Identity and Credential Management Solutions at ISED

PIA Overview

Project Title
Identity and Credential Management Solutions at Innovation, Science and Economic Development Canada (ISED).

Implementation Date
January, 2023. The purpose of this PIA is to formalize privacy analysis around multiple identity management solutions presently in use at ISED across multiple program areas, and support a new Personal Information Bank (PIB) in respect of all of these solutions, collectively. See additional information under Project Description.

Lead and Other Government Institutions
This is not a multi-institutional PIA. The lead Government of Canada institution is ISED. Other federal institutions provide services to ISED for some of the identity management services detailed in this PIA, but are not partners or signatories.

Sponsoring and Recommending Senior Officials
Kathleen Fraser
Director – Strategy, Policy and Data Governance Directorate
Digital Transformation Service Sector
235 Queen St.
OTTAWA ON K1A 0H5

(613) 301-6716
kathleen.fraser@ised-isde.gc.ca

and

Barry Antle
Director, Business Lines Solutions
Digital Transformation Service Sector
235 Queen St.
OTTAWA ON K1A 0H5

(343)-291-1778
barry.antle@ised-isde.gc.ca

Approving Senior Official
(and Delegated Official for Section 10 of the Privacy Act)

Chris Parsons
Director, ATIP Services
235 Queen St., 2nd Floor – West Tower
OTTAWA ON K1A 0H5

(613)-462-3160
chris.parsons@ised-isde.gc.ca

Project Officer for Privacy Analysis
Vance W. Collier
Sr. Advisor, ATIP Services
235 Queen St., 2nd Floor – West Tower
OTTAWA ON K1A 0H5

(343) 550-4660
vance.collier@ised-isde.gc.ca

Legal Authorities
The legal authority that permits any and all identity management solutions for ISED programs is found in the following subsections of Part I of the Department of Industry Act:

  • 4 (1) Powers, Duties and Functions;
  • 4 (2) Additional Powers, Duties and Functions;
  • 5 Objectives;
  • 6 Functions; and
  • 7 Inspection Services

Personal Information Bank (PIB) Relating to This Activity
A new PIB to support Identity and Credential Management Solutions at ISED is being submitted with this PIA for TBS approval, titled:

  • ISED PPU 501 – Identity and Credential Management

Project Description
Identity fraud is one of the biggest risks to the secure operation of online business processes offered by the Government of Canada. To counter it, ISED has implemented multiple identity management and credential solutions for individuals accessing its programs and services as the representatives of their respective businesses and organizations.

All of the solutions covered by this PIA are either presently deployed at ISED, or are about to be deployed. They ensure that:

  • government services are delivered to the correct person and/or business;
  • the correct individual has access to government information, programs, benefits and services; and
  • the risk of identity fraud is reduced.

The use of these solutions allows ISED to positively identify individuals wishing to conduct business with ISED operating programs (on behalf of themselves or their respective businesses and organizations), and to issue digital credentials to those individuals to permit them to interact with the department (file applications, provide documents, information or regulatory filings, or conduct other business transactions) over the internet portals ISED has established for each of its programs.

The identity and credential management solutions in use at ISED all relate to one or more operating programs of the department and do not represent new collections of personal information, unless expressly noted in this PIA.
Some of these operating programs have existing PIAs, which will be targeted for future updates, to align them with the results of this PIA and to reflect the new PIB for Identity and Credential Management Solutions.

Many of the solutions documented under this PIA are intended to be widely deployed by ISED and the Government of Canada at large. This PIA and correlating PIB are intended to be effective until the Treasury Board of Canada Secretariat (TBS) establishes a new, government-wide, standard PIB for identity and credential management over the next several years.

The following solutions are covered by this PIA (to be expanded as additional solutions are deployed):

  1. Canada Post Validation Service:

    This service allows individuals wishing to do business with ISED to positively identify themselves to an employee at a Canada Post Corporation outlet. Upon identification to a Canada Post Corporation employee, Canada Post issues digital tokens to ISED, which provide assurance to ISED that the individuals wishing to conduct business with the department have been positively identified.

  2. Interac Identity Validation Services (Financial Institutions):

    This service allows individuals wishing to do business with ISED to positively identify themselves through their financial institution, via Interac Canada technology. Upon positive identification with individuals’ financial institutions, Interac Canada issues digital tokens to ISED, which provide assurance to ISED that the individuals wishing to conduct business with the department have been positively identified.

  3. Interac Identity Validation Services (Document Validation Service):

    This service allows individuals wishing to do business with ISED to submit identity-bearing documents and web cam photographs of themselves to Interac Canada, which uses digital technology to validate the individuals’ identities. Upon successful validation of identity, Interac Canada issues digital tokens to ISED, which provide assurance to ISED that the individuals wishing to conduct business with the department have been positively identified.

  4. Fraud Detection Service:

    [REDACTED] – Pursuant to paragraph 16(2)(c) [Security] of the Access to Information Act.

  5. Simplified Credential for the Canada Digital Adoption Program (an interim solution, pending implementation of the government-wide solution, Sign-in Canada, presently under development by Shared Services Canada):

    This service allows individuals to provide personal information in order to be provided with digital credentials to be used to conduct business with the Canada Digital Adoption Program.

The aforementioned solutions are further detailed, on an individual basis, under Section IV (Flow of Information) of the PIA document.

Section II – Risk Identification and Categorization

Core PIAs must include a completed risk identification and categorization section as outlined under this section. To have consistent risk categories and risk measurement across Government of Canada institutions, standardized risk areas (itemized below) and a common risk scale are prescribed by TBS and used as the basis for risk analysis.

The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the given risk area; the fourth level (4) represents the highest level of potential risk.

A) Type of Program or Activity

  • Risk level 1: Program or activity that does not involve a decision about an identifiable individual
  • Risk level 2: Administration of a program or activity and its services
  • Risk level 3: Compliance or regulatory investigations and enforcement
  • Risk level 4: Criminal investigation and enforcement or national security

Program Area Comments:

The solutions covered by this PIA are for the purposes of:

  • Confirming the identity of an individual wishing to conduct business with one or more of ISED’s operating programs;
  • Issuing credentials that allow individuals to conduct business with ISED electronically; and
  • [REDACTED] – Pursuant to paragraph 16(2)(c) [Security] of the Access to Information Act.

Risk level 2 applies to all five of the solutions covered by this PIA.

The particulars of all five solutions are further detailed, individually, under Section IV (Flow of Information) of the PIA.

B) Type of Personal Information Involved and Context

  • Risk level 1: Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
  • Risk level 2: Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
  • Risk level 3: Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
  • Risk level 4: Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive.

Program Area Comments:

For the Canada Post Validation Service, and the two Interac Identity Validation Services, risk level 2 applies, in that individuals will provide a minimal set of personal information elements for validation to a third party (Canada Post or Interac Canada) and the third party will respond in the affirmative or the negative as to the identity of the relevant individual, and provide additional, incidental personal information.

For the Simplified Credential for the CDAP, risk level 1 applies, as ISED will only collect and store an individual’s email address, along with the individual’s chosen password, both of which comprise the CDAP user account credential.

However, for the Fraud Detection Service solution, risk level 3 applies. [REDACTED] – Pursuant to paragraph 16(2)(c) [Security] of the Access to Information Act.

C) Program or Activity Partners and Private Sector Involvement

  • Risk level 1: Within the institution (among one or more programs within the same institution)
  • Risk level 2: With other government institutions
  • Risk level 3: With other institutions or a combination of federal, provincial or territorial, and municipal governments
  • Risk level 4: Private sector organizations, international organizations or foreign governments

Program Area Comments:

For the Simplified Credential for the CDAP solution, risk level 1 applies, as all information collected will be retained and used solely by ISED.

For the Canada Post Validation Service solution, risk level 2 applies, as ISED will exchange personal information with Canada Post Corporation, a federal crown corporation.

For the two Interac Identity Validation Services and the Fraud Detection Service solutions, risk level 4 applies, as ISED will exchange personal information with private sector organizations.

D) Duration of the Program or Activity

  • Risk level 1: One-time program or activity
  • Risk level 2: Short-term program or activity
  • Risk level 3: Long-term program or activity

Program Area Comments:

All five solutions covered by this PIA represent long-term solutions. Therefore, risk level 3 applies to all.

E) Program Population

  • Risk level 1: The program's use of personal information for internal administrative purposes affects certain employees or individuals.
  • Risk level 2: The program's use of personal information for internal administrative purposes affects all employees and individuals.
  • Risk level 3: The program's use of personal information for external administrative purposes affects certain employees or individuals.
  • Risk level 4: The program's use of personal information for external administrative purposes affects all employees and individuals.

Program Area Comments:

For all five solutions covered by this PIA, the use of the personal information collected is solely for internal administrative purposes (assuring identity and issuing credentials for ISED operating programs). In all cases, the use of the information only affects the employees working in the relevant ISED program areas and the relevant individuals wishing to conduct business with those programs. Therefore, for all solutions, risk level 1 applies.

F) Technology and Privacy

NOTE: A yes response to any of the following three questions indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

Response: Yes

Program Area Comments (optional):

All five solutions covered by this PIA require the use of new or modified web-based solutions for operation; however, all will use web technology and be powered by the ISED intranet, which is compliant with all Government of Canada IT Security requirements.

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

Response: No

Program Area Comments (optional):

There is no impact to any existing legacy systems in respect of the five solutions covered by this PIA.

Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities: enhanced identification methods; surveillance; or automated personal information analysis, personal information matching and knowledge discovery techniques?

Response: Yes

Program Area Comments (optional):

The Simplified Credential for the CDAP solution does not involve any of the aforementioned technologies or activities. The remaining four solutions covered by this PIA all include some degree of the aforementioned technologies or activities, as follows:

Canada Post Validation Service and Interac Identity Validation Services (Financial Institutions) solutions:

  • Enhanced identification methods and personal information matching.

Interac Identity Validation Services (Document Validation Service) solution:

  • Enhanced identification methods, automated personal information analysis and personal information matching.

Fraud Detection Service solution:

  • [REDACTED] – Pursuant to paragraph 16(2)(c) [Security] of the Access to Information Act.

G) Personal Information Transmission

  • Risk level 1: The personal information is used within a closed system (i.e., no connections to the internet, intranet or any other system and the circulation of hardcopy documents is controlled).
  • Risk level 2: The personal information is used in a system that has connections to at least one other system.
  • Risk level 3: The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed.
  • Risk level 4: The personal information is transmitted using wireless technologies.

Program Area Comments:

For all five solutions covered by this PIA, risk ranking 2 applies, as all solutions are connected to the internet and to the respective third party’s own system (such as in the cases of the Canada Post, Interac and Fraud Detection Service solutions).

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

Program Area Comments:

An inadvertent breach of personal information has the potential to cause negative consequences and some harm to the individual to whom the information pertains, subject to the nature of the information that is breached. The harm ranges from a simple revelation of identity in the context of doing business with ISED (such as for the Canada Post Validation Service solution and the Interac Identity Validation Services – Financial Institutions) to a breach of other identity demographics, depending on the type of identity document an individual chooses to use (such as for the Interac Identity Validation Services – Document Validation Service).

The risk of harm increases for breaches involving the other solutions. For example, a breach involving the Simplified Credential for the CDAP could give control to a malicious actor to file erroneous or fraudulent information on behalf of a business or organization, while a breach involving the Fraud Detection Service solution could [REDACTED] – Pursuant to paragraph 16(2)(c) [Security] of the Access to Information Act.

Any breach of personal information could lend itself to psychological harm in the form of embarrassment, or to attempted identity theft.

However, all of the solutions covered by this PIA are approved for Government of Canada use and, as such, are required to meet all relevant Government of Canada IT security policies. Therefore, the risk of a privacy breach occurring exists only insofar as an ISED employee would cause it, due to negligence or impropriety, and is considered to be low.