Competition Bureau – Digital Forensic Activity (Electronic Evidence Unit)

Description

The EEU's DFA mission is to provide a uniform and coordinated approach to handling, processing, and analyzing all Electronically Stored Information (ESI) evidence that is relevant to a Competition Bureau investigation no matter how it is acquired. To accomplish this mission, the Electronic Evidence Unit must:

  1. Provide the Competition Bureau and all its branches with the digital forensic expertise and capability of collecting, preserving, analysing, presenting and disposing of ESI evidence;
  2. Conduct digital forensic investigations and prepare ESI evidence to support Bureau investigations;
  3. Strive to maintain digital forensic expertise and stay at the forefront of technological advancements;
  4. Form collaborative partnerships with Criminal Justice and Law Enforcement agencies to further professionalism, cooperation and mutual exchange of information; and
  5. Adhere to a high ethical standard, respecting privacy rights and legal frameworks.

Why a privacy impact assessment was completed

This Privacy Impact Assessment (PIA) has not been conducted as the result of new or substantially modified changes; the DFA has operated, largely unchanged, since the mid-1990s. Rather, this PIA is being conducted consistent with requirement no. C.2.2.9.4 [to complete a PIA for any existing program or activity that uses personal information for an administrative purpose, that does not already have a Personal Information Bank].

This PIA is the first in a series of placeholder PIAs that will be conducted by the Competition Bureau over the next several years (2025-2030). It represents the business activities and analyzes the privacy risks of one of multiple business lines within the Competition Bureau. The Electronic Evidence Unit's (EEU) Digital Forensic Activity (DFA) is where the majority of personal information in relation to matters being investigated by the Bureau originates (or is first collected). As such, this PIA is presented from a singular business line—rather than an enterprise—viewpoint. In the five-year period between 2025 and 2030, further placeholder PIAs will be conducted for the Bureau's other business lines where personal information is collected and used. Once placeholder PIAs have been conducted for all other business lines, they will be joined together to present a holistic perspective on the use of personal information in the form of an enterprise-level PIA (2030+).

Additional information

Risks identified and corresponding mitigation measures:

| Risk No. | Risk description | Affected privacy principle(s) | Risk level | Mitigation measures |
|---|---|---|---|---|
| 1 | Third parties (legal experts or computer specialists) will have access to personal information | Policy – Controlled Access to Personal Information | Negligible | The risk is acceptable to the Bureau, and does not require mitigation, given the legal right of access to legal experts, and the low frequency of use of third party computer specialists, who, if engaged, would work under the direct supervision of an EEO. |
| 2 | Process relating to privacy management may change or fall out-of-date | Policy – TBS Directive on Privacy Practices (PIA Standard) | Negligible | Mitigation: Over the five-year period starting with 2025, the Bureau will document multiple placeholder PIAs; when all placeholder PIAs have been completed, they will be merged into a single, enterprise-level PIA that will thereafter be evaluated on a biennial basis to ensure evergreening. |
| 3 | Incidental collection of irrelevant personal information | Policy – Limiting collection of personal information | Low | This risk is acceptable to the Bureau, and does not require mitigation. The seizure of irrelevant personal information is inevitable in the ordinary seizure of ESI. Irrelevant information does not form part of the investigative file unless it is inextricably linked to other relevant information. All ESI is always protected through forensic and physical security means. |
| 4 | Possible collection of personal information (through voluntary disclosure) without obtaining consent. Under such circumstances, consent is obtained by another team (other than the EEU) prior to the EEU collecting the information. | Policy – Consent | Low | The EEU will implement a new procedure to ensure that the relevant Bureau team has collected consent prior to undertaking the collection of information that is being voluntarily disclosed (i.e., disclosed without a court order). |
| 5 | Security Assessments were not conducted on various forensic/surveillance tools employed by the Bureau when procured through Shared Services Canada, and such assessments will not be conducted retroactively. | Technical Safeguards | Negligible | The Bureau accepts all risks associated with the use of unassessed tools. The risk is thought to be negligible in consideration of the length of time said tools have been deployed, without privacy incidents. |

Related personal information banks

ISED PPU 033 Competition Bureau – Digital Forensic Activity (Electronic Evidence Unit)

For more information about this privacy impact assessment

Contact:
Vance W. Collier (vance.collier@ised-isde.gc.ca)