Section I – PIA Overview
Project Title
ISED Program Participation.
Implementation Date
For multiple ISED programs already in operation, and those to be established in the future.
Lead and Other Government Institutions
The lead Government of Canada institution is the Department of Innovation, Science and Economic Development.
Sponsoring Senior Official
(and Delegated Official for Section 10 of the Privacy Act)
Chris Parsons
Director, ATIP Services
235 Queen St., 2nd Floor – West Tower
OTTAWA ON K1A 0H5
(613)-462-3160
chris.parsons@ised-isde.gc.ca
Project Officer
Vance W. Collier
Sr. Advisor, ATIP Services
235 Queen St., 2nd Floor – West Tower
OTTAWA ON K1A 0H5
(343) 550-4660
vance.collier@ised-isde.gc.ca
Legal Authorities
The core legal authority that permit personal information to be collected and used for ISED operating programs is the Department of Industry Act.
Some 60 other acts of Parliament, administered by ISED may also support the collection and use of personal information in relation to a relative program.
Personal Information Bank (PIB) Relating to This Activity
The following new PIB is being submitted to the TBS for approval and registration in conjunction with this PIA:
- ISED PPU 999 ISED Program Participation
Project Description
The sole purpose of this PIA is to support a new PIB for multiple ISED operating programs and services; specifically:
- Where the collection and use of personal information is limited solely to the professional title, role, contact information, and in some situations, information to support gender-based analytics, of individuals who complete applications for funding (or other documentation) for ISED programs and services as the financial, legal or other business representatives of public sector companies and organizations where no other PIAs or PIBs support the collection and use of the personal information; and
- To support ISED’s “Tell-Us-Once” initiative, where individuals representing private sector businesses and organizations provide consent for their contact information to be shared with other operating programs and services across ISED, with other Government of Canada institutions, or within other levels of government, where such programs or services may be beneficial to, or of interest to the entities they represent.
ISED programs and services that have unique PIAs and PIBs are not covered by the collection and use of personal information detailed under this PIA.
Section II – Risk Identification and Categorization
Core PIAs must include a completed risk identification and categorization section as outlined under this section. To have consistent risk categories and risk measurement across Government of Canada institutions, standardized risk categories (itemized below) and a common risk scale are prescribed by TBS and used as the basis for risk analysis.
The numbered risk scale is presented in an ascending order: The first level (1) represents the lowest level of potential risk for the given risk area; the fourth level (4) [or third, where the fourth is not present] represents the highest level of potential risk. Some risk categories are may be ranked with a “yes” or “no” or a “low”, “medium” or “high” identifier.
| A) Type of Program or Activity | Risk Level |
|---|---|
|
Program or activity that does not involve a decision about an identifiable individual |
1 |
|
Administration of a program or activity and its services |
2 |
|
Compliance or regulatory investigations and enforcement |
3 |
|
Criminal investigation and enforcement or national security |
4 |
|
Program Area Comments: Personal information is limited solely to the professional title, role, contact information, and in some cases, information to support gender-based analytics, of identifiable individuals who completed documentation on behalf of the private sector companies and organizations they represent. Any ensuing decisions are therefore solely in respect of the relative business or organization, and not of the individuals who file documentation on their behalf. |
|
| B) Type of Personal Information Involved and Context | Risk Level |
|---|---|
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 |
|
Program Area Comments: Personal information is limited solely to the professional title, role, and contact information of identifiable individuals who completed documentation on behalf of the private sector companies and organizations they represent. Individuals who act as representatives for businesses and organizations may be asked to provide personal information that would be used to report on gender-based analysis demographics; however, the provision of such information is never compulsory, and when used, is reported only in depersonalized, aggregated form. |
|
| C) Program or Activity Partners and | Risk Level |
|---|---|
| Within the institution (among one or more programs within the same institution) | 1 |
| With other government institutions | 2 |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 |
| Private sector organizations, international organizations or foreign governments | 4 |
|
Program Area Comments: Business contact and professional information will be used mainly within ISED for the purposes of communicating with the relevant business or organization via the authorized business representative and for conducting business with that individual on behalf of the business or organization. Other personal information may be used to inform gender-based analytics. There are circumstances under some ISED programs or services where information would be shared with another federal institution, with the consent of the individuals authorized as the business contacts; however, in such contexts, this involves the individual consenting to the sharing of business information. The institutions with which business and organization information is shared may have requirements for the disclosure of the identity of the individual who authorizes the sharing. Business contact information may be shared with other federal institutions and other levels of government, with the consent of the relevant individuals, when ISED deems that another institution or level of government may have an operating program or service that would be of benefit or interest to a private sector company or organization |
|
| D) Duration of the Program or Activity | Risk Level |
|---|---|
| One-time program or activity | 1 |
| Short-term program or activity | 2 |
| Long-term program or activity | 3 |
|
Program Area Comments: ISED programs and services are ongoing. As programs wind-down, new programs are created. |
|
| E) Program Population | Risk Level |
|---|---|
| The program's use of personal information for internal administrative purposes affects certain employees. | 1 |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 |
| The program's use of personal information for external administrative purposes affects certain individuals. | 3 |
|
The program's use of personal information for external administrative purposes affects all individuals |
4 |
|
Program Area Comments: When business contact information is shared with other levels of government, with the consent of the relative individual, risk level 3 applies. |
| F) Technology and Privacy
NOTE: A yes response to any of the following three questions indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation. |
Yes / No |
|---|---|
| Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? | No |
|
Program Area Comments (optional): ISED utilizes numerous legacy IT solutions where program and related personal information may be processed. New IT solutions may be implemented for future programs when necessary. |
|
|
Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? |
No |
|
Program Area Comments (optional): ISED utilizes numerous legacy IT solutions where program and related personal information may be processed. New IT solutions may be implemented for future programs when necessary. |
|
| Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities: enhanced identification methods; surveillance; or automated personal information analysis, personal information matching and knowledge discovery techniques? |
No |
|
Program Area Comments (optional): ISED utilizes numerous legacy IT solutions where program and related personal information may be processed. New IT solutions may be implemented for future programs when necessary. |
|
| G) Personal Information Transmission | Risk Level |
|---|---|
| The personal information is used within a closed system (i.e., no connections to the internet, intranet or any other system and the circulation of hardcopy documents is controlled). | 1 |
| The personal information is used in a system that has connections to at least one other system. | 2 |
| The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 |
| The personal information is transmitted using wireless technologies. | 4 |
|
The personal information may received in hardcopy or electronically (either via email or through a web form). Regardless of how information is received, it may transit through the ISED intranet system that powers all IT solutions in the department. At times, documentation may be printed, or stored on portable, magnetic media or in cloud servers. All IT solutions in use at ISED meet all Government of Canada privacy and information security requirements. |
|
| H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee. |
|
|---|---|
|
Program Area Comments: In consideration of the low sensitivity of the personal information being collected and used, the impacts of a privacy breach to individuals and employees is negligible. |
|