Privacy Impact Assessment - Electronic Financial Returns
A privacy impact assessment (PIA) was conducted to identify and mitigate any privacy risks associated with the Electronic Financial Returns (EFR) project, the goal of which was to facilitate the reporting of financial information by political parties, candidates, leadership contestants, nomination contestants and electoral district associations.
Section 1 - Overview and PIA Initiation
Government Institution Responsible for Delivering the Program or Activity:
Government Official Responsible for the Program or Activity:
Director, Regulatory Instruments and Systems
Delegate for Section 10 of the Privacy Act:
Assistant Director, Access to Information and Privacy
Name and Description of the Program or Activity:
The Regulation of Electoral Activities program provides Canadians with an electoral process that is fair, transparent and in compliance with the Canada Elections Act (the Act). Within this program, Elections Canada is responsible for administering the political financing provisions of the Act. This includes compliance monitoring, disclosure and reporting of financial activities. This program includes two sub-programs: Administration of Political Financing and Compliance.
Personal Information Bank:
Legal Authority for Program or Activity:
Parts 17 and 18, and section 541 of the Canada Elections Act; section 19 of the Referendum Act. These are the provisions that regulate the financial administration and compliance of political entities.
Summary of the Project:
The purpose of the EFR project was to deliver a new, online method (software program) for political entities to submit their statements and returns directly to Elections Canada in such a manner that they are complete, correct and have had an initial validation against the pertinent requirements of the Canada Elections Act, and to give political entities the ability to provide digital consent (or approval).
Section 2 - Risk Area Identification and Categorization
A. Type of Program or Activity:
Administration of Programs / Activity and Services (Level of Risk to Privacy: 2)
B. Type of Personal Information Involved and Context:
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program (Level of Risk to Privacy: 1)
C. Program or Activity Partners and Private Sector Involvement:
Private sector organizations or international organizations or foreign governments (Level of Risk to Privacy: 4)
D. Duration of Program or Activity:
Long-term program (Level of Risk to Privacy: 3)
E. Program Population:
The program affects certain individuals for external administrative purposes (Level of Risk to Privacy: 3)
F. Technology and Privacy:
Does the new or modified program involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program in terms of the creation, collection or handling of personal information? – Yes.
Does the new or modified program require any modifications to IT Legacy Systems and/or services? – Yes.
Does the new or modified program or activity involve the implementation of one or more of the following technologies?
- Enhanced identification methods? – No.
- Use of surveillance? – Yes.
- Use of automated data analysis, data matching and knowledge discovery techniques? – No.
G. Personal Information Transmission:
The personal information is transmitted using wireless technologies. (Level of Risk: 4)
H. Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee:
Personal information could be used for fraudulent purposes.