Integrity database services: Privacy impact assessment summary
Section I: Overview and privacy impact assessment initiation
Public Works and Government Services Canada
Overview and privacy impact assessment initiation
Micheline Nehmé, Director General, Forensic Accounting Management Group
Head of the government institution or delegate for section 10 of the Privacy Act
Rachelle Delage, Manager, Policy and Governance, Access to Information and Privacy Directorate
Name of program or activity of the government institution
Integrity Programs and Services is the program and Operational Integrity Services is the sub-program
Classes of records associated with the program or activity
There are five classes of records related to this program. The classes of records and their description are as follows:
- General procurement services
- Asset management—Parliamentary precinct
- Linguistic contracts
- Real property
- Procurement and contracting
Personal information bank
Proposal to modify an existing personal information bank for the Integrity Assessment Program
Legal authority for program or activity
- Criminal Code of Canada, subsection 750(3)
- Financial Administration Act, paragraph 42(1)(c)
- Government Contracts Regulation, paragraph 18(1)(c)
- Department of Public Works and Government Services Act, section 21
Summary of the project, initiative or change
As stewards of public funds and the main service provider for government procurement, Public Works and Government Services Canada has an overall duty to exercise due diligence in dealing with suppliers of goods and services and providers of space under leases.
Over time, the department has put in place numerous measures to protect the integrity of its operations. Despite these measures, concerns grew that there were instances where the department could and had inadvertently awarded contracts and leases to suppliers who had demonstrated fraudulent and unethical business practices.
To address this, in July 2012, the department consolidated oversight measures and extended the list of offences that render convicted suppliers ineligible to do business with Public Works and Government Services Canada, into a formal Integrity Framework, which was further strengthened in November 2012 and March 2014.
The objective of the Integrity Framework is to ensure that procurement and real property transactions are carried out free of influence or corruption, collusion, and fraudulent activities, and that the Government of Canada does not inadvertently support organizations or individuals with criminal convictions, or who have plead guilty but received an absolute or conditional discharge. The Integrity Framework requires, in part, the following certification:
- all suppliers with their bids, certify that the company, its members of the board of directors and affiliates have not been convicted or absolutely and conditionally discharged of any of those offences in Canada or abroad in the past 10 years
- suppliers must provide the names of the members of their board of directors
- suppliers are required to diligently maintain up-to-date the information requested
Prior to the introduction of the department's Integrity Framework, a means to verify supplier certifications did not exist. Suppliers involved in fraudulent and unethical business conduct could still be successful in winning government contracts. Consequently, the Departmental Oversight Branch created the Integrity Database Services in 2012, to assist in this objective.
A small group of staff working in the Departmental Oversight Branch developed the integrity database and is tasked with its maintenance and update. Furthermore, they are responsible for processing requests from procurement and leasing officers to conduct supplier verifications. The database collects and stores information on specific convictions and absolute or conditional discharges of offences listed under the Integrity Framework, for which a supplier, its members of the board of directors and affiliates would be prohibited from being awarded a contract or real property transaction.
The Integrated Data System validates information from suppliers to determine if a conviction or absolute or conditional discharge exists that will deny them business on Public Works and Government Services Canada transactions. Moreover, the department will continue these validation exercises after the contract or real property agreement award to monitor the supplier throughout the lifecycle of the contract or real property agreement.
Integrity Database Services supports the Integrity Framework objectives by providing a consistent and reliable approach in verifying supplier information, to ensure that contracts are awarded to suppliers who abide by the law.
Scope of the privacy impact assessment
This privacy impact assessment is a revised version of the privacy impact assessment submitted to the Office of the Privacy Commissioner on May 29, 2012. The initial privacy impact assessment was submitted prior to the implementation of the Integrity Database Services. Although the business processes were well understood by the department, since the Integrity Database Services' inception, several changes have occurred while some work flows specified in the initial privacy impact assessment have been altered. Therefore, this privacy impact assessment aims to achieve the following goals:
- describe the processes with regards to the Integrity Database Services
- identify processes and activities that were never implemented or were altered
- identify changes to the Integrity Framework impacting the Integrity Database Services
|Initial privacy impact assessment||Description of changes|
|The program was initially identified as Integrity Assessment Program||The program is a service which will be referred to henceforth as the Integrity Database Services|
|The description and provisions of the Integrity Framework||The description of the Integrity Framework has been updated to reflect the following changes:
|Public Works and Government Services Canada may pay user fees for open source search engine services||Public Works and Government Services Canada will not be using open source search engine services. The only service for which the Departmental Oversight Branch pays are for court records from various court systems, and for corporate registry searches|
|The Integrity Assessment Program database may be populated with information obtained from media outlets or other less reliable open sources||The integrity database is and will only be populated with confirmed convictions from authentic sources. Media and other less reliable sources will not be utilized
The database has only ever stored data from such sources as:
|The Integrity Assessment Program will share a monthly report on the program's database to select individuals within Public Works and Government Services Canada||A monthly report was never created. There are no proactive disclosures of information|
|The sharing of conviction information will be provided to Public Works and Government Services Canada branches and other government department clients||The Integrity Database Services confirms a positive match for an offence; however, the sharing of conviction details is only provided to the client senior manager in circumstances in which the supplier disputes the existence of the conviction|
|The Integrity Assessment Program database was developed using Microsoft Access||A SQL database was created in fiscal year 2013 to 2014, which is more stable and secure. In the near future, it will also support a secure web portal allowing Integrity Database Services clients to submit requests and review results ("no match" or "match confirmed"). As with the current process by email, the results available through the web portal will be restricted to a whether a match resulted from a search of the database or not|
|The Integrity Assessment Program may share conviction information with the Industrial Security Sector to support re-assessments of company or individual security screening levels||The Integrity Database Services has not and will not share conviction information with the Industrial Security Sector to support assessments or individuals for security screening|
|Reference to the director general and director within the Departmental Oversight Branch responsible for the implementation and roll-out of the Integrity Framework, including their involvement in the Integrity Database Services was not originally included in the original submission||A director general and a director within the Departmental Oversight Branch provide oversight on Public Works and Government Services Canada's Integrity Framework Policy and any response to questions regarding the database verification and agreements with other government departments seeking services. In this role, the director general and director may have access to any of the information collected by the Integrity Database Services, but not the database itself|
Section II: Risk area identification and categorization
|Type of program or activity||Level of risk to privacy|
|Program or activity that does not involve a decision about an identifiable individual||1 (does not apply)|
|Administration of programs, activity and services||2 (applies)|
|Compliance or regulatory investigations and enforcement||3 (does not apply)|
|Criminal investigation and enforcement or national security||4 (does not apply)|
The Departmental Oversight Branch is responsible for providing the oversight required to ensure that the department's integrity and credibility are protected through effective management practices and sound stewardship of public funds. As part of that responsibility, employees of the branch will administer the Integrity Database Services to assist the other branches of the department in ensuring that departmental operations are being carried out with prudence, probity and transparency. The Integrity Database Services will also assist other government departments or agencies and crown corporations after entering into a memorandum of understanding (MOU).
|Type of personal information involved and context||Level of risk to privacy|
|Only personal information provided by the individual, at the time of collection, relating to an authorized program and collected directly from the individual or with the consent of the individual for this disclosure/with no contextual sensitivities||1 (does not apply)|
|Personal information provided by the individual with consent to also use personal information held by another source/with no contextual sensitivities after the time of collection||2 (does not apply)|
|Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual||3 (applies)|
|Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive||4 (does not apply)|
Public Works and Government Services Canada will store information in a database of individuals and companies convicted and absolutely or conditionally discharged of certain Canadian and foreign offences in the past 10 years which would render them ineligible to be awarded a procurement or real property transaction.
|Program or activity partners and private sector involvement||Level of risk to privacy|
|Within the institution||1 (applies)|
|With other federal institutions||2 (applies)|
|With other or a combination of federal, provincial and municipal government(s)||3 (applies)|
|Private sector organizations, international organizations or foreign governments||4 (applies)|
Information within Public Works and Government Services Canada is collected and is responsibly disseminated to internal clients to ensure the department is addressing its legislative mandated responsibility for ensuring integrity in procurement and real property transactions. Public Works and Government Services Canada will also disseminate limited verification results to other government departments with whom the Integrity Database Services has entered into a memorandum of understanding (MOU) to provide integrity verifications. Specifically, the Integrity Database Services collects data on a particular list of offences that would render a supplier ineligible from being awarded a contract or real property transaction. The Integrity database is populated from reliable, authentic and publicly available sources:
- Public Works and Government Services Canada will collect conviction information from other departments and agencies, such as tax evasion conviction information from Canada Revenue Agency, Competition Act convictions from the Competition Bureau, and conviction information from courts
- Public Works and Government Services Canada will also collect information from provincial and territorial government sources, such as conviction information from provincial and territorial courts
- Public Works and Government Services Canada will collect court conviction data from Canadian Legal Information Institute
- Public Works and Government Services Canada will not collect open source information from blogs, non-government website, or media outlets
- Public Works and Government Services Canada will verify conviction information with provincial, territorial, and federal courts, as well as with the RCMP
- Public Works and Government Services Canada's procurement and leasing officers submit requests to the Departmental Oversight Branch for a query of the Integrity database to determine if a conviction exists according to the related Public Works and Government Services Canada's offences. In response, the Departmental Oversight Branch provides a "no match" or "match confirmed" response. In the case of a match, the supplier is told that he or she (or the company) has a conviction for one of the offences. Details such as which offence and sentence information are not provided
If the company or individual disputes the presence of such a conviction, the Integrity Database Services will share the conviction specifics with a senior manager of the Public Works and Government Services Canada Branch or other government department so that the company and/or individual in question can be informed.
- Risk Level 1 is checked as information is provided to other branches of Public Works and Government Services Canada
- Risk Level 2 is checked as information is provided to other government departments with whom the Public Works and Government Services Canada has entered into a memorandum of understanding
- Risk Level 3 is checked because the database collects information from federal and provincial governments, such as court records
- Risk Level 4 is checked because the information may, in rare circumstances, be shared with the company or individual. However, as noted above details of the conviction are only provided when the company or individual has disputed the presence of the conviction
|Duration of the program or activity||Level of risk to privacy|
|One time program or activity||1 (does not apply)|
|Short-term program||2 (does not apply)|
|Long-term program||3 (applies)|
The Integrity Database Services is designed to assist in ensuring greater integrity in procurement and real property transactions.
|Program population||Level of risk to privacy|
|The program affects certain program participants (employees) for internal administrative purposes||1 (does not apply)|
|The program affects all employees for internal administrative purposes||2 (does not apply)|
|The program affects certain individuals for external administrative purposes||3 (applies)|
|The program affects all individuals for external administrative purposes||4 (does not apply)|
Any supplier bidding for or that has entered into a contract or real property transaction issued by Public Works and Government Services Canada for which the integrity provisions are included will be affected by this program. This includes members of the board of directors of the company, parents of the company, subsidiaries or other affiliates wherein direct or indirect control can be established. Similarity, this will also affect any suppliers bidding on contracts or real property transactions with any other government department or agency who has included the Integrity Framework into their procurement documentation and has entered into an agreement with the Integrity Database Services for verification services.
A "yes" response to any of the below indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.
|Technology and privacy||Level of risk to privacy: yes or no?|
|Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?||Yes|
|Does the new or modified program or activity require any modifications to information technology (IT) legacy systems and services?||No|
|Does the new or modified program or activity involve the implementation of one or more of the following technologies?||N/A|
Enhanced identification methods
Use of surveillance
Use of automated personal information analysis, personal information matching and knowledge discovery techniques
Currently, the Departmental Oversight Branch manually conducts verifications against the Integrity database; however, once the system is automated, the system will perform an electronic data match to determine if any offences stored in the database match an existing or potential supplier. If a match occurs with an individual, the database will notify requesting procurement or leasing officers of a match, which will prompt the collection of a consent form so that Public Works and Government Services Canada can validate the conviction with the RCMP. In validating the conviction, the RCMP may require fingerprints. Court documents from the court of conviction will be collected to assist in validating the accuracy of the match.
|Personal information transmission||Level of risk to privacy|
|The personal information is used within a closed system||1 (applies)|
|The personal information is used in system that has connections to at least one other system||2 (does not apply)|
|The personal information is transferred to a portable device or is printed||3 (does not apply)|
|The personal information is transmitted using wireless technologies||4 (does not apply)|
Conviction and absolute or conditional discharge information collected will be stored electronically in a database on the Public Works and Government Services Canada Protected B network (access is restricted to only those who require access). Information transmitted to or from other branches and other departments is currently conducted via email, however it will be performed through a secure web portal allowing branches and other government departments the ability to submit supplier information for a verification query and to view results. The results provided are limited to whether the supplier has been convicted or absolutely or conditionally discharged of any of the offences for which Public Works and Government Services Canada would preclude the awarding of a contract of real property transaction. If a match occurs, the individual will be asked to provide consent for a criminal records check with the RCMP. Initially, it will be a name based check; however, the RCMP may require fingerprints to validate the conviction or discharge.
|Risk impact to the individual or employee||Level of risk to privacy|
|Inconvenience||1 (does not apply)|
|Reputation harm or embarrassment||2 (applies)|
|Financial harm||3 (applies)|
|Physical harm||4 (does not apply)|
The types of personal information collected may cause embarrassment or financial harm to a company or an individual due to adverse information being collected on a company or individual which may result, if public, in a company's being denied a contract with private sector organizations. If personal information collected is released, this may cause reputation harm or embarrassment.
|Risk impact to the individual or employee||Level of risk to privacy|
|Managerial harm||1 (does not apply)|
|Organizational harm||2 (does not apply)|
|Financial harm||3 (applies)|
|Reputation harm, embarrassment or loss of credibility||4 (applies)|
Consequently, Public Works and Government Services Canada may experience financial impact if it denies or cancels existing contracts or real property agreements due to inaccurate information or alternative may have cause reputational harm to the government.
- Date modified: