Privacy Impact Assessment for Official Events

Executive Summary

The Office of Protocol at the Department of Foreign Affairs and International Trade (DFAIT) has the responsibility of organizing all official events and ensuring appropriate hospitality arrangements are made. The Office of Protocol receives service requests from the Prime Minister’s Office, the Privy Council Office, Geographic Sections, and Other Government Departments (OGDs).

As such, the Office of Protocol plans, coordinates and implements all official events in Canada and abroad; facilitates the presence in Canada of foreign representatives and their dependents; plans, coordinates and implements all official visits to Canada; plans and coordinates official international travel by the Governor General of Canada, the Prime Minister and Ministers in DFAIT’s portfolio; and provides for ministerial and officials’ representation at international conferences.

The Official Events System (OES) is used by the Office of Protocol to support the management of official events hosted by the Government of Canada. The OES replaces the Hospitality System that was originally implemented for the Office of Protocol in 1998. The new OES incorporates new features and portability requirements providing a more robust and flexible system.

The OES is a three (3) tier system composed of:

  1. a stand-alone Windows application (Fat Client) as the user interface (UI) tier;
  2. a component for business rules which run on the client Signet 3 Workstation; and
  3. the backend SQL Server 2005 used as the data repository.

The OES is used internally, by departmental staff members of the Official Events Division located at DFAIT Headquarters. The user base of the OES is restricted to nine (9) staff members. There is an administrator who manages the overall system configuration and the users who capture information about events and registration procedures.

An event is an occasion for DFAIT’s Ministers, on behalf of the Government of Canada, to host a dinner, a reception, a luncheon, etc. For example, an official event may be a small luncheon, or it could be a state dinner with more than 800 invited guests. The OES user records the address and telephone information of each guest, which permits the user to prepare seating arrangements, menus, invitations and place cards.

In capturing information about events, the OES user collects the following personal information of the guest(s):

  • guest name and spouse (if applicable)
  • organization name
  • title
  • address
  • telephone number
  • gender
  • language of preference
  • and any special instructions (allergies, food preferences, etc. if applicable)

The personal information is first collected by the host of the event who provides the information to the Office of Protocol, who in turn, invites the individuals identified on the guest list.

While the Office of Protocol is adequately compliant and uses best practices in ensuring the requirements of the Privacy Act are met, two (2) privacy risks have been identified as a result of the Privacy Impact Assessment (PIA), both of which can be reasonably mitigated. The table below summarizes the privacy risks identified in the completed PIA, and categorizes the level of risk as low, moderate or high. Risk is defined by a factor of both impact and likelihood of occurrence. The goal of risk management is to maintain privacy risks within acceptable bounds. The higher ratings provide an indication of priority areas for implementing suggested risk mitigation mechanisms. The table presents a variety of mitigation mechanisms, some of which are posed as alternatives to others.

Risk 1

  Element: There are no disposition schedules for the retention and destruction of the personal information collected via the OES.
  Nature of risk: There is no established retention schedule for these records.
  Level of risk: High
  Mitigating mechanisms: Retention and disposal schedules should be established by DFAIT’s Office of Protocol in consultation with the ATIP Secretariat in order to meet Record Disposition Authority requirements.

Risk 2

  Element: Current practice at DFAIT places the onus on the employee to make themselves aware of the policies and procedures relating to security and privacy.
  Nature of risk: There are no requirements for an employee to complete mandatory privacy training or training in the classification and designation of documents.
  Level of risk: Low
  Mitigating mechanisms: It is recommended that DFAIT put in place mechanisms to verify whether employees have taken the appropriate level of security awareness and privacy awareness training commensurate with their duties and functions. Security awareness and privacy awareness training should take place within 6 months of the employee’s start date in DFAIT.