A Preliminary Privacy Impact Assessment (PPIA) was developed on the National Routing System’s (NRS) Pilot Initiative query functionality that will be used by Passport Canada (PPTC) to validate vital statistics information in relation to determining passport entitlement. The rationale for completing a PPIA is that the NRS was at an early stage of development. The design concept is being validated through the NRS Pilot Initiative. The PPIA addresses the NRS Pilot Initiative only.
This PPIA found minor privacy risks and offered options to mitigate them. Most of the risks identified were related to information management/information technology and the inherent risk associated with capturing, storing and transmitting personal information. The following summarizes the risks and the mitigation actions proposed:
Unauthorized individuals are able to view personal information. To mitigate this risk, Passport Canada has in place necessary authentication safeguards that control access to the technical and physical infrastructure that will be used for the pilot.
Data that is being routed between partners has the risk of either being routed to an unauthorized entity or of being intercepted by unauthorized persons. To mitigate this risk, the data are encrypted at source using approved cryptographic methods and are not decrypted until they reside on the receiving organization’s secure internal network.
Unauthorized persons such as hackers gain access to a system that contains personal information. System security measures such as firewalls, network disconnection devices, virus detection and network monitoring software, and restricted access to the computing environment (physical protection of devices) are used to mitigate this risk.
The modification of personal information once it is entered into the database is a risk. To mitigate this risk, PPTC policy requirements for internal logging and access controls appear appropriate to deter internal modification.
The PPIA Report did not identify any privacy risks that would warrant a PIA. A Threat and Risk Assessment will be carried out to complement the risk analysis carried out in the PPIA. Furthermore, if NRS design changes are contemplated, an analysis should be undertaken to determine whether or not a PIA is required.
This section summarizes various issues that have been identified during the course of this preliminary privacy risk assessment. The Birth Certificate Verification System will not interact directly with Passport applicants who submit information to PPTC. Furthermore, the Secure Channel’s Secure Message Routing System does not deal with “content” per se insofar as it is a “routing” application receiving requests from Passport, transmitting them to the pertinent provincial vital statistics organization and “routing” the information back to Passport for processing of the results. The applications facilitate the verification element associated with the current process used to determine an individual’s entitlement to a Canadian Passport. In this context, very few “direct” or new privacy issues exist.
Risk Definition: The issue of authentication usually arises in the context of wanting to know who is providing information or accessing a particular system in order to ensure that only authorized individuals see the personal information in question.
Risk Assessment: In this instance, authentication requirements are limited to Passport personnel. Passport applicants do not access the birth certificate or the applications. Passport Canada has in place necessary authentication safeguards that control access to the technical and physical infrastructure that will be used for the pilot.
Risk Definition: Data that is being routed between partners has the risk of either being routed to an unauthorized entity or of being intercepted by unauthorized persons.
Risk Assessment: The risk of this interception is very unlikely and would result in only one record being compromised, as compared to an inappropriate access event. To mitigate this risk, the data are encrypted at source using approved cryptographic methods and are not decrypted until they reside on the receiving organization’s secure internal network. The NRS Pilot Initiative would ensure that data are transmitted in a secure manner and according to standards agreed upon by the partners. The use of Secure Channel and its additional security features (e.g. encryption of message traffic) further mitigates this risk.
Risk Definition: There is always the very real risk that unauthorized persons such as hackers will gain access to a system that contains personal information.
Risk Assessment: Addressing the subject of inappropriate access is best done by ensuring that access to personal information by support or PPTC personnel is limited to a “need to know” basis. Only individuals who are permitted access to the pilot system (i.e. systems administrators and pilot staff) will have access to the personal information processed by the applications in question (birth certificate information). Access logs will be used to identify those who access the applications and may be used as a mechanism to monitor such access. The use of system security measures such as firewalls, network disconnection devices, virus detection and network monitoring software, and restricted access to the computing environment (physical protection of devices) will further mitigate this risk.
Risk Definition: Modification of information in a privacy context arises as a concern about identity theft or about the accuracy of the information (and the corresponding need to correct it if inaccurate and to provide notice of the correction). For passport application-related personal information, modification of such information is only possible once it is entered into the database.
Risk Assessment: PPTC policy requirements for internal logging and access controls appear appropriate to deter internal modification, or to identify such modification should it occur after the information is entered into the database. The information in question in this PPIA is birth certificate information that is taken as is and transmitted for verification as is. In this sense, the information is not modified. There is, however, the possibility of human error at the data entry stage. Internal adjudication of query responses by the Security Section, to confirm the validity of the query results received by PPTC, will reduce the risk of “false negatives.” Moreover, no administrative decision will be taken by PPTC until such reviews and, where required, investigations by the RCMP are concluded.
Risk Definition: Passport applicants give their consent to have the information they provide verified and security queries conducted. This consent obviously encompasses the validation of vital event information (such as birth certificate information) and verifying the status of the registration (i.e. for flags such as death or lost/stolen status flags).
Risk Assessment: In the context of passports, consent of applicants is explicit and implicit. This is seen on the Application Form where:
Applicants thus consent to have their vital event information validated and the privacy related risk is therefore nil.