Receiver General Buy Button (RGBB) Upgrade Privacy Impact Assessment Summary

Introduction and background

The RGBB service modernization will continue to enable RGBB clients to use the RGBB for credit card and now also Interac as payment processing methods. The payment information is processed electronically using the RGBB service from RGBB clients' web sites (also known as storefronts) that accept electronic payments.

RGBB clients will continue to use the RGBB service as a means to process payments from individuals of the general public. The RGBB provides the necessary tools to allow RGBB clients to manage online, mail orders and /or in-person payment for goods or services, through the provision of authentication, and administration processes. The use of these processes facilitates secure and private exchange of customer payment data with payment processing service providers on behalf of RGBB clients.

The user community for the RGBB Service consists of:

• RGBB clients including any government department/agency or other levels of government who want to use the RGBB service to accept payments from their web storefront for goods or services procured by customers; and,
• Customers wanting to make payments to RGBB client for goods or services

Personal information collected by existing RGBB Service

The different clusters of personal information collected or used during the various RGBB business processes are as follows:

• CCN: Identifies the Credit Card Number required to process the customer's request to pay for the goods or services using their credit card.
• Expiry Date: Identifies the credit card expiration date to confirm if the credit card is active or expired.
• Address: Identified the address of the cardholder for billing or address verification purposes.
• Reason Codes: Reason codes collected by the RGBB are personal information since they are linked to the CCN or cardholder name. The reason codes are contained in the RGBB relational database repository, and are accessed by the application components to verify the validity of payment processing details presented by the RGBB clients' customers, but does not contain any information that identifies an individual. The reason codes are displayed in plain text.

The application also collects and retains transaction data from the selling department that is required for processing the transaction. This information includes the selling department's ID, transaction type, departmental reference number, transaction amount and the language last used by the customer on the department's website (so that the RGBB web pages can be presented in the same language for consistency). Transaction data collected from the department is assigned a RGBB transaction ID and the data collected from the customer is appended to that record.

New Personal information collected by upgrade RGBB Service

The new personal information collected or used during the various upgraded RGBB business processes is as follows: 

• Name: Identifies the name of the credit card holder buying the service/product from the RGBB client storefront.
• Address: Email or physical address of the cardholder as required for transaction receipt purposes.

Other information elements pertaining to the customers' online transactions are also collected or used, such as customer session logs, content of temporary cookies and signature verification logs. The architecture design specifications, however, do not permit these information elements to identify individuals or to be linked to individuals.

The customer is provided with the opportunity to review the RGBB privacy statement on the payment page where they are required to submit personal information. The privacy statement describes the reason for collection, the specific use, the retention period, disposal procedures and Personal Information Bank (PIB) where the personal information is stored.

The RGBB administrative web interface is used to perform the following:

• Initiate credit card sales or authorization (possibly Interac sales in the future);
• Perform refund or void of transactions previously completed by a merchant;
• Automate end-of-day processing of funds settlement and deposit;
• Securely store transaction data; and
• Support execution of Adhoc queries and reports as well as profile maintenance related activities.

Privacy risks

Privacy risks and potential risk mitigation measures have been identified in the PIA report. These risks are summarized below.

• Ensuring that personal information is maintained in a secure and robust infrastructure and physical location.
• Ensuring that privacy and security obligations on data are addressed in third-party agreements (Terms of Engagement and Set-up Forms) between the PWGSC, OGDs, and the RGBB Service vendor via interface information exchange or supporting the related services.
• Publishing a harmonized retention and disposal procedures that meet Government requirements, PIPEDA and PCI DSS including the physical safeguards of that data until disposal.
• Documenting the changes and updating the PIB to reflect the updated RGBB service data collection requirements.
• Developing a harmonized privacy notice that reflects the Privacy Act and PIPEDA requirements adequately.

Conclusion

A number of privacy risks have been identified with the RGBB upgrade service and are evaluated at 'low' in severity with a plan to mitigate these risks within an acceptable timeframe.

It is important to note that the RGBB basic business model has not changed only the service provider and the collection of two additional pieces of personal information which will ensure accurate and secure payments are processed. The introduction of a payment gateway with multiple options within the RGBB may raise privacy concerns. In that context, customers should be reminded that privacy protection was and remains a pivotal factor for the RGBB's choice of subcontracting to a PCI DSS Level 1 certified processing vendor. Customers who wish to further protect their privacy can also elect to procure RGBB client services using different payment options such as credit card and Interac, thereby rendering the Credit Card Number a payment processing specific identifier, and not a common identifier.