Controlled Goods Program's Enhanced Security Strategy: Privacy impact assessment summary
Section I: Overview and privacy impact assessment initiation
Public Works and Government Services Canada
Government official responsible for the privacy impact assessment
Simona Wambera, Director, Controlled Goods Program
Delegate for section 10 of the Privacy Act
Rachelle Delage, A/Manager, Access to Information and Privacy
Name of program or activity of the government institution
Controlled Goods Program's Enhanced Security Strategy
Description of program or activity
Specialized programs and services
This program activity provides federal organizational with high quality, timely and accessible specialized services and programs to federal institutions in support of sound, prudent and ethical management and operations.
Industrial Security Program
This program sub-activity supports the government's obligations to protect sensitive and classified information entrusted to the private sector through government contracts awarded by Public Works and Government Services Canada and to safeguard controlled goods within Canada from unauthorized possession, examination or transfer. This program is the government's primary service provider for the delivery of contract security and controlled goods activities. It also supports Canada's economic growth by ensuring security in government contracts and enabling Canadian industry to access classified and sensitive domestic and international opportunities.
Description of the class of records associated with the program or activity
Description: Information on all persons registered or exempted from registration (such as visitors and temporary workers) examining, possessing or transferring controlled goods in Canada. Personal information may include: name, contact information, other identification number (such as the registration number); biographical information, date of birth, gender; information on criminal history, fingerprints provided by the Royal Canadian Mounted Police (RCMP); information on type of business; expiry date; and certification.
Document types: Agreement and exchanges (information between Public Works and Government Services Canada and other government agencies); registrations (also include renewals and amendments); security assessments or checks; application for exemption; and consent to use a Government of Canada security clearance.
Class of record number: Public Works and Government Services Canada Consulting, Information and Shared Services Branch 455
Note: A new class of record is pending review and approval (PWGSC CISSB 455).
Note: A class of record will be reviewed as the Industrial Security Sector was transferred from CISSB to the Departmental Oversight Branch effective August 15, 2011.
- Proposal for a new personal information bank (PIB)
- Proposal to modify an existing PIB: identify PIB registration number and current description
Amendments to PIB PWGSC particular bank–general public (PPU) 045 were recently approved by Treasury Board Secretariat and the following represents what is to appear in Info Source 2011:
Controlled Goods Program
Description: Under the authority of the Defence Production Act (DPA) and of the Controlled Goods Regulations (CGR), the program is mandated to conduct a security assessment, the extent to which the person poses a risk of transferring controlled goods to someone who is not registered or exempt.
This bank describes information on any persons, applying for registration, amendment or exemption, registered, exempt, denied, suspended or revoked, examining, possessing, or transferring controlled goods in Canada.
Personal information may include: name, contact information, telephone number; biographical information, biometric information (fingerprints), place and date of birth, citizenship, information on criminal history, education, travel, and current and former employment.
Class of individuals: Individuals conducting business in Canada as defined by s. 2 of the CGR, who apply for registration or submit exemption request to lawfully examine, possess or transfer controlled goods in Canada (s. 37 of the DPA). Individuals may include sole proprietors, part-owners, directors, officers, Designated Officials within companies as per CGR s. 10(d), as well as visitors, and temporary workers defined in s. 1 for exemption under s. 17.
Purpose: Prior to any examining, possessing, or transferring controlled goods in Canada, individuals must be assessed against security risks and be registered or exempted from registration per DPA and Controlled Goods Regulations (CGR).
Based on the personal information obtained from the applicant, an evaluation of the risk of transferring controlled goods by the applicant to someone who is not registered or exempt is made and registration or exemption is either granted or denied. The information is also reviewed on the basis of a security assessment to deny, suspend, amend or revoke existing registration or exemption. The name and contact information may be used or disclosed for corresponding with registrants or validation in a search capacity on the Controlled Goods program website.
Consistent uses: The Controlled Goods Program may share information with other federal institutions to assist in evaluating the risk of persons wishing to register in the program, transferring controlled goods to persons who are not registered or exempt. As the Department of National Defense has chief interest in the DPA, CGP may exchange personal information described in the related Department of National Defence (DND) PIB, DND Particular Banks (Employees) (PPE) 835.
For the purpose of verifying individuals and companies they represent possess the required import and export permits as well as authority identified on the Department of Foreign Affairs and International Trade (DFAIT) Export Control List used to determine the list of controlled goods, some data is shared with DFAIT.
For the purpose of validating and assessing the risk of illegal transfers of importers and exporters and to validate the risk of illegal transfer of controlled goods by foreign visitors and temporary workers, data may be exchanged with Canada Border Services Agency (CBSA) PIB CBSA PPU 016, Security Intelligence Analysis Division (SIAD) Reports are shared with the Canadian Security Intelligence Services in PIB Canadian Security Intelligence Service (CSIS) PPU 016.
For the purposes of s. 30 of the DPA, information may be shared with other government departments, or any person authorized by a government department, requiring the information for the discharge of the functions of that department.
For the purpose of conducting investigations under the DPA, or any other offences against a Canadian law that requires this information, CGP may share with the RCMP PPU 005 or National Defence, DND PPE 835.
Retention and Disposal Standards: Under development. Operational files are retained by Controlled Goods Directorate until an RDA is approved.
RDA Number: Under development.
Related to Program Number: PWGSC CISSB 455
TBS Registration: 005093
Bank Number: PWGSC PPU 045
Legal authority for program or activity
- Defence Production Act, sections 38 and 39.1
- Controlled Goods Regulations, sections 15, 18 and 19
Summary of the project, initiative or change
A threat assessment was performed on the Controlled Goods Program to determine the security gaps in the program in a post-9/11 environment. In addition, the Controlled Goods Directorate performed a risk assessment of the business processes and practices of the directorate. In total, these assessments provide overwhelming evidence that the directorate needs significant security enhancements to enhance the security posture of the program in a post-9/11 environment.
To support the recommendations of the threat assessment and address internal risks identified, the directorate developed the Enhanced Security Strategy to not only address the security gaps, but to streamline business processes and better educate registrants in doing their part to protect controlled goods.
In the end, these threat and risk assessments identified four key risk indicators wherein the directorate was lacking sufficient robust processes and procedures:
- criminal history
- travel (frequency and duration)
- significant and meaningful associations
The changes as a result of the Enhanced Security Strategy will require an enhanced security assessment procedure, which will include the following changes:
Criminal history check: The Controlled Goods Directorate will require all designated officials (DO) to be fingerprinted. The directorate prefers fingerprints for all employees but industry expressed concerns about the costs and administrative burden that would come from mandatory fingerprints. What the program desires most is unique identification, to ensure that all criminal history information is being taken into consideration during a security assessment. However, to quell the concerns from industry, the Enhanced Security Strategy will begin with a requirement that fingerprints are not mandatory as long as the DO takes mandatory steps to ensure unique identification. A criminal records name check will continue to be allowed as long as these identity verification steps are taken and that a check with the Canadian Police Information Centre (CPIC) is performed. The directorate will monitor this strategy in the coming months and years to determine its necessity to continue. It is possible that the directorate will require fingerprints from all individuals accessing controlled goods.
Credit checks: For cause, some individuals will be required to undergo a credit report to address honesty, reliability and other security risk indicators.
Risk assessment: DOs will be required to document a risk assessment level for each individual. Based on that risk assessment, individuals may be required to undergo additional checks to determine the risk they pose to the unauthorized transfer of controlled goods. These additional checks will be performed by directorate as they will require personal information to be shared to other government departments and agencies, which will use it to query particular intelligence and criminal databases. The risk assessment performed by directorate (on DOs, owners, authorized individuals, temporary workers and visitors) and DOs (on officers, directors and employees) must abide by the risk assessment guide (see Appendix D). All risk assessments will undergo a quality control review process by the directorate.
List of persons accessing controlled goods: All DOs will provide the directorate with limited personal information on all individuals allowed to have access to controlled goods.
Students: The directorate will be notifying registrants that students, both foreign and domestic, are to be security assessed in the same manner as employees (domestic students) and temporary workers (foreign students).
Amended security assessment application: To assist in performing a risk assessment, the directorate has amended its security assessment application to ensure that it is addressing all of the four risk indicators identified in the threat assessment and internal risk assessment. The amended security assessment application has been reviewed by Department of Justice's Information Law and Privacy (ILAP) lawyers.
In addition to enhancing the security assessment procedures used by the Controlled Goods Directorate and DOs, the directorate will be augmenting the services provided to its registrants by creating a program management and learning unit. This unit will create internal and external curriculum to ensure that both the directorate and the DOs are performing their duties as required. Moreover, this unit will stress the need for individual privacy, including the DOs obligation to safeguard the personal information of their employees.
When the DO or a Controlled Goods Directorate analyst determines an individual's risk of unauthorized transfer of controlled goods exceeds a risk threshold (provided by the directorate), a quality assurance process will be mandatory before any additional checks are performed. If the quality control process determines that the risk assessment was correct, for all Level 3 and some Level 2 risk assessments, the directorate will send personal information to the Canadian Security Intelligence Service (CSIS) and the RCMP for checks with their intelligence databases. The query results will be analyzed by Controlled Goods Directorate analysts. The response from the directorate will not include the further disclosure of information maintained by CSIS or the RCMP, but a confirmation or denial of the risk assessment initially made by the DO. It is the DO's responsibility, as outlined in the Controlled Goods Regulations, to make the final determination as to whether the individual poses a high risk of unauthorized transfer of controlled goods.
The queries to the RCMP and CSIS are governed by memoranda of understandings (MOU). For the RCMP, the MOU will become effective on April 1, 2012, while a letter of interest (LOI) has been signed that will govern the information sharing from October 1, 2011, through March 31, 2012.
The directorate has the authority under the regulations and the Defence Production Act to suspend, deny or revoke the registration of a company. If a DO were to permit a high risk individual access to controlled goods, the directorate may utilize this authority to restrict the company's access to controlled goods.
The Enhanced Security Strategy not only addresses the threats and risks identified, but it also allows Canadian industry to remain compliant with the United States International Trafficking in Arms Regulations (ITAR). The ramifications of the Enhanced Security Strategy to the United States ITAR is explained in detail in Appendix A.
Section II: Risk area identification and categorization
Type of program or activity
Level of risk to privacy
|Program or activity that does not involve a decision about an identifiable individual||1 (does not apply)|
|Administration of programs or activity and services||2 (applies)|
|Compliance or regulatory investigations and enforcement||3 (applies)|
|Criminal investigation and enforcement or national security||4 (does not apply)|
The decisions made by the Controlled Goods Directorate in reference to designated officials (DO), owners (20% or more voting shares), authorized individuals, visitors and temporary workers (which includes foreign students) are a "determination". The directorate will collect all information, including intelligence database information from the RCMP and CSIS, and make a determination that these individuals are not permitted access to controlled goods or the company is not permitted to be registered in the program. However, the directorate cannot issue a "determination" on employees that are security assessed by the DO. The Controlled Goods Regulations are not worded in such a fashion that provides the directorate with the authority to make a determination. Therefore, the directorate's response to a DO's high risk referral will either affirm the DO's risk assessment, or state that the directorate's analysis contradicts the DO's risk assessment.
The directorate can deny, suspend or revoke a company's registration in the program if the risk associated with a particular individual being allowed access to controlled goods is permitted.
The directorate has the authority to refer cases to the RCMP for investigation and potential prosecution, but it most often relates to companies (or sole proprietors) who appear to be in violation of section 37 of the Defence Production Act by possessing, examining or transferring controlled goods to a person who is not registered in the Controlled Goods Program. However, for the purposes of the amended security assessment application it will likely never result in a referral to the RCMP for investigation or prosecution of the individual. The end result is a determination to deny registration in the program, a determination to not allow access to controlled goods, or an affirmation or contradiction to the DO regarding the risk assessment of a particular employee's access to controlled goods. There does not appear to be a scenario wherein the directorate would foresee a security assessment resulting in referral to the RCMP for investigation or prosecution purposes.
|Type of personal information involved and context||Level of risk to privacy|
|Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program||1 (does not apply)|
|Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source||2 (does not apply)|
|Social insurance number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual||3 (does not apply)|
|Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples or the context surrounding the personal information is particularly sensitive||4 (applies)|
In addition to collecting criminal history information and intelligence information from the RCMP and CSIS, the amended security assessment application contains personal information that is directly linked to the four key risk indicators that have been developed after the threat assessment and internal risk assessment. The amended security assessment application contains information on the individual's demographics, travel history, financial status, criminal history, residential and employment history, and personal references that are called to assess the veracity of the individual's statements and assist in assessing for the risk of unauthorized transfer of controlled goods. The amended security assessment application also includes a risk statement section (Part N), which includes a number of personal risk statements to which the individual will respond "Yes" or "No". For some "Yes" answers, details are required. Part N may result in a great deal of personal information that could be considered very sensitive. Moreover, information obtained from the RCMP and CSIS may be very sensitive regarding allegations or suspicions. For these reasons, the risk is 4.
|Program or activity partners and private sector involvement||Level of risk to privacy|
|Within the institution (amongst one or more programs within the same institution)||1 (does not apply)|
|With other federal institutions||2 (does not apply)|
|With other or a combination of federal, provincial or municipal government(s)||3 (applies)|
|Private sector organizations or international organizations or foreign governments||4 (applies)|
To determine an individual's risk of unauthorized transfer of controlled goods and potential ties to organized crime, terrorist organizations or similar concerns, queries of some individuals will be performed with the RCMP and CSIS. As the Enhanced Security Strategy continues to develop, the Controlled Goods Directorate may enter into other memoranda of understanding with other government departments if it is determined that information held by that other government departments will assist the directorate in providing a more thorough assessment of an individual's risk of unauthorized transfer of controlled goods.
In addition, designated officials (DO) are responsible for the initial risk assessment of their employees. For all level 2 risks (Moderate), the DO must make a determination based on the information provided if additional checks are required. A guideline is provided. While some level 2 risks may warrant additional checks, others may not. Assigning a definitive guideline to fit all employees is not practical and would result in unwarranted checks or a failure to obtain checks on individuals who should have additional checks performed. Therefore, the directorate has determined that allowing the designated official with the responsibility to provide an objective assessment of information on all level 2 risks was appropriate, as long as there was justification to support the DO's decision to not divert the individuals for additional checks, as well as justification to support why the DO decided to divert files to the directorate for additional checks. These justifications are required to be recorded in the security assessment file. The directorate will perform quality assurance on all files sent to the directorate for additional checks to determine if an appropriate assessment was made by the DO. Likewise, Controlled Goods Directorate inspectors will perform checks on level 2 security assessments wherein the DO decided not to divert the file to the directorate for additional checks.
In some cases, the DO will have to obtain a credit report which may require personal information to be shared with a credit bureau agency.
The DO may use the services of a third-party service provider in submitting fingerprints or criminal records name check requests to the RCMP for a criminal records check.
Information may also be obtained from the United States Directorate of Defense Trade Controls (DDTC); however, this information will likely be limited to times when the directorate has reason to believe that an individual or company have violated the Controlled Goods Regulations, Defence Production Act or other acts of Parliament.
Because the DO has these responsibilities, the risk is determined as 4.
|Duration of the program or activity||Level of risk to privacy|
|One time program or activity||1 (does not apply)|
|Short-term program||2 (does not apply)|
|Long-term program||3 (applies)|
The Enhanced Security Strategy is designed to address security gaps that are present within the Contract Goods Program; therefore, once it begins in October, 2011, it is considered to be a permanent solution. However, the Controlled Goods Directorate has informed industry and government stakeholders that during the three-year phased-in rollout of the Enhanced Security Strategy, various aspects of the strategy may change based on such factors as impact on industry, security gaps not appropriately addressed and the need to streamline Enhanced Security Strategy processes or procedures. If any of these modifications are deemed to be significant, an amendment to this privacy impact assessment will be authored. One aspect that is being assessed for change over the initial stages of the Enhanced Security Strategy is the continued use of the criminal records name check versus mandatory fingerprints. The directorate will assess the success of that strategy to determine if mandatory fingerprints are necessary for all individuals accessing controlled goods.
|Program population||Level of risk to privacy|
|The program affects certain employees for internal administrative purposes.||1 (does not apply)|
|The program affects all employees for internal administrative purposes.||2 (does not apply)|
|The program affects certain individuals for external administrative purposes.||3 (applies)|
|The program affects all individuals for external administrative purposes.||4 (does not apply)|
Any company (including sole proprietors) desiring registration in the program and employees of applying or registered companies must be security assessed before they are permitted access to controlled goods. The decisions made by the Controlled Goods Directorate and designated officials (DO) are restricted to those individuals who require access and consent to a security assessment, as required by the Controlled Goods Regulations.
|Technology and privacy||Yes or no?|
|1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?||No|
|2. Does the new or modified program or activity require any modifications to information technology (IT) legacy systems or services?||No|
|3. Does the new or modified program or activity involve the implementation of one or more of the following technologies:||N/A|
|3.1 Enhanced identification methods
|3.2 Use of surveillance:
|3.3 Use of automated personal information analysis, personal information matching and knowledge discovery techniques:
Designated officials (DO) will perform personal information matching if they employ the use of criminal records name check to determine employees' criminal history. If an individual is determined to require additional checks with the RCMP or CSIS (high risk), their personal information will be provided to these entities so that a query can be performed in their intelligence databases. Both the RCMP and CSIS will ensure that the accuracy of the information is verified before any results are provided to the Controlled Goods Directorate. If the accuracy of the information is called into question, these entities will either withhold the information or will provide the caveat that they are unsure if the results are accurate
The directorate will collect copies of fingerprints from individuals (through the DO) and collect fingerprints results from the RCMP. All fingerprint queries, and criminal records name check checks are the responsibility of the DO. The directorate will not submit fingerprints or names to the RCMP unless it has determined that a criminal history report (CPIC result) appears to be a forged document or has been tampered with
A "yes" response to any of the above indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.
|Personal information transmission||Level of risk to privacy|
|The personal information is used within a closed system||1 (does not apply)|
|The personal information is used in system that has connections to at least one other system||2 (applies)|
|The personal information is transferred to a portable device or is printed||3 (does not apply)|
|The personal information is transmitted using wireless technologies||4 (does not apply)|
Information on the amended security assessment application is submitted by industry to the Controlled Goods Directorate via mail or fax. If any personal information matching is performed with the RCMP it is done via encryption methods that meet RCMP standards for the electronic transmission of Protected B information. If for some reason, the information the RCMP would provide is Secret information, the directorate would obtain the information personally from the RCMP.
The Enhanced Security Strategy also calls for a new database and portal that will allow for the transmission of the information to be done electronically. However, a new information management system is only in the early planning stages.
Information from CSIS will either be performed in-person or through the use of government approved electronic transmission protocol that is designed to handle Secret and Top secret information. Currently, the directorate is not equipped with this system but is seeking funding for its construction and implementation. In the interim, one of two solutions will be instituted:
- Public Works and Government Services Canada Corporate Security maintains the appropriate system and often accepts transmissions on behalf of the directorate. It is possible that a Controlled Goods Directorate employee could be assigned to Place du Portage to address these transmissions
- In-person transfer of requests and responses
|Risk impact to the individual or employee||Level of risk to privacy|
|Inconvenience||1 (does not apply)|
|Reputation harm, embarrassment||2 (applies)|
|Financial harm||3 (does not apply)|
|Physical harm||4 (does not apply)|
The types of personal information collected may cause embarrassment to an individual as his or her employer will be privy to the personal information collected on the amended security assessment application. While it is possible that an individual could lose his or her job if adverse information is obtained, the Controlled Goods Program is designed through the Defence Production Act and Controlled Goods Regulations to restrict access to controlled goods. If an employer chooses to terminate an employee as a result of a security assessment, it is not mandated through a Controlled Goods Directorate response to high risk checks or a determination. The directorate response to high risk checks is limited to access to controlled goods; not to whether the individual should remain an employee or be terminated.
|Risk impact to the institution||Level of risk to privacy|
|Managerial harm||1 (applies)|
|Organizational harm||2 (does not apply)|
|Financial harm||3 (does not apply)|
|Reputation harm, embarrassment, loss of credibility||4 (does not apply)|
The Controlled Goods Directorate is moving to a more security robust program. Internal processes and procedures must be changed, but the overall view of the program by industry and the government's security and intelligence community will be an increase in confidence.
- Date modified: