August 2015
In keeping with Industry Canada (IC) project management requirements, the Canadian Intellectual Property Office (CIPO) analyzed and identified a requirement to conduct a Privacy Impact Assessment (PIA) for the CDAS project and began this assessment in January 2015. Following internal consultations and analysis, the completed CDAS PIA was submitted to the Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC) in July 2015.
On , CIPO implemented CDAS. The purpose of CDAS was to make additional information about patent applications and granted patents available online through the Canadian Patent Database (CPD) and the World Intellectual Property Office's (WIPO) Centralized Access to Search and Examination (CASE) system. The Patent Office implemented these changes in order to provide the public with equitable access to CIPO's information resources and to enable work sharing between intellectual property offices internationally.
With the implementation of CDAS in June, the following changes came into effect:
- In addition to the existing patent application and granted patent information previously online, patent prosecution information (with some exceptions) is now also available for viewing in the CPD.
- Patent application, patent examination related documents, and patent information is now exported to WIPO's CASE system in addition bibliographic information that was previously exported.
Risk Area Identification and Categorization
- Type of program or activity
- Type of personal information involved and context
- Program or activity partners and private sector involvement
- Duration of the program or activity
- Program population
- Technology and privacy
- Personal information Transmission
- Risk and Impact of a Privacy Breach on Individuals or Employees
| Area of Risk | Risk Scale |
|---|---|
| A. Type of program or activity | |
| – Program or activity that does not involve a decision about an identifiable individual | 1 |
| – Administration of program or activity and services | 2 |
| – Compliance or regulatory investigations and enforcement | 3 |
| – Criminal investigation and enforcement or national security | 4 |
| CIPO Response | |
The CDAS Project supports the administration of CIPO's Patent Program by laying open for public inspection Patent Application, Patent Prosecution and Patent Case file records in accordance with section 10 of the Patent Act, which states:
Since it was established, the Patent Program has made the entire Patent Application, Patent Prosecution and Patent Case file records available to program participants and the public by allowing individuals to request and inspect records onsite at the office's location in the National Capital Region. The creation and launch of the CPD in 1996 has enabled the Patent Program to share Patent Application Case file records (i.e. cover page, abstract, claims, description, drawings, representative drawings) online and make them accessible to the program participants and the public regardless of geographic location. Following the implementation of the CDAS project, the Patent Program will expand the amount of Patent Application, Patent Prosecution and Patent Case file records that it shares with program participants and the public and will export additional Patent Application, Patent Examination Related case file and Patent Case file records to the WIPO CASE system. | 2 |
| Area of Risk | Risk Scale |
|---|---|
| B. Type of personal information involved and context | |
| – Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 |
| – Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 |
| – Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 |
| – Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 |
| CIPO Response | |
The records that are found in Patent Application, Patent Prosecution and Patent Case file are created by the Patent Program over the course of administering applications for patents and granted patents. In support of these administrative processes, the Patent Program collects personal information directly from program participants who have been defined as:
The Patent Program's authority for collection and use of this information is established by sections 49 and 50 of the Patent Act and is further prescribed by sections 27.1, 37 and 42 of the Patent Rules and, in the case of patent applications that are submitted under the Patent Cooperation Treaty (PCT), article 4 of the PCT and rule 4 of the PCT Regulations. It should be noted that the Patent Program actively collects only a limited amount of personal information for the purpose of administering patent applications and granted patents. In addition to this, the Patent Program also receives a variety of records that program participants submit at their own discretion. These records may contain personal or sensitive information that is not explicitly requested by the Patent Program, but is added to the Patent Application, Patent Prosecution and Patent Case file in accordance with the patent regulations cited above. In order to reduce the risk and impact of a privacy breach on program participants, assignment typed records, which may include documents that contain sensitive personal information, have been excluded from the scope of the CDAS project and will therefore not be disseminated online. | 1 |
| Area of Risk | Risk Scale |
|---|---|
| C. Program or activity partners and private sector involvement | |
| – Within the institution (among one or more programs within the same institution) | 1 |
| – With other government institutions | 2 |
| – With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 |
| – Private sector organizations, international organizations or foreign governments | 4 |
| CIPO Response | |
The design and implementation of the CDAS Project is being carried out by CIPO with assistance from the Industry Canada's information technology sector, the Chief Information Office (CIO). | 1 |
| Area of Risk | Risk Scale |
|---|---|
| D. Duration of the program or activity | |
| – One-time program or activity | 1 |
| – Short-term program or activity | 2 |
| – Long-term program or activity | 3 |
| CIPO Response | |
The Patent Program has a long-term mandate to make Patent Application, Patent Prosecution and Patent Case file records available for public inspection in accordance with section 10 the Patent Act. Therefore, while the CDAS Project itself will have a definite end date, the outcome of the project, which is the dissemination of additional Patent Prosecution and Patent Case file records on the internet via the CPD and, the export of additional Patent Application, Patent Examination Related case file and Patent Case file records to WIPO, will be long-term. | 3 |
| Area of Risk | Risk Scale |
|---|---|
| E. Program population | |
| – The program's use of personal information for internal administrative purposes affects certain employees. | 1 |
| – The program's use of personal information for internal administrative purposes affects all employees. | 2 |
| – The program's use of personal information for external administrative purposes affects certain individuals. | 3 |
| – The program's use of personal information for external administrative purposes affects all individuals. | 4 |
| CIPO Response | |
The Patent Program collects information for external administrative purposes, i.e. the examination of patent applications and the granting and maintenance of patents, which affects program participants, namely:
| 3 |
| Area of Risk | Risk Scale |
|---|---|
| F. Technology and privacy | N/A |
| CIPO Response | |
Question: Answer: Explanation: Question: Answer: Explanation: The addition of Patent Prosecution and Patent Case file records to the CPD is possible as a result of modifications to the TechSource system, the Patent Program's internal system for administering patent applications and patents. Screens are being added to TechSource so that additional metadata can be assigned to Patent Application and Patent Case file records to ensure that these records are accurately identified in TechSource. Specific technological issues and privacyQuestion:
Answer: | |
| Area of Risk | Risk Scale |
|---|---|
| G. Personal information Transmission | |
| – The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 |
| – The personal information is used in a system that has connections to at least one other system. | 2 |
| – The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 |
| – The personal information is transmitted using wireless technologies. | 4 |
| CIPO Response | |
The CPD is an online database and is therefore connected to the internet. TechSource, the system from which Patent Application, Patent Prosecution and Patent Case file records are downloaded to the CPD sits on a secure mainframe and has no direct connections to the CPD. The same applies for the Patent Application, Patent Examination Related case file and Patent Case file records that are exported to the WIPO CASE system; no direct connection between TechSource and the WIPO CASE systems is made. | 2 |
| Area of Risk | Risk Scale |
|---|---|
| H. Risk and Impact of a Privacy Breach on Individuals or Employees | N/A |
| CIPO Response | |
Question: Answer: Very Low Treasury Board Secretariat (TBS) defines a privacy breach as the:
The Patent Program has taken several precautions to reduce the risk and impact of a privacy breach on program participants that could occur as a result of implementing the CDAS project. These precautions include:
Assignment records relate to the ownership of a patent application or patent. In order for an assignment to be registered, program participants are required to submit documents to the Patent Program as proof that there has been a transaction regarding the ownership of the patent application or patent. As section 50(3) of the Patent Act states: " CIPO will also develop a policy and process to remove sensitive personal information from the CPD and communicate it to the program participants, where it may inadvertently been published. CIPO collects financial information, such as deposit account numbers and credit card numbers which are submitted from program participants in order to administer patent applications and patents. More than 85% of program participants use a payment form to submit this information. These payment forms are not loaded into the Patent Program's systems; rather they are entered in CIPO financial systems (FITT/IFMS) and are stored in paper in a locked vault at CIPO. When these forms are not used by program participants, credit card numbers are redacted from the incoming pieces of correspondence and therefore the numbers cannot be read; deposit account numbers are unique CIPO internal numbers and are not manually redacted. These numbers can only be used internally by authorized and registered payers who have received usernames and passwords allowing them to use these numbers to pay fees. Without proper credentials, a deposit account number won't work. | |