Privacy Impact Assessment – Managed Contact Centre Services
A privacy impact assessment (PIA) was conducted to identify and mitigate any privacy risks associated with the Managed Contact Centre Services (MCCS) project.
Section 1 – Overview and PIA Initiation
- Elections Canada
Government Official Responsible for the PIA:
- Executive Director, Policy and Public Affairs
Delegate for Section 10 of the Privacy Act:
- Assistant Director, Access to Information and Privacy
Description of the Program or Activity:
Electoral Engagement promotes and sustains the Canadian electoral process. It provides Canadians with electoral education and information activities so that they can make informed decisions about their engagement in the electoral process. It also aims to improve the electoral framework by consulting and sharing electoral practices with other stakeholders. This program includes two sub-programs: Civic Education and Outreach; and Electoral Development.
Internal services constitute groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. These groups are management and oversight services, communications services, legal services, human resources management services, financial management services, information management services, information technology services, real property services, materiel services, acquisition services and travel and other administrative services. Internal services include only those activities and resources that apply across an organization and not to those provided specifically to a program.
The MCCS provides Tier 2 call centre services to Elections Canada as part of the agency’s contact centre framework and responds to general or frequently asked questions. The Tier 2 services are provided by an external supplier who provides contact centre services during the federal general election.
Personal Information Banks (PIB):
- Sections 7 and 161 of the Financial Administration Act, and Part 6 of the Policy on Communication and Federal Identity
Project / Activity Summary:
The specific scope of the MCCS PIA is the recording of calls and screen captures by the outsourced contact centre provider for training and quality assurance purposes.
Section 2 - Risk Area Identification and Categorization
A. Type of Program or Activity:
Administration of Programs / Activity and Services
Program or activity that does not involve a decision about an identifiable individual. (Level of Risk to Privacy: 1)
B. Type of Personal Information Involved and Context:
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. (Level of Risk to Privacy: 1)
C. Program or Activity Partners and Private Sector Involvement:
Within Elections Canada (EC, amongst one or more programs within EC) (Level of Risk to Privacy: 1)
Private sector organizations or international organizations or foreign governments (Level of Risk to Privacy: 4)
D. Duration of the Program or Activity:
Long-term program (Level of Risk to Privacy: 3)
E. Program Population:
The program affects certain individuals for external administrative purposes. (Level of Risk to Privacy: 3)
F. Technology and Privacy:
Does the new or modified program involve the implementation of a new electronic system, software or application program, including collaborative software (or groupware) that is implemented to support the program in terms of the creation, collection or handling of personal information? – Yes.
Does the new or modified program require any modifications to IT legacy systems and/or services? – No.
Does the new or modified program or activity involve the implementation of one or more of the following technologies?
- Enhanced identification methods? – No.
- Use of surveillance? – No.
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques? – No.
G. Personal Information Transmission:
- The personal information is used in a system that has connections to at least one other system. (Level of Risk to Privacy: 2)
- The personal information is transferred to a portable device or is printed. (Level of Risk to Privacy: 3)
- The personal information is transmitted using wireless technologies. (Level of Risk to Privacy: 4)
H. Potential risk that, in the event of a privacy breach, there will be an impact on the individual or employee:
- Embarrassment, inconvenience and reputational harm