The implementation of the Receiver General Buy Button on Secure Channel clearly demonstrates the commitment of Public Works and Government Services Canada (PWGSC) toward security and the protection of privacy and personal information collected from individuals. The publication of this summary of the Privacy Impact Assessment (PIA) will help to assure Canadians that the Government of Canada has undertaken significant measures to maintain the privacy of their personal information while using the Receiver General Buy Button.
The Treasury Board's Privacy Impact Assessment Policy requires that the PIA completed for the Receiver General Buy Button (RGBB) be provided to and reviewed by the Office of the Privacy Commissioner (OPC). With the formal review process now complete, the response from the Office of the Privacy Commissioner has confirmed that, with the commitments given to address specific privacy concerns raised in the PIA, the OPC is satisfied that the RGBB poses few material privacy risks to Canadians. The Privacy Risk Management Plan addresses all privacy concerns raised in the PIA in a satisfactory and appropriate manner.
The Privacy Impact Assessment for the RGBB identifies five privacy concerns, all of which are considered to be low in severity as they relate mostly to process documentation. These risks have been avoided or mitigated with the implementation of the recommendations in the Privacy Risk Management Plan.
The Receiver General Buy Button (RGBB) is a common service used by federal departments and agencies, and potentially other levels of government, for the electronic acceptance of payments and secure storage of related payment information. The RGBB also provides convenient, reliable and secure payment services to Canadians and businesses during their on-line dealings with the federal government. Departments selling goods and services online can integrate their web storefronts with the RGBB for the collection, authorization and secure storage of payment information provided by the public to complete business transactions.
The only personal information collected from the public by the RGBB is their credit card number and expiry date. The RGBB also collects and retains transaction data that is required for processing the transaction from the selling government department. This includes the selling department's ID, transaction type, departmental reference number, transaction amount and the language last used by the customer on the selling department's website (so that the RGBB webpages can be presented in the same language for consistency). Transaction data collected from the department is assigned an RGBB transaction ID, and the data collected from the customer is appended to that record.
Once the customer has chosen the goods and services to purchase on the selling department's web storefront, they can choose to pay on-line by credit card, in which case the RGBB payment process will be invoked. Upon selecting this method of payment, the customer will be redirected to the RGBB website to provide payment information in a secure format. At the same time, the selling department will send transaction information, such as department name, transaction ID and amount, to the RGBB to display and append to the payment information provided by the customer.
The customer will then be prompted to provide a credit card number and expiry date for the payment, and must select the "Proceed with Payment" button to continue. When the "Proceed with Payment" button is chosen, the RGBB generates and sends a payment authorization request to the Payment Service Provider (PSP). Upon receipt of a response from the PSP, the RGBB displays the appropriate receipt to the customer (approved or declined), and notifies the selling department of the results. The customer is then prompted to print the receipt and return to the selling department's web storefront to complete the business transaction or select another payment method.
The payment process requires a Secure Sockets Layer (SSL) version 3 session using 128-bit encryption throughout. Once the customer's personal information has been provided securely, the credit card number is immediately encrypted by the RGBB in secure transaction storage and is no longer retrievable in an unencrypted format.
The customer's credit card number is masked (xxx'd out) during all administrative functions, screen displays and reports. In addition, refunds and other related transactions are performed by referencing the original purchase transaction, without having to provide the credit card number, so that the RGBB can process the transaction using the encrypted credit card number already securely stored.
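As an added illustration of the record handling described above (example code, not PWGSC's or the RGBB's own implementation), the following Go model assigns an RGBB transaction ID to the department's data, appends the customer's card number as AES-GCM ciphertext bound to that ID, shows only the masked form, and processes a refund by reference to the original purchase without ever returning the card number. AES-GCM, the in-memory map and the RGBB-nnnnnn ID format are assumptions, not details taken from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Txn models one RGBB record (constructed): the department's data plus the card
// number, held only as AES-GCM ciphertext and its last four digits, never plaintext.
type Txn struct {
	ID, DeptID, Kind, Expiry, OriginalID, last4 string
	Amount                                      int // cents
	sealedPAN                                   []byte
}
// Store holds the records; the sealing key is assumed to live in an HSM/KMS in real use.
type Store struct{ aead cipher.AEAD; txns map[string]*Txn }

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &Store{aead: aead, txns: map[string]*Txn{}}, err
}
// Record assigns an RGBB ID to the selling department's data; a refund carries its purchase ID.
func (s *Store) Record(deptID, kind, originalID string, amount int) string {
	id := fmt.Sprintf("RGBB-%06d", len(s.txns)+1)
	s.txns[id] = &Txn{ID: id, DeptID: deptID, Kind: kind, OriginalID: originalID, Amount: amount}
	return id
}
// AppendCard seals the PAN at once, bound to the transaction ID; the plaintext is discarded.
func (s *Store) AppendCard(id, pan, expiry string) error {
	t, ok := s.txns[id]
	if !ok || len(pan) < 4 { return fmt.Errorf("bad transaction %q or card", id) }
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	t.sealedPAN = s.aead.Seal(nonce, nonce, []byte(pan), []byte(id))
	t.last4, t.Expiry = pan[len(pan)-4:], expiry
	return nil
}
// Masked is the only form that reports and administrative screens ever show.
func (s *Store) Masked(id string) string { return "xxxxxxxxxxxx" + s.txns[id].last4 }
// Refund references the purchase; the PAN is opened only here (for the PSP request) and never returned; a tampered record is refused.
func (s *Store) Refund(origID string, amount int) (string, error) {
	o, ok := s.txns[origID]
	if !ok || o.Kind != "purchase" || o.sealedPAN == nil { return "", fmt.Errorf("no purchase %q", origID) }
	ns := s.aead.NonceSize()
	if _, err := s.aead.Open(nil, o.sealedPAN[:ns], o.sealedPAN[ns:], []byte(origID)); err != nil { return "", err }
	return s.Record(o.DeptID, "refund", origID, amount), nil
}
```

The SSL 3.0 transport named on the page has since been deprecated (RFC 7568); a current deployment of the same design would carry the exchange over TLS.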
The objectives for the RGBB, pertinent to privacy considerations, are to ensure that no unauthorized data matching, data sharing, data aggregation or access to personal information is permitted. These objectives are directly congruent with the basic infrastructure design and building requirements of the Secure Channel. In addition, the RGBB provides administrative tools that facilitate responding to Access to Information requests and provide the ability to maintain a legally binding audit trail.
Using the RGBB payment process is a matter of choice by the customer and, therefore, consent is inherent with that choice. Nevertheless, the customer is provided with the opportunity to review the RGBB Privacy and Security Statement and the Privacy Notice prior to submitting personal information. Furthermore, the customer has the option of canceling the transaction and returning to the selling department's website to choose other methods of payment, should they be available.
The Privacy and Security Statement describes the purpose of collection, use, and disclosure of all personal information obtained by the site, and the Personal Information Bank (PIB) where the information is securely stored. The Privacy Notice summarizes the privacy policy and practices adhered to on the site.
As previously noted, the only personal information collected from the public by the RGBB is the credit card number and expiry date. This information is appended to the transaction data received from the selling government department and disclosed to the Payment Service Provider (PSP) solely for the purpose of obtaining payment authorization during transaction processing. The credit card number is encrypted and stored securely by the RGBB, along with the appended transaction data, as a record. An individual's credit card number is masked (xxx'd out) in all reports, administrative functions and screen displays.
The privacy concerns and risks identified during the RGBB Privacy Impact Assessment are summarized below. This section also outlines how these risks have been avoided or mitigated with the implementation of the corresponding mitigation strategies recommended in the Privacy Risk Management Plan.
Privacy Concern #1:
There is no indication that privacy issues and obligations on data sharing are addressed in third-party contracts and agreements between the Receiver General, Secure Channel, Financial Institutions and individual departments and agencies.
The PIA identifies a risk that the obligation to protect, limit the use of and restrict access to personal information may not be explicitly communicated with all participating parties.
Ensuring privacy and the protection of personal information is of paramount importance to both the Receiver General and Secure Channel. The existing credit card services contract for the federal government requires the Payment Service Provider to provide levels of data and processing security and integrity that are standard within the banking industry. In addition, with the existing contract set to expire on December 31, 2005, the Receiver General is currently taking action to ensure that the new contract for credit card services will include specific security and privacy clauses to promote compliance with Crown policy.
Public Works and Government Services Canada (PWGSC) has more recently detailed extensive requirements in the Secure Channel contract with its third party service provider for the protection and non-disclosure of personal information. Specific clauses are included to ensure the Contractor complies with all provisions of the Privacy Act and protects any personal information collected, handled or stored during the course of the contract.
Privacy Concern #2:
The accountability for privacy, as opposed to security and confidentiality, and the specific responsibilities of owners and custodians of personal information have not been identified, documented and communicated.
There is a risk that owners and custodians who collect personal information from individuals may not be fully aware of their legal responsibilities to protect the information. Similarly, they may not know or understand the nature and sensitivity of the personal information being collected.
The responsibility for safeguarding personal information which is managed, collected, used, disclosed, retained or disposed of by the RGBB has been specifically identified in the Secure Channel contract between PWGSC and its third party service provider. The Contractor, as custodian of the personal information collected on behalf of the Crown, must ensure that its employees, agents and subcontractors are aware of the confidential nature of the personal information being handled, are bound to hold the information in confidence, and deal with it in accordance with the provisions set out in the Privacy Act.
Privacy Concern #3:
Safeguards to ensure that administrative staff in departments and agencies cannot link personal data collected by the department when providing goods and services to the payment information held by the RGBB are not readily identifiable.
Administrative staff in departments may collect additional personal information during transaction processing, such as name and address, which could be used in conjunction with payment information to facilitate identity theft and credit card fraud. There may be an additional risk when a departmental administrator collects an individual's credit card number by telephone to process the transaction using the virtual point of sale function within the RGBB.
To mitigate this risk, access to the sensitive personal information collected from individuals by the RGBB (the credit card number) is prevented by encrypting it both in transit and in secure storage. Once the credit card number has been collected and encrypted by the RGBB, the information cannot subsequently be retrieved in an unencrypted form. An individual's credit card number is masked (xxx'd out) in all reports, administrative functions and screen displays.
To further address this concern, the departments' responsibility to properly administer the Privacy Act and the Financial Administration Act (FAA) by ensuring, for example, the separation of administrative duties, is highlighted to program departments prior to and during integration to the RGBB.
Privacy Concern #4:
Data retention and disposal procedures and the corresponding physical safeguards of data have not been developed and documented.
There is a risk that personal data collected from individuals may become accessible if not stored and disposed of securely and in a timely manner.
Personal information collected by the RGBB is stored securely within the Secure Channel infrastructure and the secure data storage has been registered as a Personal Information Bank. The physical safeguards for the protection of data contained within the secure data storage have been developed, implemented and tested successfully. In addition, data retention and disposal procedures have been developed in accordance with the standards identified in the National Archives Act and the Privacy Act.
Privacy Concern #5:
Although Internet Protocol (IP) addresses are considered to be personal information, the collection, retention and/or use of static Internet Protocol (IP) addresses by the RGBB has not been identified.
The public must be informed of the collection, use and disclosure of all personal information obtained from the public by the RGBB. Furthermore, the collection and retention of static IP addresses may pose a privacy risk to the extent that these addresses could be used to identify specific individuals.
The RGBB website uses software to monitor network traffic to detect intrusions into the network and to identify unauthorized attempts to upload or change information, or otherwise cause damage. This software receives and records the IP address of the computer that has contacted the website, the date and time of the visit, and the pages visited.
Network monitoring consists of the temporary capture of all network traffic and security analysis of this traffic by automated tools (no individuals can see all traffic). Only malicious activity is recorded and retained. There is no recording or retention of IP addresses deemed to be legitimate activity.
The Privacy Notice on the RGBB website has been updated to identify to the public that IP addresses are temporarily recorded by software used to monitor network traffic for malicious activity. The Notice further indicates that no attempt is made to link these addresses with the identity of individuals visiting the website unless a specific act to damage the site has been detected.
To further mitigate risk, PWGSC will continue to ensure that either static IP addresses are not collected and retained or, if the information is deemed necessary for the effective delivery of the service, the necessary steps to advise individuals of the purpose of collection, use and disclosure of this information are taken.