Memorandum of Understanding regarding the Use and Disclosure of Information  with Respect to Periods of Incarceration for the Administration of the Old Age Security Act

Please refer to HRSDC's PIA Summary for their risks and recommendations for mitigation.

Overview

A joint Privacy Impact Assessment (PIA) has been conducted on the Memorandum of Understanding (MOU) regarding the Use and Disclosure of Information with Respect to Periods of Incarceration for the Administration of the Old Age Security Act. This assessment is limited to the collection, use, disclosure and retention of the information as it pertains to the agreement.

The MOU authorizes the disclosure by CSC to HRSDC of personal information regarding individuals who are aged 60 years and older who have been recently incarcerated.

Summary of Risks and Recommendations:

General

Risk

A potential unauthorized use or disclosure.

Recommendations for mitigation

CSC will ensure that HRSDC exercises due diligence with the information it receives on offenders in order to administer the changes to the OAS Act. This "due diligence" may include conducting regular privacy or security audits or reviews of the program to protect the integrity and confidentiality of the information transmitted in electronic format to HRSDC.

Risk

An increase in Access to Information Act and Privacy Act requests from offenders who are seeking to know why their personal information is being disclosed to HRSDC. They may also want details on the MOU concerning the exchange of information.

Recommendations for mitigation

CSC will prepare communication materials so that employees of those affected areas can prepare for an increase in ATIP requests and grievances. Affected areas may wish to review their existing resources to identify ways to handle an influx of offender requests.

CSC has in place a mechanism that allows for the reporting and corrective action of any privacy breaches due to improper use and disclosure of personal information. This includes written Privacy Breach Guidelines and the reporting of breaches to members of CSC's Privacy Committee, chaired by the Assistant Commissioner, Policy Sector. The Guidelines stipulate that, where appropriate, a Privacy Risk Assessment is to be completed to determine the severity of the breach and to identify those cases where the Office of the Privacy Commissioner of Canada is notified.