Privacy Impact Assessment – Canada Digital Adoption Program: Evergreen Update – May 2024

Section I – Overview and PIA initiation

Project title: Canada Digital Adoption Program – hereinafter referred to in this document as the CDAP
Target implementation date: This is an evergreen update to a core PIA for a program that has been in progress since 2021
Sector, directorate: Innovation Canada (Innovative Solutions Canada)
Lead government institution: Innovation, Science and Economic Development Canada – hereinafter referred to in this document as ISED
Other government institution: Business Development Bank of Canada – hereinafter referred to in this document as BDC

Note:  In terms of personal information, BDC will only receive non-sensitive personal information from ISED, in the form of the contact information of individuals who self-identify as the authorized business contacts for CDAP business clients.  BDC will use that personal information to establish a business relationship with the authorized representative, and will not make any decisions that relate to that representative, as an individual.  Nor will BDC communicate any decisions back to ISED. Therefore this PIA is not considered to be multi-institutional in nature, and BDC is not a formal party to its creation.

Name and contact information of senior responsible official

Kate Poirier
Director General, Innovation Canada
613-617-5263
kate.poirier@ised-isde.gc.ca

Aline Dimitri
Director General, Small Business
aline.dimitri@ised-isde.gc.ca

Legal authority for the program

The legislative authority that permits the implementation of the CDAP and the collection and use of the correlating personal information is the Department of Industry Act, specifically:

  • 4 (1) The powers, duties and functions of the Minister extend to and include all matters over which Parliament has jurisdiction, not by law assigned to any other department, board or agency of the Government of Canada, relating to:
    • (n) small businesses.
  • 5 The Minister shall exercise the powers and perform the duties and functions assigned by subsection 4 (1) in a manner that will:
    • (d) encourage the fullest and most efficient and effective development and use of science and technology; and,
    • (f) strengthen the framework for the development and efficiency of the Canadian marketplace.
  • 6 In exercising the powers and performing the duties and functions assigned by subsection 4 (1), the Minister shall:
    • (a) initiate, recommend, coordinate, direct, promote and implement national policies, programs, projects and practices with respect to the objectives set out in section 5; and,
    • (c) promote, assist and provide support services for, and investment in, Canadian industry, goods, services, science and technology.

Personal Information Bank (PIB) relating to this program

ISED PPU 201 (CDAP Clients and Digital Advisors PIB)

ISED PPU 501 (Identity and Credential Management)

Name and contact information of project officers and relevant contacts

Kim Deslauriers
Director, Canada Digital Adoption Program
613-371-3728
kim.deslauriers3@ised-isde.gc.ca

Vance W. Collier (PIA Contact for ATIP Services)
Sr. Advisor, ATIP Services
vance.collier@ised-isde.gc.ca
343-550-4660

ATIP Services File Number: PIA-2021-00006

PIA-2022-00017 (Evergreen Update)

ISED Delegate for Section 10 of the Privacy Act

Anik Meredith
A/Director, ATIP Services
343-542-5195
anik.meredith@ised-isde.gc.ca

Project description

Project overview:

Announced in Budget 2021, ISED implemented the CDAP, a $1.4-billion initiative to help small and medium-sized enterprises (SMEs) accelerate their digital transformation over a four-year period (2021-22 through 2021-25).

The Program has two streams:

  • Stream 1, Grow Your Business Online (GYBO), is delivered by third-party organizations who provide SMEs with grants to support the costs associated with the adoption of digital technologies related to e-commerce capabilities as well as access to a network of well-trained young Canadians to assist business owners in building their e-commerce capabilities.
  • Stream 2, Boost Your Business Technology (BYBT), provides SMEs with more comprehensive digital transformation support through a grant for digital advisory services, a zero-interest loan from Business Development Bank of Canada (BDC) to finance technology implementation, and wage subsidies for youth work placements to assist with digital adoption.

GYBO MICRO-VIEW: 

Operational Information:

GYBO provides grants of up to $2,400 to SMEs to support the adoption of e-commerce technologies and develop in-house e-commerce advisor capabilities. GYBO is delivered by 15 regional service providers (intermediaries) who provide the following services to SME clients:

  • E-Commerce Advisor services: Hiring, training, and mentoring students and recent graduates as E-Commerce Advisors, who then help SMEs assess their digital needs and develop their e-commerce strategy; and
  • Grant administration: Providing grants to eligible SMEs to support the costs associated with the adoption of digital technologies related to e-commerce capabilities.

Data and Personal Information Collection:

Intermediaries are responsible for the collection, storage and safeguarding of all information regarding SMEs, E-Commerce Advisors, and any other personal information (such as business contact information) relating to GYBO operations. SME-level information captured by intermediaries is forwarded to ISED, along with anonymized information on E-Commerce Advisors.

BYBT MICRO-VIEW: 

Operational Information:

BYBT offers financial support to small and medium Canadian-owned enterprises (SMEs), such as small manufacturing and food processing operations, to adopt new technologies. Support for eligible businesses will be in the form of grants to offset the cost of retaining Digital Advisors who will develop Digital Adoption Plans tailored to the business. The grant will cover up to 90% of the cost to develop the digital plan, up to a maximum grant payment of $15,000. 

In August 2021, ISED issued a call for Digital Advisor applications to create a Digital Advisor Registry Tracker (DART), since rebranded as the Digital Advisor Marketplace. ISED was responsible for assessing the qualifications and suitability of those wishing to be registered as Digital Advisors. DART was built into the CDAP portal which enabled eligible SMEs to search for a Digital Advisor and engage with them directly to initiate the development of their digital adoption plan. In addition, SMEs can complete a Digital Needs Assessment to assess their digital maturity before they are ready to submit their grant claim for reimbursement.

SMEs that are approved and have received their grant payment can apply for additional support to implement the digital adoption plan. SMEs will be able to apply for a zero-interest loan from the Business Development Bank of Canada (BDC) (up to $100,000). In addition, SMEs can apply for youth work placements to support their digital adoption goals, receiving a wage subsidy of up to $7,300 per participant aged 18-30.

Data and Personal Information Collection:

Most of the information to be collected from SMEs under BYBT is business information, to the exclusion of business contact information.  For the purpose of assessing the qualifications and suitability of interested parties wishing to work as Digital Advisors, ISED may collect specific business information from the organizations that employ those individuals, including the curricula vitae and references of the individual digital advisor candidates, and samples of previous digital adoption plans created by the particular advisor(s).

All other information, including information about youth participating in placements, will be provided by third-party delivery organizations, in anonymized or aggregated format.

Section II – Risk area identification and categorization

The TBS requires that core PIAs include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are used as the basis for risk analysis.

The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the given risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.

A – Type of program or activity

Risk scale:

  • Level 1: Program or activity that does not involve a decision about an identifiable individual
  • Level 2: Administration of program or activity and services
  • Level 3: Compliance or regulatory investigations and enforcement
  • Level 4: Criminal investigation and enforcement or national security

Considerations:

Streams 1 and 2:

CDAP-related decisions are made at the business level and communicated back to the business via the authorized business contact or, in some cases, through third-party delivery organizations. Personal information (in the form of business contact information) will be shared with third-party delivery organizations (that might be agencies within the ISED Portfolio group of agencies).

The youth placement aspect of the CDAP is entirely managed by third-party delivery organizations and ISED therefore does not collect personal information directly from youth participants.  Any information provided to ISED regarding youth participants is void of personally identifying information (anonymized), and shared with ISED solely for CDAP reporting and analysis uses.

Possible risks: The activity introduces minor risk that a breach of business information, for businesses that are sole proprietorships, could be potentially harmful (with low impact) to the respective individuals. For example: a breach of information that would damage the individual's competitive position in the marketplace. This risk and its mitigation strategies are further detailed under Section VI (Summary of Analysis and Recommendations) of this PIA.

Stream 2 only:

Digital Advisors are businesses, or employees of businesses.  All Digital Advisor candidates are required to provide ISED with their curriculum vitae—including professional references—which ISED uses as the basis for evaluating those individuals' qualifications and suitability to serve as Digital Advisors.

BDC loan participation information in respect of SMEs is collected and stored by BDC.  Business contact information is the only personal information that applies to BDC transactional information.

B – Type of personal information involved and context

Risk scale:

  • Level 1: Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
  • Level 2: Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
  • Level 3: Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
  • Level 4: Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive.

Considerations:

For streams 1 and 2, there is a collection and use of business contact information, which may belong to sole proprietorship business owners.

Possible risks:  The same as indicated in Section A.

For stream 2 only, those wishing to participate as Digital Advisors must furnish their curriculum vitae—including professional references—either directly, or through their employers—which ISED uses as the basis for evaluating those individuals' qualifications and suitability to serve as Digital Advisors.

Possible risks:  The same as indicated in Section A.

C – Program or activity partners and private sector involvement

Risk scale:

  • Level 1: Within the institution (among one or more programs within the same institution)
  • Level 2: With other government institutions
  • Level 3: With other institutions or a combination of federal, provincial or territorial, and municipal governments
  • Level 4: Private sector organizations, international organizations or foreign governments

Considerations:

For both streams, program delivery is conducted by third-party delivery agents, which are private sector organizations.

Possible risks: Not applicable. This category ranks at risk-level 4, consistent with TBS-prescribed ranking methodology, solely because elements of the program are delivered by private sector organizations. However, this does not itself introduce additional risks to privacy.  Pursuant to requirement 4.2.16 of the TBS Policy on Privacy Protection, "Heads of government institutions or their delegates are responsible for taking steps to ensure, when personal information is involved, that third parties under contract, agreement or arrangement with the government institution provide appropriate privacy protections". Said assurances were made at the time of program implementation in 2021.

D – Duration of program

Risk scale:

  • Level 1: One-time program or activity
  • Level 2: Short-term program or activity
  • Level 3: Long-term program or activity

Considerations:

The CDAP is presently intended to operate for four years (2021-22 through 2024-2025). At the time of this evergreen PIA, there is no stated commitment to extend the program beyond its originally planned, four-year life.

Possible risks: Not applicable.

E – Program population

Risk scale:

  • Level 1: The program's use of personal information for internal administrative purposes affects certain employees or individuals.
  • Level 2: The program's use of personal information for internal administrative purposes affects all employees or individuals.
  • Level 3: The program's use of personal information for external administrative purposes affects certain employees or individuals.
  • Level 4: The program's use of personal information for external administrative purposes affects all employees or individuals.

Considerations:

Streams 1 and 2:

The business contact information of SME clients is collected by ISED and shared with third-party delivery organizations for CDAP administration.

Possible risks: The same as indicated in Section A.

Stream 2 only:

Those wishing to participate as Digital Advisors must furnish their curriculum vitae—including professional references—either directly, or through their employer—which ISED will use as the basis for evaluating those individuals' qualifications and suitability to serve as Digital Advisors.

Possible risks: The same as indicated in Section A.

F – Technology and privacy

Note: A yes response to any of the following three questions indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

Response: No

There are no changes to IT solutions established in 2021 to support the CDAP's delivery.

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

Response: No

Considerations:

N/A

Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities: enhanced identification methods; surveillance; or, automated personal information analysis, personal information matching and knowledge discovery techniques?

Response: No

Considerations:

At the time of the CDAP's Core PIA, there were plans to enter new methods of identity validation into production; however, all identity management solutions used for CDAP delivery purposes have since been covered under ISED's January 2023 PIA for Identity and Credential Management Solutions, and detailed under Personal Information Bank No. ISED PPU 501 – Identity and Credential Management.

G – Personal information transmission

Risk scale:

  • Level 1: The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled).
  • Level 2: The personal information is used in a system that has connections to at least one other system.
  • Level 3: The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed.
  • Level 4: The personal information is transmitted using wireless technologies.

Considerations:

All personal information is provided through an internet Website portal, connected to a Salesforce application, which will reside on the ISED intranet. While individual users of the CDAP internet portal may use wireless technologies to access the portal, ISED does not, itself, transmit any information wirelessly.

There remains no business requirement to print any information, personal or otherwise, in hardcopy.

Potential risks: Not applicable.

H – Potential risk that in the event of a privacy breach, there will be an impact on an individual or employee.

Considerations:

The risk to individuals varies from low to medium:

  • A certain degree of business information will be collected from SME participants, which may be sole proprietors. A breach of business information in relation to a sole proprietor has the potential to cause psychological harm to the pertinent individual, in the form of embarrassment or stress, but may also carry the potential to damage an individual's business reputation or one's ability to compete in the marketplace;
  • A breach of an individual's curriculum vitae carries a minimal possibility of causing minor embarrassment or stress to the concerned individual; and

The risks of a privacy breach on ISED employees could also vary widely, ranging from embarrassment over having been involved in or responsible for a breach (low), to being named in litigation if deemed to be the cause of a major breach (medium, in consideration of the likelihood of occurrence).

These risks and the accompanying mitigation strategies are further detailed under Section VI (Summary of Analysis and Recommendations) of this PIA.