Privacy impact assessment – Case management system

Executive summary

Background

The Canadian Transportation Agency (Agency) is an independent, quasi-judicial tribunal and economic regulator. It makes decisions and determinations on a wide range of matters involving air, rail and marine modes of transportation under the authority of Parliament, as set out in the Canada Transportation Act and other legislation.

The Agency's responsibilities include:

  • Economic regulation, to provide approvals, issue licences, permits and certificates of fitness, and make decisions on a wide range of matters involving federal air, rail and marine transportation.
  • Dispute resolution, to resolve complaints about federal transportation services, rates, fees and charges.
  • Accessibility, to ensure Canada's national transportation system is accessible to all persons, particularly those with disabilities.

In delivering its mandate, the Agency must interact with many parties – federal, provincial and territorial transportation departments; and various partner organizations such as Transport Canada, Canada Border Services Agency, and the Transportation Safety Board, all of whom have a role in transportation.  However, most of the Agency's business processes are triggered by requests from the public.  Individuals can submit requests to the Agency using a variety of methods: Web forms, email, in person, or via regular mail, courier, and facsimile.

For many years, the Agency's business processes have been managed through a case management system called "AppInfo".  This system lacks functionality, and is built on technology that is now considered to be outdated.

The Agency has therefore chosen to implement a new case management system: Microsoft Dynamics CRM (CRM). CRM is a flexible business solution that can be customized depending on business needs. Once fully configured, the Agency will utilize the CRM for all of its formal and informal case-related files starting with a proof of concept for:

  • Air travel complaints; and
  • Railway crossing filed agreements. 

Once the CRM is fully developed and operational, other internal and external services will have the potential to be on-boarded to the CRM.

It is important to note that the Agency's programs and activities will not change as a result of the CRM implementation.  No new types of personal information will be collected, used or disclosed in relation to the CRM.  Rather, the CRM provides the Agency with a more efficient and harmonized way of managing the Agency's business processes.

As the CRM is scheduled to be rolled out in fiscal year 2015-2016, for the above processes, the Agency has initiated this PIA to meet its obligations under the Privacy Act and the Treasury Board of Canada Secretariat's (TBS) policies, directives, standards and guidelines regarding privacy, information management and security; as well as the factors set out by the Office of the Privacy Commissioner of Canada (OPC) in Expectations: A Guide for Submitting Privacy Impact Assessments [Footnote 1].

Main findings and privacy risks identified

The Agency takes privacy and security of individuals' information very seriously, and this is confirmed by the processes, policies and procedures in place to protect and safeguard personal information Agency-wide.

This PIA therefore provides an informed assessment of the privacy risks associated with the implementation of the CRM and provides recommendations to mitigate identified privacy risks to an acceptable level [Footnote 2].

The PIA process found that the Agency is reasonably compliant and uses best practices to ensure that the requirements of the Privacy Act and of TBS policies, directives and guidelines are met. Once privacy risks identified in this process have been mitigated, there is likely to be minimal risk to the privacy of individuals.

Section I: Overview and PIA initiation

The following module provides a broad overview of the initiative, a description of personal information banks affected, and a discussion of legal authorities.

1. Senior official responsible

For the purposes of the Privacy Act, the Chair and Chief Executive Officer is the head of the Canadian Transportation Agency, including the requirement for the creation of Personal Information Banks (PIBs) as described in subsection 10(1) of the Privacy Act.  The Chair and Chief Executive Officer has delegated the authorities found in section 10 of the Act to the Coordinator, Access to Information and Privacy.

Government Official Responsible for the Privacy Impact Assessment (PIA): Director General, Communications, Information Management Branch

Delegate for section 10 of the Privacy Act: Senior Manager, Information Services, Shared Services Projects & ATIP Coordinator

2. Description of the initiative

To date, the Agency's business processes have been managed through a case management system called "AppInfo".  This system lacks functionality, and is built on technology that is now considered to be outdated, resulting in:

  • inefficiencies;
  • poor alignment with use of shared services within government;
  • poor user experience for staff; and
  • inability to accommodate changing requirements.

The Agency has worked closely with other organizations to help choose a shared, government-wide case management system, which was identified through an RFP process as the Microsoft Dynamics CRM, a flexible business solution that can be customized to business needs.  Once fully configured, the Agency will utilize the CRM for all of its formal and informal case-related files beginning with air travel complaints and railway filed agreements.  Once the CRM is fully developed and operational, other programs such as air, rail, marine and accessibility-related complaints, as well as internal operations such as human resources, and financial services will have the potential to be on-boarded to the CRM.  As additional programs are added, this PIA will be revised. 

It is important to note that the Agency's programs and activities will not change as a result of the CRM implementation.  No new types of personal information will be collected, used or disclosed in relation to the CRM.  Rather, the CRM provides a more efficient and harmonized way of managing the Agency's business processes.

To ensure the integrity of data captured by the current case management software, the Agency has opted for a start-over approach for the CRM.  With the exception of the Agency's listing of air carriers, which contains no personal information; and the manual transfer (i.e. data input) of selected adjudication case files, no other information will be transferred from AppInfo to CRM.   During the implementation phase both AppInfo and CRM will be in operation until all processes have been converted to CRM, at which time AppInfo will be placed in a read-only format until such time that it is completely disabled.  

The CRM will connect with other supporting systems/software within the Agency:

  • Web forms: custom-built forms developed using Drupal software, an open source content management software. Web forms reside on the Agency's dedicated website server.
  • Secured shared folders: shared folders within the Agency's internal environment. Data from Web forms is scanned for viruses using McAfee antivirus software and then transferred inside the internal environment to the secured shared folders.
  • Scribe software: data integration and migration software used by the Agency to capture Web form data.  The Scribe process is triggered when a new file is detected in the shared folder.
  • Records, Document and Information Management System (RDIMS):  The official document management system used by the Agency. Once a file has been transferred to CRM, a case file is automatically created, and the files (including any attachments that have been uploaded with the files) are migrated to RDIMS.
  • Microsoft Exchange/Outlook: The Agency's email system for internal and external communications. The CRM system has been configured to use common e-mail queues directly.  Individual users' messages may be tracked in CRM using the integration feature with Outlook by the user. Users are responsible for initiating the tracking process.

As the CRM is scheduled to be rolled out in a limited capacity within the Agency beginning in June 2015, the Agency has initiated this PIA to meet its obligations under the Privacy Act and the Treasury Board of Canada Secretariat's (TBS) policies, directives, standards and guidelines regarding privacy, information management and security; as well as the factors set out by the OPC in Expectations: A Guide for Submitting Privacy Impact Assessments [Footnote 3].

3. Scope of work and approach

The PIA approach imposed by TBS is iterative in nature and PIA updates should be undertaken at various milestones throughout the project's development life cycle. The methodology and approach outlined in the TBS’ Directive on Privacy Impact Assessment was used as the basis for this document.

This PIA focuses on mapping the business model and data flows, identifying privacy issues, and providing strategies for mitigating the identified risks relating to the Agency's collection, use, retention, and disclosure of personal information through the CRM.

The approach for completing the PIA included:

  • Meetings with the Agency's representatives
  • Review of TBS publications such as the Agency's submission to Info Source:  Sources of Federal Government Information; and of the Agency's website
  • Review of legislation and policies pertaining to the Agency's programs.

This data gathering approach allows for the summarization of the proposed business model for the purposes of conducting the PIA.  Furthermore, this PIA relies on information provided by the Agency and therefore, does not constitute an audit of the Agency's privacy compliance mechanisms.

4. Institution-specific personal information banks (PIBs) for the CRM

The implementation of the CRM does not impact the types of personal information collected, used, disclosed, retained and disposed of at the Agency. Rather, the medium in which it is managed will consist of a new technology platform. The collection of personal information remains at the responsible program level, and under the authority of the Canada Transportation Act, and other applicable legislation (see Section 2 below titled "legal authorities"). The personal information collected, used, disclosed and retained by Agency programs is appropriately identified in the institution's Info Source chapter.

5. Classes of records

A review of the Agency's current Info Source chapter appropriately shows the classes of records in support of the Agency's programs and activities.      

6. Classes of personal information

While personal information collected is used primarily by the Agency for administrative purposes, the use of the CRM also involves the use of personal information that is not intended for an administrative purpose (or to be retrieved by a personal identifier). This information is used to perform planning, statistical, evaluation, and reporting activities. The Agency should ensure that any classes of personal information under the control of the Agency and not used for an administrative purpose are covered by internal privacy protocols and handled in a manner consistent with the Policy on Privacy Protection and the Agency's retention and disposition rules.

7. Legal authorities for the collection of personal information

  • Canada Transportation Act
  • A complaint under section 52 or 94 of the Canada Marine Act
  • A complaint under section 13 of the Shipping Conferences Exemption Act, 1987
  • An appeal under subsection 42(1) of the Civil Air Navigation Services Commercialization Act
  • An application under section 3 of the Railway Relocation and Crossing Act
  • A reference under sections 16 and 26 of the Railway Safety Act
  • A notice of objection under subsection 34(2) of the Pilotage Act
  • Air Transportation Regulations
  • Canadian Transportation Agency Rules (Dispute Proceedings and Certain Rules Applicable to All Proceedings)

Section II: Risk area identification and categorization

As set out in Appendix C – Core PIA of the TBS Directive on Privacy Impact Assessment, the core PIA must include a completed risk identification and categorization section. To have consistent risk categories and risk measurement across government institutions, standardized risk areas and a common risk scale are to be maintained as the basis for risk analysis.

The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. The risk analysis was conducted as part of the PIA and these are the results:

a) Type of program or activity

Score - 2: Administration of program or activity and services

The Agency is an independent, quasi-judicial tribunal and economic regulator. It makes decisions and determinations on a wide range of matters involving air, rail and marine modes of transportation under the authority of Parliament, as set out in the Canada Transportation Act and other legislation. The Agency's responsibilities include:

  • Economic regulation, to provide approvals, issue licences, permits and certificates of fitness, and make decisions on a wide range of matters involving federal air, rail and marine transportation.
  • Dispute resolution, to resolve complaints about federal transportation services, rates, fees and charges.
  • Accessibility, to ensure Canada's national transportation system is accessible to all persons, particularly those with disabilities.

The implementation of the CRM will be rolled out in a limited capacity in June 2015, starting with: air travel complaints and railway filed agreements. It is important to note that the Agency's programs and activities will not change as a result of the CRM implementation.  No new types of personal information will be collected, used or disclosed in relation to the CRM.  Rather, the medium in which it is managed will consist of a new technology platform.

b) Type of personal information involved and context

Score - 2: Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

Personal information is collected by the Agency in accordance with its legally authorized activities and responsibilities. Some of the information submitted to the Agency is part of a quasi-judicial decision-making process and, as such, is considered public record and therefore available to the public. The personal information types collected and used by the Agency that have the potential to appear within case files in the CRM are as follows:

  • Complaints: individual's name, home, business, mailing and/or email address, telephone number, medical condition, disability, age, personal opinions or views, financial information, nationality and marital status
  • Disputes: name, home, business, mailing and/or email address, telephone number, financial information, opinions and views and signature
  • Licensing: personal information relating to the applicant or other parties of record in the form of an individual's name; home, business, mailing and/or email address, telephone number, nationality, age, identifying numbers and financial information
  • Enforcement: depending on the nature of the investigation, personal information in the form of an individual's name, home, business, mailing and/or email address,  telephone number; investigation details, and opinions and views.

These personal information types will not change as a result of the implementation of the CRM. Rather, the medium in which they are managed will consist of a new technology platform.

c) Program or activity partners and private sector involvement

Score - 2: With other government institutions

The CRM is an internal case management system that will replace the Agency's current case management system: AppInfo. Agency staff with user access to the CRM will be authorized to use it, and limited access will be granted to Transport Canada and Statistics Canada once memorandums of understanding are in place.

d) Duration of the program or activity

Score - 3: Long-term program or activity

The Agency's activities are ongoing existing activities.  The implementation of the CRM will not change this.

e) Program population

Score - 3: The program's use of personal information for external administrative purposes affects certain individuals.

As an independent, quasi-judicial tribunal and economic regulator, the Agency makes decisions and determinations on a wide range of matters involving air, rail and marine modes of transportation under the authority of Parliament, as set out in the Canada Transportation Act and other legislation. The programs and activities of the Agency affect those individuals and organizations submitting personal information to the Agency in respect of its programs and activities.  For example, decisions made as a result of the complaints process may affect the individuals involved, as well as the other party that is the subject of the complaint. Decisions can result in changes to a service provider's policies, procedures, equipment, etc. and can have a broad impact on persons, shippers, service providers, etc.  

f) Technology and privacy

Yes: the new or substantially modified program or activity involves implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information.

The Agency has chosen to replace its current case management software, AppInfo, with the CRM, a flexible business solution that can be customized depending on business needs.  Once configured, the Agency will utilize the CRM for all of its formal and informal case-related files starting with air travel complaints and railway filed agreements.  Once the CRM is fully developed and operational, other external programs as well as internal operations such as human resources, and financial services will have the potential to be on-boarded to the CRM.

Yes: the new or substantially modified program or activity requires modifications to information technology (IT) legacy systems.

Only minor modifications to legacy systems have been required for the implementation of the CRM.

Specific technological issues and privacy

Yes: the new or substantially modified program or activity involves implementation of new technologies or one or more of the following activities:

  • enhanced identification methods;
  • surveillance; or
  • automated personal information analysis, personal information matching and knowledge discovery techniques

There will be a link between records: individuals upload information by secure file transfer via Scribe, and key personal information such as name, case ID, date and a sequential number will be matched and attached to the corresponding case in CRM and RDIMS.

g) Personal information transmission

Score - 2: The personal information is used in a system that has connections to at least one other system.

The information submitted to the Agency will be transferred to the CRM, which will work in cooperation with the Agency's RDIMS. CRM will have access to the email system limited to general queues and tracking e-mails designated by the owner.

h) Privacy Breach

Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Because the Agency has little control over what information is uploaded by individuals, the sensitivity of information utilized through the CRM is treated as high (Protected B).  Unauthorized use or disclosure of this information could result in loss of privacy, inconvenience, harm or embarrassment to the individual to whom the information relates.

Potential risk that in the event of a privacy breach, there will be an impact on the institution

In the event of a privacy breach (accidental/deliberate), the Agency could suffer damage to its reputation, which in turn could potentially attract negative public interest or criticism. The Agency could also be subject to civil litigation and liability for privacy breaches that result in harm to an individual.

Ensuring that appropriate safeguards are in place to protect personal information is an ongoing process as security issues (administrative, physical and technical) evolve and change. The Agency follows the TBS Directive on Privacy Practices and as such has developed documented processes for the elements listed above. The Agency further provides Agency-wide information management and privacy and security training and awareness on an ongoing basis.

With regard to the implementation of the CRM, the Agency should develop formal procedures and guidance for staff through help functionality, user manuals, and specific training related to the management and safeguarding of personal information transmitted to and maintained within the CRM. The development of guidance tailored to the specific roles and activities of system administrators and users will help to assure their understanding of privacy requirements.

Notes

Footnote 1

Office of the Privacy Commissioner of Canada, Expectations: A Guide for Submitting Privacy Impact Assessments to the Privacy Commissioner of Canada, Ottawa, October 2011 (OPC Expectations Guide), www.priv.gc.ca.


Footnote 2

An acceptable level of risk is the maximum overall exposure to risk that should be accepted by an organization, based on the benefits and costs involved.


Footnote 3

Office of the Privacy Commissioner of Canada, Expectations: A Guide for Submitting Privacy Impact Assessments to the Privacy Commissioner of Canada, Ottawa, October 2011 (OPC Expectations Guide), www.priv.gc.ca.

