Receiver General Buy Button: Privacy impact assessment summary


Introduction

The implementation of the Receiver General Buy Button on Secure Channel clearly demonstrates the commitment of Public Works and Government Services Canada toward security and the protection of privacy and personal information collected from individuals. The publication of this summary of the privacy impact assessment will help to assure Canadians that the Government of Canada has undertaken significant measures to maintain the privacy of their personal information while using the buy button.

The Treasury Board's Privacy Impact Assessment Policy requires that the privacy impact assessment completed for the buy button be provided to and reviewed by the Office of the Privacy Commissioner. That formal review is now complete. The Office of the Privacy Commissioner has confirmed that, given the commitments made to address the specific privacy concerns raised in the privacy impact assessment, it is satisfied that the buy button poses few material privacy risks to Canadians. The Privacy Risk Management Plan addresses all privacy concerns raised in the privacy impact assessment in a satisfactory and appropriate manner.

The privacy impact assessment for the buy button identifies five privacy concerns, all of which are considered to be low in severity as they relate mostly to process documentation. These risks have been avoided or mitigated with the implementation of the recommendations in the Privacy Risk Management Plan.

Business model

The Receiver General Buy Button is a common service used by federal departments and agencies, and potentially other levels of government, for the electronic acceptance of payments and secure storage of related payment information. The buy button also provides convenient, reliable and secure payment services to Canadians and businesses during their online dealings with the federal government. Departments selling goods and services online can integrate their web storefronts with the buy button for the collection, authorization and secure storage of payment information provided by the public to complete business transactions.

The only personal information collected from the public by the buy button is the credit card number and expiry date. The buy button also collects from the selling government department, and retains, the transaction data required to process the transaction: the selling department's identification (ID), transaction type, departmental reference number, transaction amount and the language the customer last used on the selling department's website (so that the buy button web pages can be presented in the same language for consistency). The transaction data received from the department is assigned a buy button transaction ID, and the data collected from the customer is appended to that record.

Once the customer has chosen the goods and services to purchase on the selling department's web storefront, they can choose to pay online by credit card, in which case the buy button payment process will be invoked. Upon selecting this method of payment, the customer will be redirected to the buy button website to provide payment information in a secure format. At the same time, the selling department will send transaction information, such as department name, transaction ID and amount, to the buy button to display and append to the payment information provided by the customer.

The customer will then be prompted to provide a credit card number and expiry date for the payment, and must select the "proceed with payment" button to continue. When the "proceed with payment" button is chosen, the buy button generates and sends a payment authorization request to the payment service provider. Upon receipt of a response from the payment service provider, the buy button displays the appropriate receipt to the customer (approved or declined), and notifies the selling department of the results. The customer is then prompted to print the receipt and return to the selling department's web storefront to complete the business transaction or select another payment method.

The payment process requires a Secure Sockets Layer (SSL) version 3 session using 128-bit encryption throughout; SSL 3.0 has since been deprecated (RFC 7568), so this describes the configuration at the time of the assessment. Once the customer's personal information has been received, the credit card number is immediately encrypted by the buy button in secure transaction storage. From that point it cannot be retrieved in unencrypted form by departmental or administrative users, and it is used by the buy button only to obtain payment authorization from the payment service provider.

The customer's credit card number is masked (that is, marked out with a series of x's) during all administrative functions, screen displays and reports. In addition, refunds and other related transactions are performed by referencing the original purchase transaction, without having to provide the credit card number, so that the buy button can process the transaction using the encrypted credit card number already securely stored.
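The record flow described in the preceding paragraphs, modelled as an added Python example (this is not the buy button's own code): the department's transaction data receives a buy button transaction ID, the customer's card number is encrypted the moment it arrives and is kept beside a masked copy that is all administrative functions ever see, and a refund references the original transaction so that the caller never supplies or sees a card number. The cipher is a standard-library stand-in (an assumption, chosen so the example runs offline), the refund path decrypting internally to build the authorization request is an assumption about how a refund reaches the payment service provider, and `fake_psp`, the transaction ID format and the field names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional

# Stand-in cipher (assumption, stdlib only): a one-block HMAC-SHA256 keystream with an
# encrypt-then-MAC tag, enough for a PAN-sized secret. A real vault would use AES-GCM.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    if len(plaintext) > 32:
        raise ValueError("stand-in cipher handles PAN-sized data only")
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ks = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored card data failed integrity check")
    ks = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

def mask(pan: str) -> str:
    """All but the last four digits marked out with x's, as on screens and reports."""
    return "x" * (len(pan) - 4) + pan[-4:]

@dataclass
class Transaction:
    txn_id: str
    dept_id: str
    txn_type: str
    dept_ref: str
    amount_cents: int
    language: str
    card_masked: Optional[str] = None   # the only card form administrative functions see
    card_sealed: Optional[bytes] = None  # ciphertext, decrypted solely to build a PSP request
    expiry: Optional[str] = None
    status: str = "pending"
    refunded_cents: int = 0

class BuyButton:
    def __init__(self, vault_key: bytes, psp: Callable[[str, str, str, int], str]):
        self._key, self._psp = vault_key, psp
        self._store: Dict[str, Transaction] = {}

    def begin(self, dept_id, txn_type, dept_ref, amount_cents, language) -> str:
        """Department sends its transaction data; the buy button assigns the transaction ID."""
        txn_id = "BB-" + secrets.token_hex(6)
        self._store[txn_id] = Transaction(txn_id, dept_id, txn_type, dept_ref, amount_cents, language)
        return txn_id

    def proceed_with_payment(self, txn_id: str, pan: str, expiry: str) -> str:
        """Customer presses 'proceed with payment': validate, encrypt at once, then authorize."""
        txn = self._store[txn_id]
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("invalid card number")
        txn.card_sealed, txn.card_masked, txn.expiry = seal(self._key, pan.encode()), mask(pan), expiry
        txn.status = self._authorize(txn, "purchase", txn.amount_cents)
        return txn.status

    def refund(self, txn_id: str, amount_cents: int) -> str:
        """Refund by reference to the purchase: the caller never supplies or sees the card number."""
        orig = self._store[txn_id]
        if orig.status != "approved" or orig.txn_type != "purchase":
            raise ValueError("only an approved purchase can be refunded")
        if amount_cents <= 0 or orig.refunded_cents + amount_cents > orig.amount_cents:
            raise ValueError("refund exceeds the refundable balance")
        rid = self.begin(orig.dept_id, "refund", orig.dept_ref, amount_cents, orig.language)
        r = self._store[rid]
        r.card_sealed, r.card_masked, r.expiry = orig.card_sealed, orig.card_masked, orig.expiry
        r.status = self._authorize(r, "refund", amount_cents)
        if r.status == "approved":
            orig.refunded_cents += amount_cents
        return rid

    def _authorize(self, txn: Transaction, op: str, amount_cents: int) -> str:
        # The one code path that decrypts the card number, and only to reach the PSP.
        return self._psp(op, unseal(self._key, txn.card_sealed).decode(), txn.expiry, amount_cents)

    def admin_view(self, txn_id: str) -> dict:
        """Screen/report view: masked card only, never the ciphertext or plaintext."""
        view = asdict(self._store[txn_id])
        del view["card_sealed"]
        return view

def fake_psp(op: str, pan: str, expiry: str, amount_cents: int) -> str:
    """Constructed stand-in for the payment service provider; declines one test number."""
    return "declined" if pan.endswith("0002") else "approved"
```

Two design choices carry the privacy properties the page describes: the masked copy is written at collection time so that screens and reports never touch the ciphertext, and decryption happens in exactly one place (the authorization call), which is the path a reviewer audits. The refund also tracks the amount already refunded against the original purchase, so a refund by reference cannot exceed what was paid.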

The objectives for the buy button, pertinent to privacy considerations, are to ensure that no unauthorized data matching, data sharing, data aggregation or access to personal information is permitted. These objectives are directly congruent with the basic infrastructure design and building requirements of the Secure Channel. In addition, the buy button provides administrative tools that facilitate responding to access to information requests and provide the ability to maintain a legally binding audit trail.

Using the buy button payment process is a matter of choice by the customer and, therefore, consent is inherent in that choice. Nevertheless, the customer is given the opportunity to review the buy button privacy and security statement and the privacy notice before submitting personal information. Furthermore, the customer has the option of cancelling the transaction and returning to the selling department's website to choose another method of payment, should one be available.

The privacy and security statement describes the purpose of collection, use, and disclosure of all personal information obtained by the site, and the personal information bank (PIB) where the information is securely stored. The privacy notice summarizes the privacy policy and practices adhered to on the site.

Data analysis

As previously noted, the only personal information collected from the public by the Receiver General Buy Button is the credit card number and expiry date. This information is appended to the transaction data received from the selling government department and disclosed to the payment service provider solely for the purpose of obtaining payment authorization during transaction processing. The credit card number is encrypted and stored securely by the buy button, along with the appended transaction data, as a record. An individual's credit card number is masked (that is, marked out with a series of x's) in all reports, administrative functions and screen displays.

Privacy risk management

The privacy concerns and risks identified during the Receiver General Buy Button privacy impact assessment are summarized below. This section also outlines how these risks have been avoided or mitigated with the implementation of the corresponding mitigation strategies recommended in the Privacy Risk Management Plan.

Privacy management

Privacy concern #1

There is no indication that privacy issues and obligations on data sharing are addressed in third-party contracts and agreements between the Receiver General, Secure Channel, financial institutions and individual departments and agencies.

Privacy risk #1

The privacy impact assessment identifies a risk that the obligation to protect, limit the use of and restrict access to personal information may not be explicitly communicated with all participating parties.

Privacy risk avoidance or mitigation measure

Ensuring privacy and the protection of personal information is of paramount importance to both the Receiver General and Secure Channel. The existing credit card services contract for the federal government requires the payment service provider to provide levels of data and processing security and integrity that are standard within the banking industry. In addition, with the existing contract set to expire on December 31, 2005, the Receiver General is currently taking action to ensure that the new contract for credit card services will include specific security and privacy clauses to promote compliance with Crown policy.

Public Works and Government Services Canada has more recently detailed extensive requirements in the Secure Channel contract with its third party service provider for the protection and non-disclosure of personal information. Specific clauses are included to ensure the contractor complies with all provisions of the Privacy Act and protects any personal information collected, handled or stored during the course of the contract.

Privacy concern #2

The accountability for privacy, as opposed to security and confidentiality, and specific responsibilities of owners and custodians of personal information has not been identified, documented and communicated.

Privacy risk #2

There is a risk that owners and custodians who collect personal information from individuals may not be fully aware of their legal responsibilities to protect the information. Similarly, they may not know or understand the nature and sensitivity of the personal information being collected.

Privacy risk avoidance or mitigation measure

The responsibility for safeguarding personal information which is managed, collected, used, disclosed, retained or disposed of by the Receiver General Buy Button has been specifically identified in the Secure Channel contract between Public Works and Government Services Canada and its third-party service provider. The contractor, as custodian of the personal information collected on behalf of the Crown, must ensure that its employees, agents and subcontractors are aware of the confidential nature of the personal information being handled, bound to hold the information in confidence and deal with it in accordance to the provisions set out in the Privacy Act.

Inappropriate access

Privacy concern #3

Safeguards to ensure that administrative staff in departments and agencies cannot link the personal data collected by the department while providing goods and services with the payment information held by the buy button are not readily identifiable.

Privacy risk #3

Administrative staff in departments may collect additional personal information during transaction processing, such as name and address, which could be used in conjunction with payment information to facilitate identity theft and credit card fraud. There may be an additional risk when a departmental administrator collects an individual's credit card number by telephone to process the transaction using the virtual point of sale function within the Receiver General Buy Button.

Privacy risk avoidance or mitigation measure

To mitigate this risk, access to the sensitive personal information collected from individuals by the Receiver General Buy Button (the credit card number) is prevented by encrypting it in transmission and in storage. Once the credit card number has been collected and encrypted by the Receiver General Buy Button, it cannot subsequently be retrieved in clear text by departmental or administrative users. An individual's credit card number is masked (that is, marked out with a series of x's) in all reports, administrative functions and screen displays.

To further address this concern, the departments' responsibility to properly administer the Privacy Act and the Financial Administration Act by ensuring, for example, the separation of administrative duties, is highlighted to program departments prior to and during integration to the buy button.

Retention and disposal

Privacy concern #4

Data retention and disposal procedures and the corresponding physical safeguards of data have not been developed and documented.

Privacy risk #4

There is a risk that personal data collected from individuals may become accessible if not stored and disposed of securely and in a timely manner.

Privacy risk avoidance or mitigation measure

Personal information collected by the Receiver General Buy Button is stored securely within the Secure Channel infrastructure and the secure data storage has been registered as a personal information bank (PIB). The physical safeguards for the protection of data contained within the secure data storage have been developed, implemented and tested successfully. In addition, data retention and disposal procedures have been developed in accordance with the standards identified in the National Archives Act and the Privacy Act.

Monitoring

Privacy concern #5

Although Internet Protocol (IP) addresses are considered to be personal information, the collection, retention and use of static IP addresses by the Receiver General Buy Button has not been identified.

Privacy risk #5

The public must be informed of the collection, use and disclosure of all personal information obtained from the public by the Receiver General Buy Button. Furthermore, the collection and retention of static IP addresses may pose a privacy risk to the extent that these addresses could be used to identify specific individuals.

Privacy risk avoidance or mitigation measure

The Receiver General Buy Button website uses software to monitor network traffic to detect intrusions into the network and to identify unauthorized attempts to upload or change information, or otherwise cause damage. This software receives and records the IP address of the computer that has contacted the website, the date and time of the visit, and the pages visited.

Network monitoring consists of the temporary capture of all network traffic and security analysis of this traffic by automated tools (no individuals can see all traffic). Only malicious activity is recorded and retained. There is no recording or retention of IP addresses deemed to be legitimate activity.
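The retention rule in the paragraph above, shown as an added Python example (not the monitoring software the site actually runs): every captured access log line is analysed, but only lines matching an indicator of an upload, change or damage attempt are written to the retained set with their IP address, date and time, and page; legitimate lines contribute only to a count and their address is discarded. The log lines and indicator patterns are constructed for the example, the addresses are taken from the documentation ranges, and the specific indicators the real tooling uses are not stated on the page.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample of web-server access log lines (Common Log Format). The addresses
# are documentation-range addresses; nothing here is a real buy button record.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2005:10:01:02 -0500] "GET /buybutton/pay?txn=BB-1 HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2005:10:01:07 -0500] "POST /buybutton/proceed HTTP/1.1" 200 204
192.0.2.44 - - [15/Mar/2005:10:02:11 -0500] "GET /buybutton/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
198.51.100.9 - - [15/Mar/2005:10:03:30 -0500] "PUT /buybutton/index.html HTTP/1.1" 405 0
203.0.113.7 - - [15/Mar/2005:10:04:01 -0500] "GET /buybutton/pay?txn=1'%20OR%20'1'='1 HTTP/1.1" 200 512
203.0.113.7 - - [15/Mar/2005:10:04:05 -0500] "GET /admin/ HTTP/1.1" 403 0
10.0.0.9 - - [15/Mar/2005:10:05:00 -0500] "GET /buybutton/receipt?txn=BB-1 HTTP/1.1" 200 733
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators (constructed) of attempts to upload or change information or damage the site.
INDICATORS = [
    ("upload_or_change_attempt", lambda m, p: m in ("PUT", "DELETE")),
    ("path_traversal", lambda m, p: "../" in p),
    ("injection_attempt", lambda m, p: re.search(r"'\s*(or|union)\b", p, re.I) is not None),
    ("admin_probe", lambda m, p: p.startswith("/admin")),
]

def classify(method: str, path: str) -> Optional[str]:
    """Return the first matching indicator name, or None for ordinary traffic."""
    decoded = unquote(path)  # decode %2e%2e and friends before matching
    for name, test in INDICATORS:
        if test(method, decoded):
            return name
    return None

def triage(log_text: str) -> Tuple[List[Dict[str, str]], int, int]:
    """Capture, analyse, and keep only flagged events.

    Returns (retained_events, lines_seen, lines_unparsed). Lines judged legitimate
    contribute only to the count; their IP address is never written to the retained set.
    """
    retained, seen, unparsed = [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seen += 1
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # malformed line: counted, no address extracted
            continue
        verdict = classify(m["method"], m["path"])
        if verdict is None:
            continue               # legitimate: the captured line, IP included, is dropped
        retained.append({"ip": m["ip"], "time": m["ts"], "path": m["path"],
                         "status": m["status"], "indicator": verdict})
    return retained, seen, unparsed
```

Run over the constructed sample, `triage` returns four retained events and none of the 10.0.0.x addresses, which is the property the privacy notice promises: an address survives the temporary capture only when it is attached to a flagged request.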

The privacy notice on the buy button website has been updated to identify to the public that IP addresses are temporarily recorded by software used to monitor network traffic for malicious activity. The notice further indicates that no attempt is made to link these addresses with the identity of individuals visiting the website unless a specific act to damage the site has been detected.

To further mitigate risk, Public Works and Government Services Canada will continue to ensure that either static IP addresses are not collected and retained or, if the information is deemed necessary for the effective delivery of the service, the necessary steps to advise individuals of the purpose of collection, use and disclosure of this information are taken.
