Integrity database services: Privacy impact assessment summary

On this page

Section I: Overview and privacy impact assessment initiation

Government institution

Public Works and Government Services Canada

Overview and privacy impact assessment initiation

Micheline Nehmé, Director General, Forensic Accounting Management Group

Head of the government institution or delegate for section 10 of the Privacy Act

Rachelle Delage, Manager, Policy and Governance, Access to Information and Privacy Directorate

Name of program or activity of the government institution

Integrity Programs and Services is the program and Operational Integrity Services is the sub-program

Classes of records associated with the program or activity

There are five classes of records related to this program. The classes of records and their description are as follows:

Personal information bank

Proposal to modify an existing personal information bank for the Integrity Assessment Program

Legal authority for program or activity

Summary of the project, initiative or change

As stewards of public funds and the main service provider for government procurement, Public Works and Government Services Canada has an overall duty to exercise due diligence in dealing with suppliers of goods and services and providers of space under leases.

Over time, the department has put in place numerous measures to protect the integrity of its operations. Despite these measures, concerns grew that there were instances where the department could and had inadvertently awarded contracts and leases to suppliers who had demonstrated fraudulent and unethical business practices.

To address this, in July 2012, the department consolidated oversight measures and extended the list of offences that render convicted suppliers ineligible to do business with Public Works and Government Services Canada, into a formal Integrity Framework, which was further strengthened in November 2012 and March 2014.

The objective of the Integrity Framework is to ensure that procurement and real property transactions are carried out free of influence or corruption, collusion, and fraudulent activities, and that the Government of Canada does not inadvertently support organizations or individuals with criminal convictions, or who have plead guilty but received an absolute or conditional discharge. The Integrity Framework requires, in part, the following certification:

Prior to the introduction of the department's Integrity Framework, a means to verify supplier certifications did not exist. Suppliers involved in fraudulent and unethical business conduct could still be successful in winning government contracts. Consequently, the Departmental Oversight Branch created the Integrity Database Services in 2012, to assist in this objective.

A small group of staff working in the Departmental Oversight Branch developed the integrity database and is tasked with its maintenance and update. Furthermore, they are responsible for processing requests from procurement and leasing officers to conduct supplier verifications. The database collects and stores information on specific convictions and absolute or conditional discharges of offences listed under the Integrity Framework, for which a supplier, its members of the board of directors and affiliates would be prohibited from being awarded a contract or real property transaction.

The Integrated Data System validates information from suppliers to determine if a conviction or absolute or conditional discharge exists that will deny them business on Public Works and Government Services Canada transactions. Moreover, the department will continue these validation exercises after the contract or real property agreement award to monitor the supplier throughout the lifecycle of the contract or real property agreement.

Integrity Database Services supports the Integrity Framework objectives by providing a consistent and reliable approach in verifying supplier information, to ensure that contracts are awarded to suppliers who abide by the law.

Scope of the privacy impact assessment

This privacy impact assessment is a revised version of the privacy impact assessment submitted to the Office of the Privacy Commissioner on May 29, 2012. The initial privacy impact assessment was submitted prior to the implementation of the Integrity Database Services. Although the business processes were well understood by the department, since the Integrity Database Services' inception, several changes have occurred while some work flows specified in the initial privacy impact assessment have been altered. Therefore, this privacy impact assessment aims to achieve the following goals:

Table 1: A summary of what has changed since the initial privacy impact assessment
Initial privacy impact assessment Description of changes
The program was initially identified as Integrity Assessment Program The program is a service which will be referred to henceforth as the Integrity Database Services
The description and provisions of the Integrity Framework The description of the Integrity Framework has been updated to reflect the following changes:
  • removal of the leniency exemption
  • introduction of the public interest exception
  • inclusion of nine new offences
  • introduction of a 10 year time limit from date of conviction
  • additional debarment condition to include a guilty plea with a conditional or absolute discharge
  • inclusion of offences in foreign jurisdictions that are similar to the Canadian offences listed in the provisions
Public Works and Government Services Canada may pay user fees for open source search engine services Public Works and Government Services Canada will not be using open source search engine services. The only service for which the Departmental Oversight Branch pays are for court records from various court systems, and for corporate registry searches
The Integrity Assessment Program database may be populated with information obtained from media outlets or other less reliable open sources The integrity database is and will only be populated with confirmed convictions from authentic sources. Media and other less reliable sources will not be utilized

The database has only ever stored data from such sources as:

  • Canada Revenue Agency for tax evasion
  • the Competition Bureau for convictions under the Competition Act (Provincial and territorial government sources)
  • Court conviction data, which is available through the Canadian Legal Information Institute (CanLII)Footnote 1 website and from federal, provincial and territorial courts
  • Royal Canadian Mounted Police (RCMP): criminal records obtained after consent has been provided by the individual
The Integrity Assessment Program will share a monthly report on the program's database to select individuals within Public Works and Government Services Canada A monthly report was never created. There are no proactive disclosures of information
The sharing of conviction information will be provided to Public Works and Government Services Canada branches and other government department clients The Integrity Database Services confirms a positive match for an offence; however, the sharing of conviction details is only provided to the client senior manager in circumstances in which the supplier disputes the existence of the conviction
The Integrity Assessment Program database was developed using Microsoft Access A SQL database was created in fiscal year 2013 to 2014, which is more stable and secure. In the near future, it will also support a secure web portal allowing Integrity Database Services clients to submit requests and review results ("no match" or "match confirmed"). As with the current process by email, the results available through the web portal will be restricted to a whether a match resulted from a search of the database or not
The Integrity Assessment Program may share conviction information with the Industrial Security Sector to support re-assessments of company or individual security screening levels The Integrity Database Services has not and will not share conviction information with the Industrial Security Sector to support assessments or individuals for security screening
Reference to the director general and director within the Departmental Oversight Branch responsible for the implementation and roll-out of the Integrity Framework, including their involvement in the Integrity Database Services was not originally included in the original submission A director general and a director within the Departmental Oversight Branch provide oversight on Public Works and Government Services Canada's Integrity Framework Policy and any response to questions regarding the database verification and agreements with other government departments seeking services. In this role, the director general and director may have access to any of the information collected by the Integrity Database Services, but not the database itself

Section II: Risk area identification and categorization

Table A: Description of the privacy risks associated to the type of program or activity for which the privacy impact assessment is describing the program
Type of program or activity Level of risk to privacy
Program or activity that does not involve a decision about an identifiable individual 1 (does not apply)
Administration of programs, activity and services 2 (applies)
Compliance or regulatory investigations and enforcement 3 (does not apply)
Criminal investigation and enforcement or national security 4 (does not apply)

The Departmental Oversight Branch is responsible for providing the oversight required to ensure that the department's integrity and credibility are protected through effective management practices and sound stewardship of public funds. As part of that responsibility, employees of the branch will administer the Integrity Database Services to assist the other branches of the department in ensuring that departmental operations are being carried out with prudence, probity and transparency. The Integrity Database Services will also assist other government departments or agencies and crown corporations after entering into a memorandum of understanding (MOU).

Table B: Description of the privacy risks associated to the types of personal information involved and its context
Type of personal information involved and context Level of risk to privacy
Only personal information provided by the individual, at the time of collection, relating to an authorized program and collected directly from the individual or with the consent of the individual for this disclosure/with no contextual sensitivities 1 (does not apply)
Personal information provided by the individual with consent to also use personal information held by another source/with no contextual sensitivities after the time of collection 2 (does not apply)
Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual 3 (applies)
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive 4 (does not apply)

Public Works and Government Services Canada will store information in a database of individuals and companies convicted and absolutely or conditionally discharged of certain Canadian and foreign offences in the past 10 years which would render them ineligible to be awarded a procurement or real property transaction.

Table C: Description of the privacy risks associated to partners involved in the collection, use, or disclosure of personal information
Program or activity partners and private sector involvement Level of risk to privacy
Within the institution 1 (applies)
With other federal institutions 2 (applies)
With other or a combination of federal, provincial and municipal government(s) 3 (applies)
Private sector organizations, international organizations or foreign governments 4 (applies)

Information within Public Works and Government Services Canada is collected and is responsibly disseminated to internal clients to ensure the department is addressing its legislative mandated responsibility for ensuring integrity in procurement and real property transactions. Public Works and Government Services Canada will also disseminate limited verification results to other government departments with whom the Integrity Database Services has entered into a memorandum of understanding (MOU) to provide integrity verifications. Specifically, the Integrity Database Services collects data on a particular list of offences that would render a supplier ineligible from being awarded a contract or real property transaction. The Integrity database is populated from reliable, authentic and publicly available sources:

If the company or individual disputes the presence of such a conviction, the Integrity Database Services will share the conviction specifics with a senior manager of the Public Works and Government Services Canada Branch or other government department so that the company and/or individual in question can be informed.

Table D: Description of the duration of the program or activity
Duration of the program or activity Level of risk to privacy
One time program or activity 1 (does not apply)
Short-term program 2 (does not apply)
Long-term program 3 (applies)

The Integrity Database Services is designed to assist in ensuring greater integrity in procurement and real property transactions.

Table E: Description of the population affected by the program
Program population Level of risk to privacy
The program affects certain program participants (employees) for internal administrative purposes 1 (does not apply)
The program affects all employees for internal administrative purposes 2 (does not apply)
The program affects certain individuals for external administrative purposes 3 (applies)
The program affects all individuals for external administrative purposes 4 (does not apply)

Any supplier bidding for or that has entered into a contract or real property transaction issued by Public Works and Government Services Canada for which the integrity provisions are included will be affected by this program. This includes members of the board of directors of the company, parents of the company, subsidiaries or other affiliates wherein direct or indirect control can be established. Similarity, this will also affect any suppliers bidding on contracts or real property transactions with any other government department or agency who has included the Integrity Framework into their procurement documentation and has entered into an agreement with the Integrity Database Services for verification services.

A "yes" response to any of the below indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.

Table F: Description of the privacy risks associated to the use of technology
Technology and privacy Level of risk to privacy: yes or no?
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? Yes
Does the new or modified program or activity require any modifications to information technology (IT) legacy systems and services? No
Does the new or modified program or activity involve the implementation of one or more of the following technologies? N/A
Enhanced identification methods
No
Use of surveillance
No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques
Yes

Currently, the Departmental Oversight Branch manually conducts verifications against the Integrity database; however, once the system is automated, the system will perform an electronic data match to determine if any offences stored in the database match an existing or potential supplier. If a match occurs with an individual, the database will notify requesting procurement or leasing officers of a match, which will prompt the collection of a consent form so that Public Works and Government Services Canada can validate the conviction with the RCMP. In validating the conviction, the RCMP may require fingerprints. Court documents from the court of conviction will be collected to assist in validating the accuracy of the match.

Table G: Description of the privacy risks associated to the information technology transmission of personal information
Personal information transmission Level of risk to privacy
The personal information is used within a closed system 1 (applies)
The personal information is used in system that has connections to at least one other system 2 (does not apply)
The personal information is transferred to a portable device or is printed 3 (does not apply)
The personal information is transmitted using wireless technologies 4 (does not apply)

Conviction and absolute or conditional discharge information collected will be stored electronically in a database on the Public Works and Government Services Canada Protected B network (access is restricted to only those who require access). Information transmitted to or from other branches and other departments is currently conducted via email, however it will be performed through a secure web portal allowing branches and other government departments the ability to submit supplier information for a verification query and to view results. The results provided are limited to whether the supplier has been convicted or absolutely or conditionally discharged of any of the offences for which Public Works and Government Services Canada would preclude the awarding of a contract of real property transaction. If a match occurs, the individual will be asked to provide consent for a criminal records check with the RCMP. Initially, it will be a name based check; however, the RCMP may require fingerprints to validate the conviction or discharge.

Table H: Description of the potential risk that, in the event of a privacy breach, there will be an impact to the individual or employee
Risk impact to the individual or employee Level of risk to privacy
Inconvenience 1 (does not apply)
Reputation harm or embarrassment 2 (applies)
Financial harm 3 (applies)
Physical harm 4 (does not apply)

The types of personal information collected may cause embarrassment or financial harm to a company or an individual due to adverse information being collected on a company or individual which may result, if public, in a company's being denied a contract with private sector organizations. If personal information collected is released, this may cause reputation harm or embarrassment.

Table I: Description of the privacy risk impact to the institution submitting the privacy impact assessment, Public Works and Government Services Canada
Risk impact to the individual or employee  Level of risk to privacy
Managerial harm 1 (does not apply)
Organizational harm 2 (does not apply)
Financial harm 3 (applies)
Reputation harm, embarrassment or loss of credibility 4 (applies)

Consequently, Public Works and Government Services Canada may experience financial impact if it denies or cancels existing contracts or real property agreements due to inaccurate information or alternative may have cause reputational harm to the government.

Date modified: