Privacy Impact Assessment – ATIP Services at ISED

Section I – PIA Overview

Project Title

ATIP Services at Innovation, Science and Economic Development Canada (ISED).

Implementation Date

PIA update to a program that has operated since 1985, which underwent substantial modifications in 2022.

Lead and Other Government Institutions

The lead Government of Canada institution is the Department of Innovation, Science and Economic Development. The Treasury Board of Canada Secretariat (TBS) is a supporting institution.

Sponsoring Senior Official
(and Delegated Official for Section 10 of the Privacy Act)

Chris Parsons
Director, ATIP Services
235 Queen St., 2nd Floor – West Tower
OTTAWA ON  K1A 0H5
(613)-462-3160
chris.parsons@ised-isde.gc.ca

Project Officer
Vance W. Collier
Sr. Advisor, ATIP Services
235 Queen St., 2nd Floor – West Tower
OTTAWA ON  K1A 0H5
(343) 550-4660
vance.collier@ised-isde.gc.ca

Legal Authorities
The core legal authorities that permit ATIP Services operations at ISED are:

  • The Access to Information Act (paragraphs 6 and 11);
  • The Access to Information Regulations (paragraph 4);
  • The Privacy Act (paragraph 13); and
  • The Privacy Regulations (paragraphs 8 and 11).

Numerous other Acts of Parliament support activities conducted by ISED's ATIP Services Branch, including:

  • The Lobbying Act;
  • The Parliament of Canada Act;
  • The Financial Administration Act;
  • The Department of Industry Act; and
  • Some 60 other acts that are administered by ISED or that found one or more operating programs or services of the department.

Personal Information Bank (PIB) Relating to This Activity
PSU 901 – Access to Information Act and Privacy Act Requests; and
PSU 924 – Public Communications.

Project Description
ATIP Services is a branch of the Office of the Corporate Secretary of ISED (formerly, Industry Canada). The ATIP Services Program has been in operation at ISED, in one iteration or another, since 1985's passing of the Access to Information Act and the Privacy Act.

In July, 2022, ISED migrated to the ATIP Online Management Tools (AOMT) System, the IT solution prescribed by TBS for receiving and responding to requests under the Access to Information Act and the Privacy Act.

The TBS Directive on Privacy Impact Assessment (PIA) requires Government of Canada institutions that are subject to the Privacy Act to conduct PIAs when launching new programs that collect and use personal information or when existing such programs undergo substantial changes. ISED's migration to the AOMT represents a substantial change in its ATIP Services Program, and is the primary reason for conducting this PIA.

This PIA is also a requirement of the MOU between the TBS and ISED for the AOMT System.

Further, as ISED's ATIP Services Program has been in operation for 38 years, the decision was taken to use this opportunity to expand on this PIA to include not only those changes brought about by migration to the AOMT, but also, to document the full operations of the entire ATIP Services Branch, as well as the risks to privacy that service delivery presents, and the correlating strategies to mitigate any risks identified. This PIA therefore includes and documents the following ATIP Services Branch activities:

  • Requests made pursuant to the Access to Information Act;
  • Requests made pursuant to the Privacy Act (for access and for correction or annotation to personal information);
  • Informal requests for copies of previously released responses to requests made pursuant to the Access to Information Act;
  • Ad hoc coordination of responses to requests for information made by the Commissioner of Lobbying;
  • Ad hoc coordination of responses to requests for information made by Committees of Parliament;
  • Pre-release reviews of proposed responses to Enquiries of Ministry made by Members of the House of Commons and the Senate; and
  • Pre-publication reviews of ISED Audit & Evaluation Reports and of information required to be proactively published pursuant to part II of the Access to Information Act.

This exercise will provide ISED with a modern, core PIA for its ATIP Services Program, which can be used to document updates arising from ongoing AOMT or policy changes, on an evergreen basis.

It must be noted that the ATIP Services Program at ISED currently utilizes numerous legacy IT solutions already deemed to meet all Government of Canada information security and privacy requirements. The following legacy systems are therefore not included, justified or re-explored by this PIA:

  • Microsoft 365, including:
    • MS Outlook;
    • MS Active Directory Service (shared network drives)
  • GCdocs;
  • AccessPro Suite 2.5 Case Management (and Redaction) Systems;
  • Axcess-1 Case Management System;
  • ePost Connect, by Canada Post Corporation; and
  • Blackberry Workspaces.

Section II – Risk Identification and Categorization

Core PIAs must include a completed risk identification and categorization section as outlined under this section. To have consistent risk categories and risk measurement across Government of Canada institutions, standardized risk categories (itemized below) and a common risk scale are prescribed by TBS and used as the basis for risk analysis.

The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the given risk area; the fourth level (4) [or third, where the fourth is not present] represents the highest level of potential risk. Some risk categories may be ranked with a "yes" or "no" or a "low", "medium" or "high" identifier.

A) Type of Program or Activity

  • Risk Level 1 – Program or activity that does not involve a decision about an identifiable individual
  • Risk Level 2 – Administration of a program or activity and its services
  • Risk Level 3 – Compliance or regulatory investigations and enforcement
  • Risk Level 4 – Criminal investigation and enforcement or national security

Program Area Comments:

  1. Under the Access to Information Act, ISED receives requests for government information from Canadian citizens, permanent residents, and representatives of private sector companies that conduct business in Canada. In processing these requests, ISED makes no decisions about identifiable individuals. Rather, the only decisions made in respect of these requests are (a) whether a requesting individual (or entity) has the right of access, pursuant to the relevant act, and (b) whether to release the requested information or to protect it against disclosure pursuant to one or more provisions of the act.
  2. Under the Privacy Act, ISED receives requests for personal information from individuals, and may also receive requests for the correction or annotation of personal information.
    • In processing requests for personal information, no decisions are made about the individuals making the requests. Rather, the only decisions made in respect of these requests are (a) whether the applicant has the right of access to the information, and (b) whether to release the requested information or to protect it against disclosure pursuant to one or more provisions of the act.
    • In the processing of requests for the correction or annotation of personal information, ISED will make a decision in respect of the requesting individual by virtue of deciding to confirm or deny the correction or annotation request made by the concerned individual.
  3. ISED receives informal requests for copies of previously released responses to requests made pursuant to the Access to Information Act. Under such requests, the only personal information involved is the identity of the applicant in relation to the subject matter requested. Such requests are not themselves pursuant to the Access to Information Act; as such, there is no requirement to validate the right of access, as any individual, acting on behalf of themselves or another individual or entity, may file such a request, and no request is ever refused.
  4. Due to its pre-established contact network and information call-out-and-retrieval mechanisms, the ATIP Services Branch is sometimes asked to coordinate the gathering of information in response to requests made by the Commissioner of Lobbying. Such information may at times contain negligible amounts of personal information (in the form of business contact information of individuals who are not Public Servants). Due to the Commissioner's powers to summon any information—including personal information—these activities are limited to facilitating the information gathering and delivery, and the ATIP Services Branch makes no decisions with respect to any personal information that may be contained in responsive documentation.
  5. Due to its pre-established contact network and information call-out-and-retrieval mechanisms, the ATIP Services Branch is sometimes asked to coordinate the gathering of information in response to requests made by Committees of Parliament and to review the responsive information to identify the presence of personal information, negligible amounts of which (such as the business contact information, or the actions of individuals who are not Public Servants) are sometimes present. The ATIP Services Branch identifies any personal information present in responsive documentation of this nature, and makes recommendations for the information to be redacted—to the exclusion of that personal information where the public interest in disclosure outweighs the privacy rights of the relevant individuals—prior to releasing the responsive information to the relevant Committee via the King's Privy Council for Canada.
  6. Due to its expertise in identifying information that must be protected pursuant to the Access to Information Act and the Privacy Act, the ATIP Services Branch conducts pre-release reviews of proposed responses to Enquiries of Ministry received from Members of the House of Commons and the Senate to ensure that any personal information appearing in these responses (which can include the business contact information or business dealings with the Government of Canada of individuals who are not Public Servants) is redacted prior to being released to the relevant Parliamentarian. Though Enquiries of Ministry are not pursuant to ATIP legislation, efforts are nevertheless taken to ensure that personal information is protected against disclosure in a manner that is consistent with the protection provisions contained in the acts.
  7. The ATIP Services Branch conducts pre-publication reviews of ISED's Audit and Evaluation Branch reports, as well as various types of information slated for proactive publication pursuant to part II of the Access to Information Act, to ensure that any personal information appearing in such material is redacted prior to publication.

B) Type of Personal Information Involved and Context

  • Risk Level 1 – Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
  • Risk Level 2 – Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
  • Risk Level 3 – Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
  • Risk Level 4 – Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive.

Program Area Comments:

  1. Under the Access to Information Act, ISED receives requests for government information from Canadian citizens, permanent residents and representatives of private sector companies that conduct business in Canada. The extent of personal information in this regard is generally limited to the identity of the applicant in relation to the subject matter requested, which is considered and treated as personal but is not, however, sensitive beyond that context.
  2. Under the Privacy Act, ISED receives requests for personal information from individuals, and may also receive requests for the correction or annotation of personal information. The vast majority of such requests received by ISED typically involve matters relating to employee compensation, pay, grievances, harassment, discrimination, performance, allegations of workplace incidents—including violence—and a range of other human resources-related information.
    • The balance of such requests received by ISED involve issues which are inherently personal and sensitive, including intellectual property applications, personal bankruptcy and insolvency particulars, criminal histories, and other interactions with various programs and program officials from every area of the department.
    • The nature, level and sensitivity of the personal information collected by ATIP Services is therefore unusually broad, such that it is limited only by the legislative authorities of each departmental operating program that permit the collection and use of personal information, and by the particular personal circumstances that cause individuals to make requests concerning their personal information.
  3. Personal information pertaining to informal requests for copies of previously released responses to requests made pursuant to the Access to Information Act is limited to the identity of the applicant, in relation to the subject matter requested.
  4. The personal information appearing in responses to requests received from the Lobbying Commissioner and from Committees of Parliament, as well as that which may appear in responses to Enquiries of Ministry and materials intended for proactive publication, is generally limited to business contact information and may, in rare cases, also be in relation to the subject matter that is revelatory of identifiable individuals' interests or dealings with ISED in one capacity (such as lobbying) or another (such as a vendor or service provider).

C) Program or Activity Partners and Private Sector Involvement

  • Risk Level 1 – Within the institution (among one or more programs within the same institution)
  • Risk Level 2 – With other government institutions
  • Risk Level 3 – With other institutions or a combination of federal, provincial or territorial, and municipal governments
  • Risk Level 4 – Private sector organizations, international organizations or foreign governments

Program Area Comments:

  1. Under the Access to Information Act, ISED receives requests for government information from Canadian citizens, permanent residents and representatives of private sector companies that conduct business in Canada. The only personal information that typically pertains to such requests is the identity of the requesting individual in correlation to that individual's interest in the requested subject matter. Responsive information may be present within information when it pertains to the applicant themselves. It is sometimes necessary to consult with other Government of Canada institutions on the release of information, such as when ISED is not the only interested institution.
  2. Under the Privacy Act, ISED receives requests for personal information from individuals, and may also receive requests for the correction or annotation of personal information. In processing such requests, external consultations with other Government of Canada institutions are sometimes required, such as when ISED is not the only interested institution.
  3. Personal information in respect of informal requests for copies of previously released responses to requests made pursuant to the Access to Information Act is not shared outside of the ATIP Services Branch.
  4. Personal information that appears in information requested by the Commissioner of Lobbying is shared with the Commissioner, consistent with the Commissioner's right to compel information pursuant to the Lobbying Act.
  5. Personal information that appears in information requested by Committees of Parliament is removed prior to releasing the information to Parliament, to the exclusion of those instances where it is deemed that the public interest in the disclosure of the information outweighs the individual's right to privacy.
  6. Personal information contained in proposed responses to Enquiries of Ministry and in material slated for proactive publication is removed prior to release to Parliament, or prior to publication.

D) Duration of the Program or Activity

  • Risk Level 1 – One-time program or activity
  • Risk Level 2 – Short-term program or activity
  • Risk Level 3 – Long-term program or activity

Program Area Comments:

ISED's ATIP Services Program is a continuing, permanent activity. As such, this PIA should be reviewed, at least annually, to ensure it remains in an evergreen state.

E) Program Population

  • Risk Level 1 – The program's use of personal information for internal administrative purposes affects certain employees.
  • Risk Level 2 – The program's use of personal information for internal administrative purposes affects all employees.
  • Risk Level 3 – The program's use of personal information for external administrative purposes affects certain individuals.
  • Risk Level 4 – The program's use of personal information for external administrative purposes affects all individuals.

Program Area Comments:

All activities conducted in the ATIP Services Branch are in respect of making disclosures of information to individuals external to ISED, including:

  • The public-at-large;
  • The Parliament of Canada;
  • The Commissioner of Lobbying; and
  • Other government departments or investigative bodies that have the right of access to personal information pursuant to legislation.

As such, the disclosure of information affects the individuals external to ISED to whom the information pertains.

F) Technology and Privacy

NOTE: A yes response to any of the following three questions indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

Yes / No

Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

Yes

Program Area Comments (optional):

ISED was required by TBS to migrate to the new, web-based, AOMT System for receiving and responding to requests under the Access to Information Act and the Privacy Act.

ISED's two ATIP case management systems, Axcess-1 and AccessPro Suite 2.5, are legacy software and while this PIA will document information process flows—including information that flows through those legacy systems—it will not explore, justify or discuss any IT-related issues involving these legacy solutions, which remain unchanged, except to indicate that Axcess-1 is slated for decommissioning and that AccessPro Suite 2.5 has previously met all IT security requirements of the Government of Canada as prescribed by TBS.

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

No

Program Area Comments (optional):

Axcess-1 is slated for decommissioning and AccessPro Suite 2.5 will not be further modified by ISED. AccessPro Suite 2.5 may be subject to periodic updates its vendor makes at the request of TBS, but such updates never constitute substantial changes to how personal information is collected and used and are therefore not relevant to this PIA.

Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities: enhanced identification methods; surveillance; or automated personal information analysis, personal information matching and knowledge discovery techniques?

No

Program Area Comments (optional):

Not applicable.

G) Personal Information Transmission

  • Risk Level 1 – The personal information is used within a closed system (i.e., no connections to the internet, intranet or any other system and the circulation of hardcopy documents is controlled).
  • Risk Level 2 – The personal information is used in a system that has connections to at least one other system.
  • Risk Level 3 – The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed.
  • Risk Level 4 – The personal information is transmitted using wireless technologies.

Program Area Comments:

  1. Under the Access to Information Act, ISED receives requests for government information from Canadian citizens, permanent residents and representatives of private sector companies that conduct business in Canada. The only personal information that typically pertains to such requests is the identity of the requesting individual in correlation to that individual's interest in the requested subject matter.
    • When ISED responds to applicants using the AOMT System, the responsive correspondence is depersonalized so that the requester's personal information is not contained therein. Responsive information—which typically does not contain personal information—is transmitted through the AOMT System directly to the applicant.
    • When ISED responds to applicants using means other than the AOMT System, responsive correspondence containing the requester's personal information is sent to the requester, along with the relevant responsive information, in the format requested by the requester, which may be electronic (email, ePost Connect or Blackberry Workspaces) or hardcopy. When any response is sent via postal mail or courier that contains personal information, the response is double-enveloped, with the inner envelope containing relevant ISED information security identifiers, and the outer envelope void of any such markings.
  2. Under the Privacy Act, ISED receives requests for personal information from individuals, and may also receive requests for the correction or annotation of personal information.
    • When ISED responds to applicants using the AOMT System, the responsive correspondence is depersonalized so that the requester's personal information is not contained therein. Responsive information is transmitted through the AOMT System directly to the applicant.
    • When ISED responds to applicants using means other than the AOMT System, responsive correspondence containing the requester's personal information is sent to the requester, along with the relevant responsive information, in the format requested by the requester, which may be electronic (email, ePost Connect or Blackberry Workspaces) or hardcopy. When any response is sent via postal mail or courier that contains personal information, the response is double-enveloped, with the inner envelope containing relevant ISED information security identifiers, and the outer envelope void of any such markings.
    • When ISED responds to requesters (for requests for the correction or annotation of personal information), such responses are either in hardcopy, sent through postal mail or courier, or in electronic format, sent through electronic mail. Records of such requests are maintained in a case management system, pursuant to the TBS Directive on Personal Information Requests and Correction of Personal Information. Annotations of personal information are noted in the records of the relevant operating programs or services to which the personal information request is pertinent; such notations may be in hardcopy or electronic format, subject to the operations of the relevant program or service area.
  3. For all information requests received prior to April, 2020—whether under the Access to Information Act or the Privacy Act—a full hardcopy of the request, the analysis and the responsive information was created and will be maintained by ISED's Records Management office for a period of five years following the last administrative action taken on the file (two years for a request pursuant to the Privacy Act). The hardcopy file is in addition to the same information set which is maintained in case management systems.
    • Since April, 2020, ISED has not created or maintained any hardcopy files for information requests—to the exclusion of those instances where hardcopy information is provided by program areas in response to requests—relying solely on the records maintained in its case management systems.
  4. Responsive information in respect of informal requests for copies of previously released responses to requests made pursuant to the Access to Information Act may be transmitted to the applicant via email, or via postal mail (which may include hardcopies or information on DVD).
  5. Responsive information in respect of requests for information made by the Lobbying Commissioner is transmitted via courier on DVD. In some circumstances the information is hand-delivered to an official from the Office of the Commissioner of Lobbying. When any response is sent via postal mail or courier that contains personal information, the response is double-enveloped, with the inner envelope containing relevant ISED information security identifiers, and the outer envelope void of any such markings.
  6. Responsive information in respect of requests for information made by Committees of Parliament is transmitted via encrypted email to the King's Privy Council for Canada for distribution to the relevant Committee.
  7. Responses to Enquiries of Ministry are transmitted by email to the relevant Parliamentarian, via the King's Privy Council for Canada.
  8. Information exchanged within the department that is slated for proactive publication is exchanged via email.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

Program Area Comments:

An inadvertent breach of personal information has the potential to cause serious, negative consequences, and even harm to the individual to whom the information pertains, subject to the nature of the information that is breached. Such harm could range from simple, minor embarrassment, to identity theft or a loss of income, or employability.  

However, due to well-established information and privacy management processes, the risk that such a breach would occur is very low and has traditionally been limited to rare disclosures of the identities of information applicants to internal employees who did not have the need to know.

The introduction of the AOMT System introduced new risks that personal information could be inadvertently shared with incorrect individuals. The ATIP Services Branch responded to these new risks by depersonalizing the correspondence that is distributed to information applicants with their responsive information, by implementing new requirements to re-confirm that correct responsive information packages are attached to outgoing electronic communications, and by frequently reiterating these requirements at regularly scheduled team meetings.

For an ISED employee who is involved in a privacy breach, the impact of a privacy breach would be commensurate with the volume and sensitivity of the information breached, and would be incumbent on the circumstances of the breach.  An accidental breach, for example, would likely be met with a minimum of a discussion between the employee responsible for the breach, and a possible requirement for the employee to undergo additional privacy training, in order to mitigate the risk of future re-occurrences of the same type of breach, whereas an employee found to be responsible for an intentional breach of privacy would likely face disciplinary measures consistent with the severity of the circumstances.

Risks are further detailed under Section VI – Summary of Risk Analysis and Recommendations, of this PIA.