Privacy Impact Assessment for Extractive Sector Corporate Social Responsibility (CSR) Counsellor

Executive Summary

The Office of the Extractive Sector Corporate Social Responsibility (CSR) Counsellor was established in 2009 as part of the Government of Canada’s CSR Strategy for the International Extractive Sector. Broadly speaking, the Strategy is designed to help Canadian mining, oil and gas companies meet their social and environmental responsibilities when operating abroad. The Office of the CSR Counsellor has a mandate to review the CSR practices of Canadian companies operating outside of Canada and to advise stakeholders on recognized best practices and endorsed performance standards.

The Office has built itself on the principles of transparency, completing extensive national and international stakeholder consultations and establishing (and communicating) the rights and obligations of both parties. However, once the Office determined that it needed to collect personal information (the contact information of panel members, requesters and responding parties, as well as their personal opinions and life experiences), it became subject to the additional compliance obligations of the Privacy Act, the Privacy Regulations and the surrounding governance. Consequently, a Privacy Impact Assessment (PIA) was developed to assess the privacy implications involved, identify any privacy risks and develop mitigating measures for these risks as required.

While the principles of transparency and the obligation to safeguard confidential information remain intact, there are some administrative issues that need to be addressed for the Office to be compliant with the requirements of the legislation and supporting governance. All of the issues that have been identified are administrative in nature; there are no compliance issues that would prevent the Office from moving forward on its intended path.

In summary, the Office of the CSR Counsellor is collecting limited personal information from the general Canadian public. The PIA identified a few mandatory items that needed to be addressed with the program in order for it to be compliant with the Privacy Act. However, none of the risks identified (listed below) prevent the program from moving forward. Once these risks are mitigated, the personal information will be collected, used and disclosed in accordance with the federal Privacy Act. At the time the PIA was completed:

  1. the notice provided to individuals at the point of collection did not meet the mandatory requirements for the provision of notice and required updates to reflect the purpose of the collection and the intended disclosures.
  2. the particular Personal Information Bank registered with Treasury Board Secretariat did not reflect the intended uses and disclosures of the personal information that is collected. It also required updates to more accurately reflect the class of individuals to whom the personal information relates.
  3. the personal information submitted by participants could potentially be taken by the Counsellor or her staff across borders into countries that do not have the same privacy protections as Canada. This would be a serious risk. The program was required to establish a formal policy to either NOT take the information across borders or to inform individuals about this risk prior to the collection of the personal information.
  4. DFAIT had an extensive processing manual but needed to update its governance in the form of a Privacy Protocol, a Privacy Breach Protocol and Privacy Impact Assessment Guidelines. All three of these items are a requirement of the TBS Directives from April 2010. This was not a consideration for the Office of the Counsellor but is something that should be considered by the Coordinator for Access to Information and Privacy at DFAIT. This is currently underway.
  5. Program officers for the Office of the CSR Counsellor should work with Information Management staff and the ATIP Secretariat to identify preferred retention and destruction standards and to apply to the Chief Archivist for a Records Destruction Authority.
  6. DFAIT should update its training modules to reflect the information that is a requirement in the TBS Directives from April 2010. While it is understandable that the department is currently focussed on communicating responsibilities under the Access to Information Act, there should be priority given to train individuals that handle personal information regarding their role and responsibility in safeguarding the information.
  7. DFAIT should work with the department’s webmasters to have the link to the Access to Information and Privacy Secretariat corrected. Currently, the landing page comes up with an error statement.
  8. DFAIT should consider dating the summaries for the Privacy Impact Assessments so that individuals can gather a sense of when the programs were last assessed. This is not a mandatory requirement, but is considered an industry best practice.

As a result of the PIA, please find below a list of risks and their mitigating measures for the Office of the Counsellor for CSR, and in some cases, for DFAIT on a general level.
Each risk below lists the privacy element(s) affected, the nature of the risk, the level of risk (Low, Moderate or High) and the mitigating mechanisms.

Risk 1
  Elements: Notice, Use, Disclosure
  Level of risk: High
  Nature of risk: The notice that is provided at the point of collection does not accurately reflect the uses and disclosures intended for the personal information.
  Mitigating mechanisms: The notice statement must be updated prior to the collection of personal information. A draft notice is being provided by way of this PIA.

Risk 2
  Elements: Notice, Use, Disclosure
  Level of risk: High
  Nature of risk: The particular personal information bank for the program does not accurately reflect all of the uses and disclosures intended for the personal information.
  Mitigating mechanisms: Program officers for the Office of the Counsellor should work with ATIP officials to have the PIB entry updated and published in InfoSource.

Risk 3
  Elements: Disclosure, Safeguarding
  Level of risk: High
  Nature of risk: There is the potential that staff from the Office of the Counsellor will carry personal information with them into countries that do not have the same privacy provisions as Canada.
  Mitigating mechanisms: The Counsellor is currently considering options and will choose to either 1) not take personal information with them when travelling to other countries, or 2) provide notice of the risks associated with cross-border travel to the participants at the point of collection, allowing them to make an informed choice about participation.

Risk 4
  Elements: Accountability, Safeguarding
  Level of risk: Moderate
  Nature of risk: Governance within DFAIT requires updating to meet the requirements of the new TBS Directives and the federal Privacy Act.
  Mitigating mechanisms: DFAIT should consider developing its own internal Privacy Protocol, based on the TBS model, as well as creating a Privacy Breach Protocol and Privacy Impact Assessment Guidelines.

Risk 5
  Elements: Retention
  Level of risk: Moderate
  Nature of risk: Currently, there are no defined retention standards or destruction authorities for the program, allowing the possibility that the personal information will be destroyed before authorized or held longer than is appropriate.
  Mitigating mechanisms: The Office of the CSR Counsellor should work with DFAIT Information Management and the ATIP Secretariat to define preferred retention standards and to apply to the National Archivist for a Records Destruction Authority.

Risk 6
  Elements: Accountability, Use, Disclosure, Safeguarding
  Level of risk: Low
  Nature of risk: Currently, the training materials at DFAIT do not meet the requirements of the TBS Directives from April 2010. There is the risk that program officers are not aware of their responsibility to safeguard personal information.
  Mitigating mechanisms: DFAIT should update its privacy training materials to meet the requirements of the April 2010 Directives. A formalized training plan for privacy training is recommended to ensure those handling personal information are aware of their obligations.

Risk 7
  Elements: Openness
  Level of risk: Low
  Nature of risk: The link to ATIP information on the DFAIT website is not functioning, preventing individuals from researching how they can access their personal information.
  Mitigating mechanisms: DFAIT should update the link to the Access to Information and Privacy landing page available to the public on its website, as it is not currently functioning.

Risk 8
  Elements: Openness
  Level of risk: Low
  Nature of risk: DFAIT does not currently date its PIA summaries on the web, so individuals would not be aware of when programs were last assessed.
  Mitigating mechanisms: While not a requirement, dating PIA summaries is considered to be a best practice and should be considered by DFAIT.