Privacy Impact Assessment Summary on the “Snappy” Tool
Executive Summary
Description of the Project
The “Snappy” Tool project is the implementation of a new tool allowing Canadians to submit comments and concerns on various matters to the Office of the Privacy Commissioner of Canada (OPC) in the most efficient and secure manner possible.
This is a joint project involving the Communications, Investigations and Legal Services, Policy and Research branches of the OPC. The Communications and PIPEDA Investigations branches are leading the project.
The goal of this project is to offer a safe platform that will give Canadians an opportunity to share comments and concerns about privacy-related matters quickly and easily, without engaging the formal complaint process.
The “Snappy” Tool will allow the OPC to create forms on a variety of privacy-related topics or issues, accessible via the OPC’s website. It will provide Canadians with a quicker, simpler alternative to the formal privacy complaint form to share concerns on privacy, and provide the OPC with the ability to send follow-up notices related to ongoing significant privacy investigations and initiatives to Canadians. It is likely there will be other, yet to be determined, uses for the forms.
Project Background
While exploring options for improving intelligence gathering capabilities, the Communications and PIPEDA branches reviewed the “Snappy” tool being used by our international privacy counterpart, the United Kingdom Information Commissioner’s Office (UK ICO).
The “Snappy” Tool being used by the UK ICO offers individuals in the UK a simple and streamlined alternative to the standard privacy complaint form for various commonly encountered privacy issues, such as reporting spam and unsolicited marketing calls.
When the OPC version of the “Snappy” Tool is implemented on the Office’s website, it will provide Canadians with a quicker, simpler alternative to the formal privacy complaint form to share concerns on privacy and provide the ability for Canadians to receive follow-up notices from the OPC related to ongoing significant privacy investigations and initiatives when possible.
It is the hope of the OPC that reductions will be realized in its call volumes and formal privacy complaints, while providing an improved, real-time insight into the privacy concerns of Canadians.
Objective
Provide Canadians with a flexible online tool that could serve a range of complaint alternative functions while providing the OPC with an improved, real-time insight into Canadians’ privacy concerns.
Goals
- Provide Canadians with an easy way to express their concerns on privacy-related issues.
- Provide Canadians with web-based complaint alternative functions that are easy and simple to use.
- Reduce formal privacy complaints.
- Forecast privacy trends and identify emerging privacy issues.
Approach
The “Snappy” Tool will be developed as a flexible tool that will serve a range of alternative functions to the formal complaint process. It will allow the OPC to create forms on a variety of privacy-related topics or issues, accessible via its website. It will provide Canadians with a quicker, simpler alternative to the formal privacy complaint form to share concerns on privacy and give the OPC the ability to send follow-up notices related to ongoing significant privacy investigations and initiatives to Canadians when possible.
Risk Area Identification and Categorization
a) Type of program or activity | Risk scale |
---|---|
Program or activity that does NOT involve a decision about an identifiable individual | 1 NO |
Administration of program or activity and services | 2 YES |
Compliance or regulatory investigations and enforcement | 3 NO |
Criminal investigation and enforcement or national security | 4 NO |
b) Type of personal information involved and context | Risk scale |
---|---|
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 YES |
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 YES |
Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 NO |
Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 NO |
c) Program or activity partners and private sector involvement | Risk scale |
---|---|
Within the institution (among one or more programs within the same institution) | 1 YES |
With other government institutions | 2 NO |
With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 NO |
Private sector organizations, international organizations or foreign governments | 4 NO |
d) Duration of the program or activity | Risk scale |
---|---|
One-time program or activity | 1 NO |
Short-term program or activity | 2 NO |
Long-term program or activity | 3 YES |
e) Program population | Risk scale |
---|---|
The program's use of personal information for internal administrative purposes affects certain employees. | 1 NO |
The program's use of personal information for internal administrative purposes affects all employees. | 2 NO |
The program's use of personal information for external administrative purposes affects certain individuals. | 3 YES |
The program's use of personal information for external administrative purposes affects all individuals. | 4 NO |
f) Technology and privacy | Risk scale |
---|---|
Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? | YES |
Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? | NO |
Specific technological issues and privacy: Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities: | NO |
g) Personal information transmission | Risk scale |
---|---|
The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 NO |
The personal information is used in a system that has connections to at least one other system. | 2 YES |
The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 NO |
The personal information is transmitted using wireless technologies. | 4 NO |
h) Potential risk that, in the event of a privacy breach, there will be an impact on the individual or employee | YES |
i) Potential risk that, in the event of a privacy breach, there will be an impact on the institution. | YES |
Categorization of Risks using a Common Risk Scale
The following table summarizes the results of the standardized risk assessment above:
Identified Risk Categories | Aggregate Risk Rating |
---|---|
No. of program characteristics identified as “low” risk (TBS Level 1 or 2) | 5 |
No. of program characteristics identified as “moderate” risk (TBS Level 2 or 3) | 3 |
No. of program characteristics identified as “elevated” risk (TBS Level 3 or 4) | 1 |
No. of unaccounted or other potential privacy risks | 0 |
Overall risk rating for the OPC’s “Snappy” Tool | Low |
Based on a summary analysis of program characteristics, the OPC’s “Snappy” Tool, in general, is likely to present a low risk to the privacy of individuals.