Privacy Impact Assessment for Summits

Executive Summary

As the federal government’s center of expertise on foreign affairs and international trade, DFAIT provides ongoing benefits to Canadians by leading a government wide approach to formulating and implementing policies on foreign affairs and international trade, as well as related programs; concentrating on the department’s core business in order to advance Canada’s global agenda as it relates to the key issues of peace and security, trade and investment, and international law and human rights, while making full use of the department’s geographic expertise worldwide; promoting international trade and commerce through initiatives such as negotiation of agreements to open and/or expand markets, facilitation of two way trade and investment, and encouragement of innovation by means of international partnerships for science and technology commercialization; offering passport, consular and international commercial services, as well as timely and practical information on international issues and managing Canada’s missions worldwide (i.e. the Government of Canada’s international platform).

More specifically, one of DFAIT’s program activities is to engage Canadian stakeholders and partners as well as foreign governments and international players; raise awareness and understanding of Canada’s policies, interests and deliver international programs onCanada’s behalf to address specific international issues. Officers from the political/economic and trade commissioner streams of the Foreign Service and non-rotational officers at headquarters perform these duties.

When hosted byCanada, DFAIT is the lead department for all types of summits:

  • Asia-Pacific Economic Cooperation (APEC)Summit
  • Economic Summits (G6, G7, G8, G20)
  • Arab League Summits
  • Earth Summits
  • Youth Summits
  • CommonwealthSummit
  • La Francophonie Summit
  • European Summits
  • North American Leaders’Summit
  • Summitof theAmericas
  • South American Summits
  • Inter-Korean Summits

DFAIT is, and has been for many years, responsible for organizing and/or participating in approximately 3 to 4 summits per year.

To meet this responsibility the Summits Management Office (SMO) was set up by the Government of Canada to coordinate and organize summits.  The SMO is responsible for coordinating the activities required for the planning and executing of summits, such as: liaison with various DFAIT bureaus and divisions, protocol, accommodation, overall logistics, communication, and accreditation and transportation.  The SMO works in parallel with the relevant DFAIT bureaus and divisions involved in the architecture of the summit; as well as other government departments (OGDs) such as the Royal Canadian Mounted Police, and the Department of National Defense for other aspects such as security, and accreditation. Most of these activities involve the collection, use and disclosure of personal information.

Given that there are common aspects in the organization of summits such as logistics, communications, guest arrangements etc., DFAIT, in consultation with the Office of the Privacy Commissioner, agreed to the development of a general Privacy Impact Assessment (PIA) for all types of summits in lieu of developing a PIA each time a summit must be organized.

As such the completed PIA only examined the common aspects of the program delivery that involved the collection, use, retention or sharing of the personal information collected to administer any and all summits hosted by the Prime Minister of Canada. Further, since the planning of summits tends to involve both Canadians and the international public, various governmental departments here in Canada and abroad, the scope of the PIA covered only what DFAIT collects, uses and stores (with mention of others for clarity and perspective).

Through the PIA process, it was confirmed that the requirements of the Privacy Act were adequately met.  However, two (2) privacy risks were identified as a result of the PIA, all of which can be reasonably mitigated.  The table below summarizes the privacy risks identified in the PIA, and categorizes the level of risk as low, moderate or high.  Risk is defined by a factor of both impact and likelihood of occurrence.  The goal of risk management is to maintain privacy risks within acceptable bounds.  The higher ratings provide an indication of priority areas for implementing suggested risk mitigation mechanisms.

ElementNature of riskLevel of riskMitigating Mechanisms
Individuals must be informed about how their personal information is collected, used and disclosed.The SMO provides for an Application Declaration that is completed by an individual prior to providing personal information.  While the Applicant Declaration informs the individual about how their personal information is collected, used and disclosed, it does not provide information about the Personal Information Bank that the information is described in.  This presents a risk that the individual is unaware of where they might look for their information should they wish to request it.LowIt is recommended that the SMO amend its Application Declaration notices at all points of collection to include the current PIB number (DFAIT PPU 904).
Retention and disposition authorities are under developmentTo date the retention and disposition for correspondence and communications relative to the SMO and its mandate is 2 years and then destroyed.  Accreditation information is retained during the period of the summit and then it is destroyed or purged from the third party contractor’s accreditation system upon completion of the summit final report and the authorization from the SMO.

Although the SMO is looking to update its current retention and disposal practices, some SMO staff is unsure/unaware of the retention and disposal standards that should be applied to the personal information within their custody and control.

LowIt is to be noted that DFAIT Information Management Services provides their expertise and support to SMO staff that are unsure of the correct procedure for the retention and disposal of SMO records, however, it is recommended that retention and disposal schedules be formalized and staff be trained in the proper handling and disposal of summit records.