Industrial Security Program—Release of personal security screening information: Privacy impact assessment summary
This Privacy impact assessment is in relation to a proposal to substantially modify personal information bank (PIB) Public Works and Government Services Canada (PWGSC) PCU 015. Among the changes to the personal information bank is a thorough description of the consistent uses of personal information collected by the Industrial Security Program of the Canadian Industrial Security Directorate. In addition to sharing personal information with the Royal Canadian Mounted Police (RCMP), Canadian Security Intelligence Service (CSIS) and credit bureaus in furtherance of determining a person's eligibility in the program, the consistent uses of personal information includes sharing some personal information (that is, screening and security clearance information) to a select group of authorized persons. Those authorized persons include Public Works and Government Services Canada's (PWGSC) procurement officers, project authority officials and authorized security officials. Authorized security officials are the following government officials: departmental security officers and unit security officers, and the following private sector officials: company security officers and alternate company security officers.
The disclosure of "screening and security clearance information" will be done via two methods, telephonically and through the future expansion of the Online Inquiry Service, a web-based application currently used by some of the authorized persons in obtaining the needed "screening and security clearance information". The expansion of the Online Inquiry Service will include the inclusion of authorized persons who are currently not users of the system. Also, it will include the release of additional information that is not currently available to existing authorized users.
Moreover, the revised personal information bank includes a reference to the sharing of personal information with the department's Controlled Goods Program, which is also referenced in their personal information bank, PWGSC PIB PCU 045.
The purpose of the Industrial Security Program is to safeguard Protected and Classified information and assets entrusted to industry for contracts administered by Public Works and Government Services Canada and, on request, for contracts administered by other government departments. Part of that mandate is to assess a person's eligibility for a screening or security clearance level to work for the government, on a government contract, or to respond to a request for proposal.
A person typically applies for a screening or security clearance level through a departmental security officer (a government authorized security official) or a company security officer (a private sector authorized security official). When applying, a person's signature authorizes the sharing of personal information to facilitate the investigation of the person's eligibility to hold a particular screening or security clearance level. Once the screening or security clearance level is granted, the person's status or clearance level is "held" by the organization (governmental department or private sector company) that submitted the application.
In furtherance of its goal to assist in facilitating the awarding of government contracts to authorized persons, it has historically been common practice for the Canadian Industrial Security Directorate to release details of a person's screening status or security clearance level regardless of which organization held the clearance. The information was released to authorized security officials, the department's procurement officers and project authority officials only, and contained the least amount of information possible for these persons to staff government contracts or respond or award bids to a request for proposal.
In October 2008, the directorate implemented a short-term solution that required consent forms from individuals, as well as attestation forms from authorized security officials (stating they would not misuse the information). While addressing this short-term solution, PWGSC PIB PCU 015 was identified as falling far short of what is required of a personal information bank.
In addition to better explaining the personal information collected and its consistent uses, the scope of this project is to eliminate the need for consent forms, while also revising PIB PCU 015 (referenced on all security forms) so that it succinctly and precisely spells out the personal information collected and how and why the directorate uses it.
In essence, this project desires "screening and security clearance information" to be released to authorized security officials, Public Works and Government Services Canada's procurement officers and project authority officials upon their request (after validation of their identity). The screening and security clearance information desired to be released to these persons would be done through the directorate's call centre, as well as the expansion of a web-based application (Online Inquiry Service) to allow users the ability to verify the information electronically. The Online Inquiry Service would be expanded, but would also include mandatory search criteria to eliminate random searching by such indiscrete fields as "first name".
This resulted in meetings between multiple agencies who have related personal information banks involving personnel security. These meetings involved Public Works and Government Services Canada (specifically the Canadian Industrial Security Directorate), Treasury Board Secretariat (TBS), the RCMP and Department of Defence (DND) in reference to the following personal information banks:
- PWGSC PIB PCU 015, Industry Personnel Clearance and Reliability Records
- TBS PIB PSU 917, Personnel Security Screening
- DND PIB PPU 834, Personnel Security Investigation File
- RCMP PIB PCU 065, Security/Reliability Screening Records
A collaborative effort is underway among these agencies to revise Treasury Board security clearance forms (TBS/SCT 330-23 and TBS/SCT 330-60) while also aligning each agency's personal information banks with similar language. Therefore, the revised personal information bank may be amended to accommodate this parallel effort with the Treasury Board Secretariat, the Department of National Defence and the RCMP. Moreover, changes to the Privacy Act statement and consent declaration of TBS/SCT 330-23 and TBS/SCT 330-60 in Annex D and E may also occur.
For private sector authorized security officials, the information is provided only if the person in whom they are inquiring about is an employee of their organization, or the person has provided an appropriate consent form.
The information is obtained by contacting the call centre, who validates the identity of the authorized individual, verifies consent is provided (if necessary) and emails the information in the following table to the authorized individual. The call centre requires the authorized security official to provide the individual's name and date or birth, or name and personnel identification number. As most individuals do not know their personnel identification number, the use of an individual's date of birth is the only means available to properly identify an individual from the 350,000+ persons in the database.
For some authorized users, the information can also be obtained through the Online Inquiry Service. For private industry persons, the security currently in place allows private sector authorized security officials access to their own employees only. The Online Inquiry Service capabilities are expanded for Public Works and Government Services Canada users, wherein they can view the name of the organization that holds the clearance.
Proposed future explanation of information and data values
The Canadian Industrial Security Directorate proposes to provide to authorized security officials, Public Works and Government Services Canada's procurement officers and project authority officials on all persons in the Industrial Security Program.
An authorized person could obtain this information from the call centre in the same manner that is used currently, or through the Online Inquiry Service. The Online Inquiry Service would be expanded to include the data fields or elements below.
To avoid private companies from randomly searching on competitors, mandatory search criteria will be used. A determination regarding the types of mandatory search criteria will be determined at a later date.
Table A: Screening and security clearance information released to authorized persons (proposed)
The table identifies the personal information proposed to be disclosed to authorized security officials, Public Works and Government Services Canada's procurement officers and project authority officials on all persons in the Industrial Security Program.
|Data field||Explanation of data field or data values|
|Name||Name of individual|
|Date of birth||Individual's date of birth|
|Personnel identification number||Number assigned to individual by the Canadian Industrial Security Directorate and associated to the directorate's file|
|Name of organization holding person's screening or clearance||
|Date initiated||Date security forms were submitted to the Canadian Industrial Security Directorate|
|Date completed||Date eligibility assessment was completed|
|Date granted||Date the level was granted|
|Date of renewal||Date the level requires renewal|
As with the current practice, it is imperative to note that the status of "denied" is not permitted to be released to anyone. Although the status is used by Canadian Industrial Security Directorate for those persons whose application was denied, privacy issues preclude the directorate from releasing that status. For those persons whose status has been denied, the directorate releases the status of "close-out".
As indicated in the table, the directorate wishes to continue using the same data elements with the addition of releasing the name of the organization that holds the individual's clearance. By including this additional data element, companies that are bidding on government requests for proposal are able to check the status of a person's screening or clearance, as well as the name of the organization that holds the clearance. This data is necessary in order for the many types of companies to submit a bid to a request for proposal, submit proposed personnel to an open contract competition and for the Government of Canada to ensure that properly cleared individuals and companies are being chosen to perform work on contracts that include security considerations. Moreover, in some fields where government contracts include a prime contractor and multiple layers of subcontractors, it is important for the prime contractor to verify security clearance information on sub-contractors.
Elimination of the consent form
Through this privacy impact assessment and the parallel effort of amending Treasury Board forms and the personal information banks of Public Works and Government Services Canada, Treasury Board Secretariat, the RCMP and the Department of National Defence, the Canadian Industrial Security Directorate desires to eliminate the need for the consent forms that have been in place since October 21, 2008.
Identification of privacy risks
During this privacy impact assessment, several privacy risks were identified. In fact, privacy risks were the driving force behind Canadian Industrial Security Directorate management's decision to halt the current, yet long-standing practices, of the Industrial Security Program. In revising the personal information bank and completing the privacy impact assessment, the following risks were identified and addressed:
- The current personal information bank's description includes an individual's social insurance number (SIN). In the past, the program has required the SIN to obtain a credit report. Since the authoring of the personal information bank, a person's SIN is not required to obtain a credit report. Therefore, the revised personal information bank in Annex C no longer includes SIN as a piece of personal information collected. All records of SINs collected in the past have been purged from the directorate's database
- The current personal information bank was not all encompassing regarding the types of information collected by directorate. The proposed revised personal information bank provides a comprehensive categorical list of information that may be collected by directorate
- The current personal information bank did not mention that sources other than Public Works and Government Services Canada can be used to collect personal information. It has long been acceptable for authorized security officials, with the consent of the individual, and on behalf of the Government of Canada, to collect personal information and provide it to the directorate. The revised personal information bank includes the collection procedures by sources other than the department
- The current personal information bank, under "classes of individuals" noted "industry personnel." That distinction is also not an exhaustive list of the classes of individuals with whom the directorate collects information. The revised personal information bank provides a complete and comprehensive list
- The current personal information bank, under "purpose", was not as explanatory as needed. The revised personal information bank provides a more thorough depiction, as well as notes that the Financial Administration Act and the Governmental Security Policy provides the authority to the department to collect and share the information obtained
- The current personal information bank provided "none" under the description of consistent uses. This was the most glaring problem with the personal information bank. The revised personal information bank provides succinct and thorough explanation of the consistent uses of the information collected. It iterates that information collected supports decisions made by the directorate regarding a person's eligibility in the program. It also reflects five areas of specific information sharing: RCMP, CSIS and credit bureau for requisite checks, as well as Public Works and Government Services Canada's Controlled Goods Program and the sharing of some personal information with authorized persons for the purpose of fulfilling personnel requirements as defined in government contracts. The proposed sharing of personal information will be provided in accordance with Section 8(2)(a) of the Privacy Act. This is the most vital of the revised personal information bank and the reason for the personal impact assessment. It will allow the directorate to disclose a person's clearance or screening status, which will aid the Government of Canada in awarding contracts. It will also allow private sector officials with the ability to verify personnel and organization security information in order to respond to government requests for proposal and real property needs
- The current personal information bank provided a retention and disposal explanation that was not exhaustive. In the revised personal information bank, the retention standard reflects two years following the last administrative use. As some clearances are valid for 10 years, the retention schedule hinges on the term "administrative use", which includes termination of the employee from a contract or employment, cancellation of the security clearance or screening or expiration of the security clearance or screening. The disposal standards have also been properly identified as being sent to Library and Archives Canada for destruction, except for copies of forms kept by private industry, which destroy their documents themselves. Regarding the records held by private industry, destruction guidelines must be done in accordance with the Industrial Security Manual, section 511
- The directorate must address the 350,000+ individuals who signed the TBS/SCT 330-23 and/or TBS/SCT 330-60 form in its current state. Representatives from Public Works and Government Services Canada and the Office of the Privacy Commissioner are in discussions to identify any necessary notification methods. Preliminary discussions have identified one likely solution: to notify the company security officers, who will notify their employees of the revisions to the Treasury Board Secretariat forms and the personal information bank. As part of their role as security officials in the program, the directorate relies on company security officers to perform myriad tasks. Enlisting their services is not only an extension of these duties, but is the most effective means available to ensure that 350,000 individuals are given notice of the changes to the personal information bank and Treasury Board Secretariat forms. Also, the directorate will be posting a communiqué in a prominent position on the website to assist in this notification effort. The communiqué in Annex G is a draft version of what will be posted on the website. It may be amended or altered completely once Treasury Board Secretariat revises their forms associated with personnel screening (TBS/SCT 330-23 and TBS/SCT 330-60)
To conclude, the privacy risks that exist with the current personal information bank and the accompanying operating procedures of the directorate are being addressed as a result of this privacy impact assessment, and the revised personal information bank and proper communication to those affected will be ensured.
- Date modified: