Privacy Impact Assessment Summary

Electronic Sharing of Offenders' Information with Provincial Governments

Overview

Historically, the sharing of offender information between Correctional Service Canada (CSC) and provincial correctional organizations has been done verbally and in writing. Both of these methods rely heavily on effective communications between the parties involved and on their appropriate exercise of judgement.

The new proposed information sharing method will involve the establishment of a virtual private network (VPN) using an internet connection between CSC and the computer network of each participating provincial institution. The network will allow the provincial institutions to gain secure and timely access to some of the personal information about offenders that is kept in CSC's Offender Management System (OMS) based on the terms of the agreement between CSC and each provincial government.

The assessment demonstrates that the proposed information sharing method was developed in accordance with the requirements of the Privacy Act, the Corrections and Conditional Release Act and the Government of Canada Security Policy.

Summary of Risks and Recommendation:

General Collection

Risk

Because the employees of provincial institutions will not be able to enter information in OMS, the privacy related risks associated with the collection of information are limited to the quality of the offender personal information that CSC will extract from the provincial databases.

Recommendations for mitigation

These risks are mitigated by the existence of privacy legislation in all jurisdictions from which CSC will obtain that information and the right of offenders to request access to, and the correction of their own personal information kept in those systems

Use

Risk

The privacy related risks associated with the use of the personal information that they will extract from OMS are rather low.

There is the potential of embarrassment for CSC should a provincial institution misuse the personal information of an offender that came from OMS

Recommendations for mitigation

The terms of the agreements to be signed between CSC and the privacy authorities, provide for the implementation of security and privacy controls as well as for the establishment of training/awareness programs for the authorized users of the system.

CSC should develop an effective communications plan to explain the limitations of the responsibility should questions ever be raised by the public concerning a possible misuse of the personal information that has been extracted from OMS.

The PIA team believes that the best way to respond potential embarrassment would be to ensure that the public is aware of, and understands the limitations of CSC's action and responsibility in that regard.

Retention & Disposal

Risk

The possibility that the employees of provincial institutions may reproduce and/or print some of the information to which they will have access and that they retain those copies beyond the scheduled period for their disposition; the possibility that the employees of provincial institutions improperly remove information from the system before the expiry of its retention schedule.

Recommendations for mitigation

The contractual and policy framework established by CSC for the retention and the disposal of the personal information that will be involved in the proposed sharing method meets the requirements of the Privacy Act. The risks associated with the retention and the disposal aspects of the proposed sharing method will not be significantly higher than they are under the current manual sharing arrangement.

Safeguarding

Risk

CSC conducted a TRA in relation to the proposed system in January 2003 in order to identity any potential security risks that the proposed approach may pose and determine ways to mitigate them.

Recommendations for mitigation

At the time of this PIA report, CSC authorities were in the process of addressing the technical security issues that were identified during the course of the TRA.