Privacy Impact Assessment on the Access to Information and Privacy Request Processing Software Solution
Title of the PIA
Privacy Impact Assessment on the Access to Information and Privacy Request Processing Software Solution
Government Institution
Infrastructure Canada (INFC)
Head of INFC or Delegate for Section 10 of the Privacy Act
Melanie Davis, Director, ATIP and Executive Correspondence, Corporate Secretariat
Senior Official or Executive Responsible for the New Initiative
Melanie Davis, Director, ATIP and Executive Correspondence, Corporate Secretariat
Name of the Program or Activity of the Government Institution
Access to Information and Privacy
Legal Authority
The legal authority for the collection of personal information is the Financial Administration Act, the Access to Information Act and the Privacy Act.
Personal Information Bank
Access to Information Act and Privacy Act Requests
Security Incidents and Privacy Breaches
Short Description of the New Initiative
The Access to Information and Privacy (ATIP) Request Processing Software Solution (the software) is a suite of features bundled into one software solution to support Infrastructure Canada (INFC) in managing their ATIP requests. The software is a case management system that will be used to track the processing of access, privacy, and consultation requests, complaints, and informal ATIP files as well as a redaction software to aide in the processing of requests. In addition, INFC, like each federal institution, is required to prepare and table in each House of Parliament an annual report on the administration of the Acts, a process for which the ATIP request processing software solution is an essential tool in ensuring compliance. The implementation of this new software solution will assist in the overall efficiency of request processing and reporting at INFC.
Risk Area Identification and Categorization
The following section contains risks identified in the PIA for the new or modified program. The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.
Type of Program or Activity
Administration of program or activity and services – Personal information is used to make decisions that directly affect the individual (i.e., determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).
Level of risk to privacy: 2
Type of Personal Information Involved and Context
Social Insurance Number, medical, financial or other sensitive personal information, or a sensitive context surrounding the personal information; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Program or Activity Partners and Private Sector Involvement
Within the institution (among one or more programs within the same institution), with other government institutions, with other institutions or a combination of federal, provincial or territorial, and municipal governments, private sector organizations, international organizations or foreign governments.
Level of risk to privacy: 4
Duration of the Program or Activity
Long‑term program or activity.
Level of risk to privacy: 3
Program Population
For external administrative purposes affects all individuals.
Level of risk to privacy: 4
Technology and Privacy
The program or activity involves the implementation of new technologies and one or more of the following activities:
- automated personal information analysis, personal information matching and knowledge discovery techniques (use of automated technology to analyze, create, compare, cull, identify or extract personal information; it includes personal information matching, record linkage, personal information mining, comparison, knowledge discovery, and information filtering or analysis; such activities involve artificial intelligence and/or machine learning to uncover intelligence, trends/patterns or to predict behaviour).
Level of risk to privacy: 4
Personal Information Transmission
The personal information is used in a system that has connections to at least one other system, may be printed and/or transmitted using wireless technologies.
Level of risk to privacy: 4
Risk Impact to the Individual or Employee in the Event of a Privacy Breach
Inconvenience, reputation harm, embarrassment, financial harm.
Level of risk to privacy: 3
Report a problem on this page
- Date modified: