In the mid-1990s the Treasury Board of Canada Secretariat (TBS) introduced the Shared Systems Initiative (SSI), which was intended to streamline systems development and management, develop a common information management and information technology (IM/IT) infrastructure, and make effective use of IT in government administration and service delivery.
The Department of Foreign Affairs and International Trade (DFAIT) has introduced the Info Bank to replace the Department’s existing electronic and paper-based document management methods for information up to the Protected A security designation. The Info Bank is based on the Government of Canada’s (GoC) Records and Document Information Management System (RDIMS), which flowed from the SSI. The implementation of Info Bank is assisting DFAIT to improve information capture, usage and disposal, and to provide a standard, unified method of managing documents and records.
In November 2007 a Preliminary Privacy Impact Assessment (PIA) was conducted by TBS, the Department of Finance, and the Canada Public Service Agency to determine if there was privacy issues associated with the RDIMS; and to provide recommendations on measures to avoid, control and mitigate privacy issues or risks identified. DFAIT also developed a PIA for Info Bank. Since Info Bank is very similar in nature to the RDIMS, the PIA was limited in focus to identifying any potential risks associated with the differences between DFAIT’s Info Bank and the TBS RDIMS PPIA.
As such, DFAIT’s PIA examined the aspects of the business model and data-flows as well as the policies and procedures relating to the Info Bank. It identified and evaluated any potential risks to the privacy of the personal information maintained within the system and recommended possible options for mitigating any risks that were identified. The PIA also evaluated existing privacy safeguards at the time the PIA was completed in order to determine whether they were sufficient to avoid or mitigate potential privacy risks and to determine if additional privacy safeguards were required.
While the requirements of the Privacy Act were adequately met, two (2) privacy risks were identified in the PIA, both which could be reasonably mitigated. The table below summarizes the privacy risks identified in the PIA, and categorizes the level of risk as low, moderate or high. Risk is defined by a factor of both impact and likelihood of occurrence. The goal of risk management is to maintain privacy risks within acceptable bounds. The higher ratings provide an indication of priority areas for implementing suggested risk mitigation mechanisms.
Nature of risk
Level of risk
Timely deactivation of user accounts
Any delay in disabling a user’s access rights to Info Bank is a concern in that these individuals could continue to access Info Bank until their account is deactivated.
Privacy and security awareness for all employees
Lack of appropriate security markings could result in the inappropriate sharing or storage of personal information.