Minister's and Deputy Minister's correspondence process: Privacy impact assessment summary
The Ministerial and Deputy Ministerial Correspondence Directorate of Public Works and Government Services Canada is the functional authority for the minister's and deputy minister's correspondence. In this role, the directorate is responsible for reporting on the privacy impact assessment. This summary assesses the privacy issues and risks associated with the directorate's procedures and the ccmMercury document tracking system, in accordance with the Privacy Act and the Treasury Board of Canada Secretariat's Privacy and Data Protection Manual.
Directorate mandate overview
The Ministerial and Deputy Ministerial Correspondence Directorate works in partnership with branches to coordinate and monitor the minister's and deputy minister's correspondence, as well as to prepare replies. The directorate not only provides editing services for the minister and deputy minister, but also for the branch correspondence that will be signed on behalf of them. In addition to its main mandate, the directorate manages the electronic document tracking system, ccmMercury, and ensures that all users receive adequate training.
The ccmMercury software is used to track all correspondence except for constituency correspondence that is not processed in the department and is usually returned to the Parliament Hill office. Correspondence of a non-institutional nature is contained in a separate database that is purged when the minister leaves and restarted when a new one arrives.
The ccmMercury tracking system has not been designated as a data collection tool. The system only collects personal information incidentally as part of tracking the receipt of, action taken on and disposition of ministerial and executive correspondence. The department has little if any control over the type of personal information it receives from the outside or from its own employees.
Correspondence received is unsolicited and is seldom marked with regard to the document's sensitivity. It is therefore virtually impossible to ascertain the actual sensitivity of the information without viewing each piece of correspondence. The following table shows the types of personal information processed by the Ministerial and Deputy Ministerial Correspondence Directorate.
Table A: Data flow table for ccmMercury
|Personal information cluster type||Description of personal information cluster||Collected by||Format||Used by||Purpose of collection||Disclosed to||Storage or retention|
|Registration data cluster|| ||Ministerial and Deputy Ministerial Correspondence Directorate||Paper and/or electronic||Potentially the Minister, the Deputy Minister or an assistant deputy minister in Public Works and Government Services Canada, if assigned to file||To reply to correspondence||Potentially the Minister, the Deputy Minister or an assistant deputy minister in Public Works and Government Services Canada, if assigned to file||Six years for original (incoming and outgoing) correspondence or six months for working files or annexes|
|Imaging data cluster|| ||Ministerial and Deputy Ministerial Correspondence Directorate||Paper and/or electronic||Potentially the Minister, the Deputy Minister or an assistant deputy minister in Public Works and Government Services Canada, if assigned to file||To reply to correspondence||Potentially the Minister, the Deputy Minister or an assistant deputy minister in Public Works and Government Services Canada, if assigned to file||Six years for original (incoming and outgoing) correspondence or six months for working files or annexes|
Privacy risk management
The following section identifies a number of privacy risks in relation to the Ministerial and Deputy Ministerial Correspondence Directorate's procedures and the ccmMercury correspondence tracking system. This information is outlined in the privacy impact assessment. The risks are summarized below, together with the security and privacy measures taken to mitigate them following the Office of the Privacy Commissioner of Canada's recommendations.
- Accountability for personal information
- Personal information of third parties
- Consent to disclose personal information
- Collection of personal information
- Use, disclosure and retention of personal information
- Safeguarding personal information and training
- Security of the ccmMercury tracking system
Accountability for personal information
There are no rules in place to address what constitutes personal information and what personal information should be entered in the system.
Issue 1: Risk mitigation measures
In order to minimize privacy-related risks in the correspondence process, the Ministerial and Deputy Ministerial Correspondence Directorate has developed Security and Privacy Directives to ensure the secure handling of sensitive personal information at each stage of its life cycle.
These formal business rules establish standing operating procedures that address the types of personal information that may or may not be scanned into ccmMercury.
Specific responsibility for privacy issues has not been addressed. Multiple directorates hold different responsibilities for responses to ministerial and deputy ministerial correspondence. The accountability of information between these directorates is unclear and could lead to mismanagement of information and lack of trust.
Issue 2: Risk mitigation measures
Accountability issues have been addressed in the Security and Privacy Directives. The Ministerial and Deputy Ministerial Correspondence Directorate is the functional authority responsible for ministerial and deputy ministerial correspondence. As for the branches, rules now indicate to what extent they are responsible for the information contained in the responses (specifically for the production, marking, saving and transmission of the information).
Personal information of third parties
Personal information pertaining to third parties is sometimes included in correspondence. Scanning and retaining correspondence that contains personal information of third parties could result in the collection of information without the knowledge and consent of the individual.
Issue 3: Risk mitigation measures
The Ministerial and Deputy Ministerial Correspondence Directorate has created a definition of third party information as well as a rule on its handling, which can be found in the Security and Privacy Directives.
Consent to disclose personal information
When the organization collects information without explicit consent, there is a risk that it will subsequently be used without consent. The issue of consent arises when the personal information of correspondents must be disclosed to another institution (department).
Issue 4: Risk mitigation measures
By providing the information required to address their request or concern, correspondents give their implicit consent to the collection of personal information. As per the Ministerial and Deputy Ministerial Correspondence Directorate's mandate, it is inferred that personal information is not disclosed beyond its main purpose, which is to respond to correspondence. Consequently, the directorate is sometimes required to share personal information in accordance with paragraph 8(2)(a) of the Privacy Act, for the purpose for which it was obtained or compiled, or for a use consistent with that purpose, that is, to respond to the correspondence.
A written consent from the correspondent is therefore not necessary. The directorate is diligent in monitoring to ensure that personal information is not being shared for any other purpose.
In fact, a notice was added to the information on privacy currently on the Contact Us page, in both official languages, stating that personal information will only be used to respond to the visitors' requests, or to ensure the security of the system. It also indicates that the information is shared with another department when the inquiry relates to that department.
In the event that there is a need to disclose personal information to another department (such as in the case of a referral), the correspondent is advised in the reply that the directorate will forward a copy of his/her letter/email to another department to answer the inquiry. This procedure is also indicated in the Security and Privacy Directives.
Collection of personal information
Retaining superfluous personal information increases the harm that would result from unauthorized access or from access by those who do not have a need to know.
Issue 5: Risk mitigation measures
Rules were established in the Security and Privacy Directives providing detailed procedures that define what type and level of sensitive information may or may not be included in ccmMercury. For example, all unnecessary sensitive information has to be blacked out before the document is scanned.
As for the ccmMercury upgrade, Public Works and Government Services Canada maintains a Protected A level of security profile for its information technology (IT) environment that is consistent with most government departments. It should be noted that documents marked as Protected C, Secret and Top Secret are never scanned into ccmMercury. All Protected B documents will be kept in hard copy format, unless internal clients specify to proceed with the scanning, while blanking out Protected B information. Should an upgrade to Protected B profile become a Treasury Board initiative, the Ministerial and Deputy Ministerial Correspondence Directorate will comply with the requirement.
Use, disclosure and retention of personal information
The prevention of ccmMercury users from having unauthorized access to the system.
Issue 6: Risk mitigation measures
There are no secondary uses of personal information received by the Ministerial and Deputy Ministerial Correspondence Directorate and, as far as it can be determined, no unauthorized use of the information is anticipated.
Role-based access control for ccmMercury is already in use. Access rights are established in accordance with the different access groups within the directorate. Access to sensitive information is therefore restricted by means of this role-based access. User accounts are kept current by the use of the "Request for Access to the ccmMercury Application" form that is verified and approved by the Director of the Ministerial and Deputy Ministerial Correspondence Directorate. Unauthorized access is therefore not possible.
A quarterly cleanup of ccmMercury is conducted to revise the list of users of each branch and ensure access rights are up-to-date and the levels of access are consistent with each user's function.
A warning banner has been created to advise users that information in the system should only be used, disclosed and destroyed in accordance with the Government Security Policy and subsection 8(2) of the Privacy Act. In addition to this banner, a general security notice appears regularly on each workstation requiring the user to acknowledge his or her responsibilities with regard to the proper use of the applications available in the system. Moreover, the ccmMercury application can generate, upon request, a history of all users, accesses and records accessed.
There is a risk that sensitive personal information that is no longer required for an identifiable purpose may still be in the system, and employees who do not have a need to know may have access to it.
Issue 7: Risk mitigation measures
With regard to retention, personal information is destroyed when it is no longer required for an identifiable purpose or its maximum retention period has been reached. A file cleanup is also executed regularly.
- ccmMercury and paper copy: the National Archivist of Canada authorizes via a list the disposition of specific documents that no longer have operational or legal value and have been used in the past two years. If these documents are in ccmMercury, they are moved to its archives database, while paper copies are transferred to Library and Archives Canada, following a specific packaging procedure, for retention or destruction
- Shared drive: each section of the Ministerial and Deputy Ministerial Correspondence Directorate is responsible for the maintenance of its space on the shared drive. The files are sorted by year in order to purge them after the two-year mark, if they have not been accessed for any operational or legal use
Safeguarding personal information and training
ccmMercury user training does not address security or privacy issues, thus posing the risk that sensitive personal information may be entered into the system and be compromised.
Issue 8: Risk mitigation measures
The Ministerial and Deputy Ministerial Correspondence Directorate provided its employees with further training in security and privacy awareness in March 2007. It also continues to offer training to its new employees and to remind its personnel of the procedures to follow through routine meetings. The Security and Privacy Directives, distributed to each employee, have been created to reinforce the directorate's security measures and provide more stringent safeguards to protect personal information. In addition, mandatory training sessions, such as the one on Access to Information and Privacy and the one on information technology (IT) security, are provided to all employees. Training on security is added to each employee's annual learning plan.
Security of the ccmMercury tracking system
The security of the ccmMercury tracking system.
Issue 9: Risk mitigation measures
The certification and accreditation process has already been initiated by Information and Technology Services Branch Security, and a letter of accreditation will be issued confirming that the actual level of risk matches the acceptable level.
In conclusion, the Ministerial and Deputy Ministerial Correspondence Directorate has implemented these measures to address the potential privacy risks throughout the correspondence life cycle. The directorate has lowered the risk of access to sensitive information with proper security measures as defined within the privacy impact assessment.