is the implementation of a new tool allowing Canadians to submit requests for information to the Office of the Privacy Commissioner of Canada in the most efficient and secure manner possible.
This initiative is headed by the Communications Branch and is the responsibility of the Manager of the Information Centre.
The goal of this project is to offer a safe platform that will ensure that Canadians, who are asking privacy-related questions of our office, include all the details that we require in order to determine jurisdiction and provide the best possible response.
This tool will allow Canadians to request information about privacy-related matters overseen by our office via a secure form hosted on our website. This form will include mandatory fields that will be completed by the requestor. Once submitted, the information will be encrypted and will populate a secure database so that it can be treated by our Information Centre. The fields, carefully selected, will help our information officers understand the request, assess jurisdiction and provide a response.
Project Background
The current practice of the OPC is to accept enquiries from the public by phone or in writing via letter, both of which are responded to by the Information Centre. In some cases, information requests follow an alternative path and make their way to the Information Centre through contact avenues meant to manage media requests, or emails to the webmaster or breach notification inbox in another branch. These alternative paths result in inefficiencies with the approved enquiry process, delays for the enquirer to have their enquiry addressed, improper tracking of the enquiry, and could result in an enquiry being lost.
In the current era communicating with organizations via online methods is common place and, arguably, a best practice for public enquiry management. The implementation of the ORF will address this and see the OPC offer Canadians an online option to place electronic, written information enquiries. It will also mitigate the risks involved when enquirers use alternate paths to place an enquiry.
Following a review of the operations of the Information Centre, it was recommended that a mechanism should be developed to allow Canadians to submit enquiries electronically.
Objective
Provide Canadians with a method to send enquiries in writing electronically to the OPC while also finding a method to ensure information request response times are met.
Goals
- Provide Canadians with a method of placing enquiries in writing electronically via a simple-to-use web-based form.
- Eliminate or reduce enquiries to the OPC that follow paths outside of appropriate and sanctioned methods for enquiries.
- Provide opportunities to create efficiencies by reducing Information Centre phone and mail requests.
Approach
Currently the OPC uses more traditional methods to manage enquiries from the Canadian public – that is, by phone or letter. However, the evolution technology has presented new opportunities for online public enquiry management, while enquirer expectations have also evolved to expect engagement with organizations via online methods.
The implementation of the ORF will see the OPC offering Canadians an online, electronic option to place information enquiries in writing.
Risk Area Identification and Categorization
| a) Type of program or activity | Risk scale |
|---|---|
| Program or activity that does NOT involve a decision about an identifiable individual | 1 NO |
| Administration of program or activity and services | 2 YES |
| Compliance or regulatory investigations and enforcement | 3 NO |
| Criminal investigation and enforcement or national security | 4 NO |
| b) Type of personal information involved and context | Risk scale |
|---|---|
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 YES |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 YES |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 NO |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 NO |
| c) Program or activity partners and private sector involvement | Risk scale |
|---|---|
| Within the institution (among one or more programs within the same institution) | 1 YES |
| With other government institutions | 2 NO |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 NO |
| Private sector organizations, international organizations or foreign governments | 4 NO |
| d) Duration of the program or activity | Risk scale |
|---|---|
| One-time program or activity | 1 NO |
| Short-term program or activity | 2 NO |
| Long-term program or activity | 3 YES |
| e) Program population | Risk scale |
|---|---|
| The program's use of personal information for internal administrative purposes affects certain employees. | 1 NO |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 NO |
| The program's use of personal information for external administrative purposes affects certain individuals. | 3 YES |
| The program's use of personal information for external administrative purposes affects all individuals. | 4 NO |
| f) Technology and privacy | Risk scale |
|---|---|
| Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? | YES |
| Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? | NO |
Specific technological issues and privacy
|
NO |
| g) Personal information transmission | Risk scale |
|---|---|
| The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 NO |
| The personal information is used in a system that has connections to at least one other system. | 2 YES |
| The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 NO |
| The personal information is transmitted using wireless technologies. | 4 NO |
| h) Potential risk that, in the event of a privacy breach, there will be an impact on the individual or employee | YES |
| i) Potential risk that, in the event of a privacy breach, there will be an impact on the institution. | YES |
Categorization of Risks using a Common Risk Scale
The following table summarizes the results of the standardized risk assessment above:
| Identified Risk Categories | Aggregate Risk Rating |
|---|---|
| No. of program characteristics identified as “low” risk (TBS Level 1 or 2) | 5 |
| No. of program characteristics identified as “moderate” risk (TBS Level 2 or 3) | 3 |
| No. of program characteristics identified as “elevated” risk (TBS Level 3 or 4) | 1 |
| No. of unaccounted or other potential privacy risks | 0 |
| Overall risk rating for the OPC’s Online Request Form | Low |
Based on a summary analysis of program characteristics, the OPC’s Online Request Form, in general, is likely to present a low risk to the privacy of individuals.
- Date modified: