Privacy Impact Assessment – Political Entities Services Centre
A privacy impact assessment (PIA) was conducted to identify and mitigate any privacy risks associated with the Political Entities Services Centre (PESC) project.
Section 1 – Overview and PIA Initiation
- Elections Canada
Government Official Responsible for the PIA:
- Senior Director, Operations and Field Governance, Electoral Events and Innovation
Delegate for Section 10 of the Privacy Act:
- Assistant Director, Access to Information and Privacy
Description of the Program or Activity:
The Electoral Operations program allows Elections Canada to deliver fair and efficient electoral events whenever they may be required so that Canadians are able to exercise their democratic right to vote during a federal general election, by-election or referendum. The program provides an accessible and constantly improved electoral process responsive to the needs of electors. This program includes three sub-programs: Electoral Boundaries Readjustment; Electoral Event Delivery; and Electoral Preparedness.
The PESC is Elections Canada's secure, convenient, easy-to-use online portal for candidates, their campaigns, and political entities. The PESC portal gives political entities online access to a variety of electoral services and documents.
Personal Information Banks (PIB):
- Candidates and Members Elected – Elections PPU 005
- Public Communications – PSU 914
- Electronic Network Monitoring Logs – PSU 905
- Sections 16, 66, 477.3 and Part 15 of the Canada Elections Act
- Sections 7 and 161 of the Financial Administration Act, and Part 6 of the Policy on Communication and Federal Identity
Project / Activity Summary:
The purpose of the PESC is to establish a secure, single point, self-serve portal that provides political entities access to online electoral services, products and support as well as assistance in streamlining the nomination process. The portal can be accessed from any device that is connected to the internet.
Specifically, the PESC serves to modernize and unify the Elections Canada products and services used to support candidates and political entities. The PESC project is structured around the following three deliverables:
- a secure portal which will host and support a variety of online applications that are currently not available online;
- an online repository to host Elections Canada products for political entities such as lists of electors, maps, statutory notices, etc.;
- an e-nomination application that will enable candidates to submit their Nomination Paper online.
Section 2 - Risk Area Identification and Categorization
A. Type of Program or Activity:
Administration of Programs / Activity and Services
Personal information is used to make decisions that directly affect the individual (determining eligibility for programs, including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.). (Level of Risk to Privacy: 2)
B. Type of Personal Information Involved and Context:
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. (Level of Risk to Privacy: 2)
C. Program or Activity Partners and Private Sector Involvement:
Within Elections Canada (EC, amongst one or more programs within EC) (Level of Risk to Privacy: 1)
D. Duration of the Program or Activity:
Long-term program (Level of Risk to Privacy: 3)
E. Program Population:
The program affects certain individuals for external administrative purposes. (Level of Risk to Privacy: 3)
F. Technology and Privacy:
Does the new or modified program involve the implementation of a new electronic system, software or application program, including collaborative software (or groupware) that is implemented to support the program in terms of the creation, collection or handling of personal information? – Yes.
Does the new or modified program require any modifications to IT legacy systems and/or services? – Yes.
Does the new or modified program or activity involve the implementation of one or more of the following technologies?
- Enhanced identification methods? – No.
- Use of surveillance? – No.
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques? – No.
G. Personal Information Transmission:
- The personal information is used in a system that has connections to at least one other system. (Level of Risk to Privacy: 2)
- The personal information is transferred to a portable device or is printed. (Level of Risk to Privacy: 3)
H. Potential risk that, in the event of a privacy breach, there will be an impact on the individual or employee:
- Embarrassment, inconvenience and reputational harm