Computerized Mental Health Intake Screening System
Privacy impact assessment (PIA) summary
All federal offenders arriving at a reception center will be offered the Computerized Mental Health Intake Screening System (CoMHISS). CoMHISS is a mental health screening process consisting of a computer-administered psychometric test battery that objectively measures indicators of mental health including, but not limited to, depression, suicidal ideation, anxiety, and obsessive-compulsive and psychotic disorders. With respect to the computer-administered psychometric test battery, once offenders complete the screening process, the data will generate a report that will be placed on their confidential Psychology file. Offenders whose scores exceed a pre-determined threshold will automatically be referred to psychology for further assessment. Since CoMHISS will be implemented system-wide, offenders' identification information (i.e. age, gender) and test scores will automatically be gathered to generate institutional, regional, and national profiles of mental health needs within the Correctional Service Canada (CSC) environment. Therefore, CoMHISS will allow CSC to improve mental health treatment planning and access to institutional mental health services by identifying offenders with mental health issues during the intake assessment process.
Summary of risks and recommendations
General retention and disposal
The USB key used to transfer the information from the stand-alone computer to the network is not encrypted and a privacy breach could easily occur if it were to be lost or stolen.
Compounding this risk is the issue of varied practices by test administrators in uploading the test data from the USB key to the network. Individual and identifiable test information remains on the stand-alone computers after the information has been saved to the USB key. Although the information that remains on the computer's hard drive is converted to another file name, the offender's name, FPS, DOB, gender and raw test scores remain on the hard drive and could be accessed. The storage of this data poses a risk as it relates to section 6 of the Privacy Act, which relates to retention, accuracy and disposal of personal information.
Recommendations for mitigation
Currently, USB keys provided to each CoMHISS are not encrypted, as CSC Information Management (IM)/Information Technology (IT) has indicated that this is not feasible with the current CoMHISS version. The issue of encrypted keys should be examined when configuring version II of CoMHISS. In the interim, however, the risk to privacy is low, as the information saved on the key contains only raw test data, and without the accompanying test answers the information is meaningless. Other information would include the offender's name, FPS, DOB and gender, which is all classified at the Protected A level, as per the Government Security Policy (GSP).
CoMHISS guidelines used by administration should be clarified to include precise direction regarding uploading of CoMHISS data from the USB key to the network application, and should contain specific instruction to ensure CoMHISS data is properly safeguarded, as per GSP requirements.
Though the raw test data remains on the hard drive, the files are automatically renamed and the data is saved deep in the system's memory and is virtually irretrievable for non-IT type individuals. The current version of the CoMHISS application does not have the functionality to erase data automatically once the information is saved to the USB key; however, further to discussions with CSC IM/IT, an added functionality can be configured for version II of CoMHISS that will allow the test administrators to delete this information on a regular basis.
Though the program involves mental health information, which by its nature is sensitive if improperly handled, internal directives currently exist within CSC that provide clear direction regarding how mental health information must be handled.
CSC has developed privacy breach guidelines that must be adhered to by all CSC employees in the event of inappropriate handling of personal information.