A Privacy Impact Assessment (PIA) report was developed for the Passport Canada (PPTC) Information Interchange with Correctional Services Canada (CSC) Project. The objectives of the PIA were to determine if there were privacy risks associated with the project, and, if so, to provide recommendations on mitigation measures.
The project addressed the sharing of personal information of offenders under the jurisdiction of CSC with PPTC so as to allow PPTC to more effectively administer its mandate of passport issuance and revocation.
The exchange of information contemplated under a Memorandum of Understanding (MOU) supports PPTC’s authority to enforce certain provisions of sections 9 and 10 of the Canadian Passport Order (CPO).
The objective of the project was to establish a protected electronic sharing of personal information of offenders under the jurisdiction of CSC with PPTC. This gives PPTC an awareness of individuals who are current offenders under federal responsibility and thus facilitates its discretionary capacity in the issuance, refusal, or revocation of a passport.
Under the terms of the MOU, CSC provides PPTC with current information relating to individuals (both incarcerated and paroled) within its federal jurisdiction. Where such an individual applies for a passport or holds an existing passport, PPTC informs CSC of the situation and communicates its decision relating to passport issuance, refusal, maintenance or revocation.
The approach to the planned information sharing involves the daily exchange of information between CSC and PPTC through a secure, on-demand, private connection between the two organizations.
From a single, designated workstation, authorized personnel within the PPTC Security Bureau establish a secure connection to a secure CSC file transfer facility and initiate the information exchange.
Data relating to the personal information of offenders under the jurisdiction of CSC is transferred to PPTC. Data relating to requests for offender profile refreshes and decisions pertaining to passport issuance, refusal, and revocation are transferred to CSC.
Upon receipt of CSC offender data, a PPTC process updates its System Lookout facility with a subset of each offender profile (for passport issuance & entitlement purposes) and places each full profile in a secondary offender repository accessed exclusively by PPTC security analysts and investigators during the course of a detailed applicant investigation.
The data exchange takes place on a daily basis. Directives within the incoming CSC data cause the addition, replacement, or removal of offender profiles at the PPTC location, thus ensuring the data is current and reliable.
Offender personal information is safeguarded at PPTC through a number of security measures that include data encryption, data access restriction, as well as access and activity logging.
This report identified the following privacy risks, and included recommendations to mitigate the risks. Revisions of the MOU are currently underway.
PPTC’s passport issuance system, IRIS, currently does not maintain an audit trail of users who read the System Lookout list. The privacy risk is that it would not be possible to determine who has viewed an offender’s personal information. This same risk exists today in regard to other personal information maintained within the System Lookout list.
Recommendation 1: IRIS should be enhanced to provide a read-audit capability. The secondary offender repository described in the PIA, which contains the full set of offender information, including the offender photographs, will provide read auditing capability.
Recommendation 2: Promote awareness among passport examiners and security analysts of the sensitivity of personal information.
Access to personal information by support personnel should be limited to a “need to know” basis. The privacy risk is that some support personnel could unnecessarily have access to personal information.
Recommendation 3: Access profiles of support personnel should be established to limit access to a need-to-know basis. Logging and auditing of activities, together with an ongoing, periodic awareness program for support personnel on the sensitivity of personal information, will further reduce this risk.
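The daily directive processing described above (add, replace or remove of offender profiles, with a subset copied into System Lookout and the full profile held in the secondary repository) and the read-audit and need-to-know controls of Recommendations 1 and 3 can be illustrated together. The following is an added example written for this summary; it is not PPTC, IRIS or CSC code. The JSON-lines directive format, the field names, the role names and all sample values are assumptions constructed for the illustration.

```python
# Added illustration of the daily directive processing, the lookout subset /
# full-profile split, read auditing and role-based access described in the PIA
# summary. This is NOT PPTC/IRIS/CSC code; the directive format, field names,
# roles and all sample values are assumptions constructed for the example.
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Roles allowed to read the full profile in the secondary repository (assumed:
# the summary says only security analysts and investigators use it).
REPOSITORY_ROLES = {"security_analyst", "investigator"}
# Fields copied into the System Lookout subset (assumed field names).
LOOKOUT_FIELDS = ("surname", "given_names", "date_of_birth", "status")


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    offender_id: str
    store: str      # "lookout" or "repository"
    outcome: str    # "read" or "denied"


class OffenderStore:
    """Holds the lookout subset, the full-profile repository and a read-audit log."""

    def __init__(self):
        self.lookout = {}      # offender_id -> subset used for entitlement checks
        self.repository = {}   # offender_id -> full profile, investigations only
        self.audit_log = []    # every read attempt, successful or denied

    def apply_directives(self, directive_lines):
        """Apply one day's ADD / REPLACE / REMOVE directives (assumed JSON-lines format)."""
        counts = {"ADD": 0, "REPLACE": 0, "REMOVE": 0}
        for line in directive_lines:
            d = json.loads(line)
            op, oid = d["directive"], d["offender_id"]
            if op in ("ADD", "REPLACE"):
                profile = d["profile"]
                self.repository[oid] = dict(profile)
                self.lookout[oid] = {k: profile[k] for k in LOOKOUT_FIELDS}
            elif op == "REMOVE":
                self.repository.pop(oid, None)
                self.lookout.pop(oid, None)
            else:
                raise ValueError(f"unknown directive {op!r} for {oid}")
            counts[op] += 1
        return counts

    def _audit(self, user, role, oid, store, outcome):
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, oid, store, outcome))

    def read_lookout(self, user, role, oid):
        """Lookout reads are open to examiners, but every read is logged (Recommendation 1)."""
        self._audit(user, role, oid, "lookout", "read")
        return self.lookout.get(oid)

    def read_full_profile(self, user, role, oid):
        """Full-profile reads are restricted by role and logged, denials included (Recommendation 3)."""
        if role not in REPOSITORY_ROLES:
            self._audit(user, role, oid, "repository", "denied")
            raise PermissionError(f"{user} ({role}) may not read full profiles")
        self._audit(user, role, oid, "repository", "read")
        return self.repository.get(oid)


# Constructed sample feed: one day of directives (all values are made up).
SAMPLE_DIRECTIVES = [
    json.dumps({"directive": "ADD", "offender_id": "CSC-0001", "profile": {
        "surname": "DOE", "given_names": "JOHN", "date_of_birth": "1980-01-01",
        "status": "INCARCERATED", "photo_ref": "img/0001.jpg", "institution": "EXAMPLE-INST"}}),
    json.dumps({"directive": "ADD", "offender_id": "CSC-0002", "profile": {
        "surname": "ROE", "given_names": "JANE", "date_of_birth": "1975-05-05",
        "status": "PAROLED", "photo_ref": "img/0002.jpg", "institution": "EXAMPLE-INST"}}),
    json.dumps({"directive": "REPLACE", "offender_id": "CSC-0001", "profile": {
        "surname": "DOE", "given_names": "JOHN", "date_of_birth": "1980-01-01",
        "status": "PAROLED", "photo_ref": "img/0001.jpg", "institution": "EXAMPLE-INST"}}),
    json.dumps({"directive": "REMOVE", "offender_id": "CSC-0002"}),
]


def run_example():
    """Apply the sample feed, then perform one permitted and one denied read of each store."""
    store = OffenderStore()
    counts = store.apply_directives(SAMPLE_DIRECTIVES)
    subset = store.read_lookout("examiner1", "passport_examiner", "CSC-0001")
    try:
        store.read_full_profile("examiner1", "passport_examiner", "CSC-0001")
    except PermissionError:
        pass  # the denial is still recorded in the audit log
    full = store.read_full_profile("analyst1", "security_analyst", "CSC-0001")
    return store, counts, subset, full


if __name__ == "__main__":
    store, counts, subset, full = run_example()
    print(counts, subset, full is not None)
    for entry in store.audit_log:
        print(entry)
```

The point of the split is that the lookout subset never carries the photograph or institution, so the data most passport examiners touch is the minimum needed for entitlement checks, while the audit log records who read what in both stores, including refused attempts, which is what a read-audit capability has to provide before the question "who viewed this offender's information" can be answered.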
PPTC provides CSC with a numeric identifier relating to an employee in two instances: first, when a refresh of an offender’s information is requested, and again once a decision has been made regarding an offender’s application for a passport.
In both instances, the numeric identifier of the employee making the ‘refresh request’ or of the employee who made the decision on the passport application is sent to CSC. This is a requirement of CSC so that it can satisfy its Access to Information obligations by identifying who has seen an offender’s personal information.
The safety risk is that an offender or former offender could obtain, under the Access to Information Act, the identity of the PPTC employee, potentially placing the employee at risk of harm.
Recommendation 4: To mitigate this risk, procedures relating to responding to requests for information under the Access to Information Act should consider the employee’s personal safety and apply discretion in the disclosure of their identity.
The system described in the PIA exchanges encrypted data files containing personal information using a secure VPN connection between PPTC and CSC. The PPTC Security Bureau maintains the set of accounts and passwords that can access the VPN connection.
The risk of inappropriate access is that an unauthorized individual may obtain access to the account and password credentials and therefore be in a position to access data files that contain personal information.
Recommendation 5: The custodian of the set of accounts and passwords should be clearly identified, and the credentials should be maintained in a secure, well-controlled location.
PPTC IT Security has developed and implemented IT security incident response procedures (ITSIRP) as part of Management of Information Technology Security (MITS) compliance.
The PIA report identified a number of privacy risks that can readily be mitigated by taking appropriate measures. The issues related to limiting data access, auditing data access, and protecting the identity of PPTC personnel. The majority of the identified issues constituted a low level of risk materialization, and no issue was assessed as presenting a high level of risk materialization.