Minister's and Deputy Minister's Correspondence Process

Public Summary

  1. Introduction
  2. Directorate Mandate Overview
  3. Data Analysis
  4. Privacy Risk Management
  5. Conclusion

1. Introduction

The Ministerial and Deputy Ministerial Correspondence Directorate (MDMCD) of Public Works and Government Services Canada (PWGSC) is the functional authority for the minister's and deputy minister's correspondence. In this role, MDMCD is responsible for reporting on the Privacy Impact Assessment. This summary assesses the privacy issues and risks associated with MDMCD's procedures and CCM document tracking system, in accordance with the Privacy Act and the Treasury Board of Canada Secretariat's Privacy and Data Protection Manual.

2. Directorate Mandate Overview

MDMCD works in partnership with branches to co-ordinate and monitor the minister's and deputy minister's correspondence, as well as to prepare replies. The Directorate provides editing services not only for the minister and deputy minister, but also for branch correspondence that will be signed on their behalf. In addition to its main mandate, MDMCD manages the electronic document tracking system CCM Mercury and ensures that all users receive adequate training.

CCM Mercury software is used to track all correspondence except for constituency correspondence that is not processed in the Department and is usually returned to the Parliament Hill office. Correspondence of a non-institutional nature is contained in a separate database that is purged when the minister leaves and restarted when a new one arrives.

3. Data Analysis

The CCM tracking system has not been designated as a data collection tool. The system only collects personal information incidentally as part of tracking the receipt of, action taken on and disposition of ministerial and executive correspondence. The Department has little if any control over the type of personal information it receives from the outside or from its own employees.

Correspondence received is unsolicited and is seldom marked with regard to the document's sensitivity. It is therefore virtually impossible to ascertain the actual sensitivity of the information without viewing each piece of correspondence. The following table shows the types of personal information processed by MDMCD.

Data Flow Table for CCM

Registration Data Cluster

  • Description of personal information cluster: Author; position; organization; address; phone number; e-mail address; and abstract.
  • Collected by: MDMCD
  • Format: Paper and/or electronic
  • Used by: Potentially the Minister, the DM or an ADM in PWGSC if assigned to file.
  • Purpose of collection: To reply to correspondence
  • Disclosed to: Potentially the Minister, the Deputy Minister or ADM in PWGSC if assigned to file.
  • Storage or retention: Six (6) years for original (incoming and outgoing) correspondence or six (6) months for working files or annexes.

Imaging Data Cluster

  • Description of personal information cluster: All the registration data cluster; age; marital status; medical history; employment history; financial transactions; personal identifying numbers and other particulars assigned to the individual, such as the personal record identifier; information that is implicitly or explicitly of a private or confidential nature; name of the individual where it appears with other personal information; opinions and views of the individual; medical, employment history; and personal history.
  • Collected by: MDMCD
  • Format: Paper and/or electronic
  • Used by: Potentially the Minister, the DM or an ADM in PWGSC if assigned to file.
  • Purpose of collection: To reply to correspondence
  • Disclosed to: Potentially the Minister, the Deputy Minister or ADM in PWGSC if assigned to file.
  • Storage or retention: Six (6) years for original (incoming and outgoing) correspondence or six (6) months for working files or annexes.

4. Privacy Risk Management

The following section identifies a number of privacy risks in relation to MDMCD's procedures and the CCM correspondence tracking system. This information is outlined in the Privacy Impact Assessment. The risks are summarized below, along with the security and privacy measures taken to mitigate them following the Office of the Privacy Commissioner of Canada's recommendations.

  • Accountability for personal information;
  • Personal information of third parties;
  • Consent to disclose personal information;
  • Collection of personal information;
  • Use, disclosure and retention of personal information;
  • Safeguarding personal information/training; and
  • Security of the CCM tracking system.

4.1 Accountability for Personal Information

Issue 1

There are no rules in place to address what constitutes personal information and what personal information should be entered in the system.

Issue 1 - Risk Mitigation Measures

In order to minimize privacy-related risks in the correspondence process, MDMCD has developed Security and Privacy Directives to ensure the secure handling of sensitive personal information at each stage of its life cycle.

These formal business rules establish standing operating procedures that address the types of personal information that may or may not be scanned into the CCM system.

Issue 2

Specific responsibility for privacy issues has not been addressed. Multiple directorates hold different responsibilities for responses to ministerial and deputy ministerial correspondence. The accountability of information between these directorates is unclear and could lead to mismanagement of information and lack of trust.

Issue 2 - Risk Mitigation Measures

Accountability issues have been addressed in the Security and Privacy Directives. MDMCD is the functional authority responsible for ministerial and deputy ministerial correspondence. As for the branches, rules now indicate to what extent they are responsible for the information contained in the responses (specifically for the production, marking, saving and transmission of the information).

4.2 Personal Information of Third Parties

Issue 3

Personal information pertaining to third parties is sometimes included in correspondence. Scanning and retaining correspondence that contains personal information of third parties could result in the collection of information without the knowledge and consent of the individual.

Issue 3 - Risk Mitigation Measures

MDMCD has created a definition of third party information as well as a rule on its handling, which can be found in the Security and Privacy Directives.

4.3 Consent to Disclose Personal Information

Issue 4

When information is collected by the organization, without explicit consent, there is a risk that it will subsequently be used without consent. The issue of consent arises when the personal information of correspondents must be disclosed to another institution (department).

Issue 4 - Risk Mitigation Measures

By providing the information required to address their request or concern, correspondents give their implicit consent to the collection of personal information. As per MDMCD's mandate, it is inferred that personal information is not disclosed beyond its main purpose, which is to respond to correspondence. Consequently, MDMCD is sometimes required to share personal information in accordance with paragraph 8(2)(a) of the Privacy Act, for the purpose for which it was obtained or compiled, or for a use consistent with that purpose, i.e. to respond to the correspondence.

A written consent from the correspondent is therefore not necessary. MDMCD is diligent in monitoring to ensure that personal information is not being shared for any other purpose.

In fact, a notice was added to the information on privacy currently on the Contact Us page, in both official languages, stating that personal information will only be used to respond to the visitors' requests, or to ensure the security of the system. It also indicates that the information is shared with another department when the inquiry relates to that department.

In the event that there is a need to disclose personal information to another department (such as in the case of a referral), the correspondent is advised in the reply that MDMCD will forward a copy of his/her letter/e-mail to another department to answer the inquiry. This procedure is also indicated in the Security and Privacy Directives.

4.4 Collection of Personal Information

Issue 5

Retaining superfluous personal information increases the harm that would result from unauthorized access or from those who do not have a need-to-know.

Issue 5 - Risk Mitigation Measures

Rules were established in the Security and Privacy Directives providing detailed procedures that define what type and level of sensitive information may or may not be included in CCM. For example, all unnecessary sensitive information has to be blackened out before the document is scanned.

As for the CCM upgrade, Public Works and Government Services Canada maintains a Protected A level of security profile for its IT environment that is consistent with most government departments. It should be noted that documents marked as Protected C, Secret and Top Secret are never scanned into CCM. All Protected B documents will be kept in hard copy format, unless internal clients specify to proceed with the scanning, while blanking out Protected B information. Should an upgrade to Protected B profile become a Treasury Board initiative, MDMCD will comply with the requirement.

4.5 Use, Disclosure and Retention of Personal Information

Issue 6

The prevention of CCM users from having unauthorized access to the system.

Issue 6 - Risk Mitigation Measures

There are no secondary uses of personal information received by MDMCD and, as far as it can be determined, no unauthorized use of the information is anticipated.

Role-based access control for CCM is already in use. Access rights are established in accordance with the different access groups within MDMCD. Access to sensitive information is therefore restricted by means of this role-based access. User accounts are kept current by the use of the "Request for Access to the CCM Mercury Application" form that is verified and approved by the Director of MDMCD. Unauthorized access is therefore not possible.

A quarterly cleanup of CCM is conducted, which revises the list of users of each branch to ensure access rights are up to date and the levels of access are consistent with each user's function.

A warning banner has been created to advise users that information in the system should only be used, disclosed and destroyed in accordance with the Government Security Policy and subsection 8(2) of the Privacy Act. In addition to this banner, a general security notice appears regularly on each workstation requiring the user to acknowledge his/her responsibilities with regard to the proper use of the applications available in the system. Moreover, the CCM application provides the possibility, upon request, of generating a history of all users, accesses and records accessed.

Issue 7

There is a risk that sensitive personal information that is no longer required for an identifiable purpose may still be in the system, and employees that do not have a need-to-know may have access to it.

Issue 7 - Risk Mitigation Measures

With regard to retention, personal information is destroyed when it is no longer required for an identifiable purpose or its maximum retention period has been reached. A file cleanup is also executed regularly.

  • CCM and paper copy: the National Archivist of Canada authorizes via a list the disposition of specific documents that no longer have operational or legal value and have been used in the past two years. If these documents are in the CCM, they are moved to its archives database, while paper copies are transferred to Library and Archives Canada, following a specific packaging procedure, for retention or destruction.
  • Shared drive: each section of MDMCD is responsible for the maintenance of its space on the shared drive. The files are sorted by year in order to purge them after the two-year mark, if they have not been accessed for any operational or legal use.

4.6 Safeguarding Personal Information/Training

Issue 8

CCM user training does not address security or privacy issues, thus posing the risk that sensitive personal information may be entered into the system and be compromised.

Issue 8 - Risk Mitigation Measures

MDMCD provided its employees with further training in security and privacy awareness in March 2007. It also continues to offer training to its new employees and to remind its personnel of the procedures to follow through routine meetings. The Security and Privacy Directives, distributed to each employee, have been created to reinforce MDMCD's security measures and provide more stringent safeguards to protect personal information. In addition, mandatory training sessions, such as the one on Access to Information and Privacy and the one on Information Technology Security, are provided to all employees. Training on security is added to each employee's annual learning plan.

4.7 Security of the CCM Tracking System

Issue 9

The security of the CCM tracking system.

Issue 9 - Risk Mitigation Measures

The certification and accreditation process has already been initiated by Information and Technology Services Branch Security, and a letter of accreditation will be issued confirming that the actual level of risk matches the acceptable level.

5. Conclusion

In conclusion, MDMCD has implemented these measures to address the potential privacy risks throughout the correspondence life cycle. MDMCD has lowered the risk of access to sensitive information with proper security measures as defined within the Privacy Impact Assessment.