PIA for the Intrusion Detection and Access Control (IDAC) System

Executive Summary

DFAIT represents Canada world-wide through a global network of embassies, High Commissions, consulates and diplomatic offices. These sites are supported by DFAIT Headquarters (HQ) located in Ottawa, Lester B. Pearson Building, 125 Sussex Drive which is the primary site for the Intrusion Detection and Access Control (IDAC) system’s operation. DFAIT has a total of 11 satellite offices within the National Capital Area (NCA). All of these NCA offices are serviced by the IDAC system at HQ, in one way or another, making it the largest operational IDAC system in DFAIT. DFAIT also has 11 Regional Offices, in every province and territory across Canada, but none were connected to the IDAC system at the time the PIA was completed, therefore these offices were out of scope for the PIA. Specifically, the Halifax Regional Office has since been added to the system and the Moncton and Toronto Regional Offices will be added in the near future.

In the vast majority of NCA sites the IDAC system is used in concert with guard forces to control physical access into DFAIT office spaces. Sites without a guard force presence are secured at all times and access is controlled via the IDAC system. All sites are also protected against illegal intrusion by the monitoring afforded via their IDAC system. This system reports all alarms to the security control center at DFAIT headquarters and guards respond depending on each site's requirements.

The Domestic Security Division of DFAIT is responsible for this activity including the IDAC system.

Individuals that are not employees of DFAIT and requiring access to a site must complete an Identification and Building Access Card Application form. The information requested on the form includes personal information such as name, first name, initials, phone number, signature and photo.

Individuals are well informed of the authority and purposes for the collection of their personal information as well as the related uses, disclosure, retention and disposal through the Privacy Notice Statement on the form. In cases where individuals refuse to provide their personal information, they will not be granted access.

The personal information collected, including a photo of the individual, is only used for the purpose of making a Access Card that allows the individual access to certain parts of the building. At the time the PIA was completed, there were no retention and disposal schedules in place.  Since the completion of the PIA, these schedules have been developed and implemented.  Specifically, the personal information collected through the above form and or stored in the IDAC system is retained for two years after the expiry date of the access card and is destroyed thereafter.

Individuals to whom the personal information pertains have a right to the protection of, access to and correction of their personal information under the provisions of the Privacy Act. Therefore, all access to the IDAC system is logged and is audited as required. Furthermore, the personal information collected for the purposes described herein and on the Identification and Building Access Card Application form is protected under the provisions of the Privacy Act and therefore, is only disclosed in accordance with that Act.

Privacy Risks

The following is a list of privacy risks resulting from the subject PIA along with the mitigation measure(s).

  1. At the time the PIA was completed, there were no retention and disposal schedules in place.  Since the completion of the PIA, these schedules have been  developed and implemented.  Specifically, the personal information collected through the above form is retained for two years after the expiry date of the access card and is destroyed thereafter. (Medium)
  2. At the time the PIA was completed, the Privacy Notice Statement on the Identification and Building Access Card Application form referred to the Government Security Policy dated 2002, which was replaced by the Policy on Government Security dated July 1st, 2009. The Privacy Notice Statement on the form has since been revised accordingly. (Low)