Public Works and Government Services Canada

Publications Website Privacy Impact Assessment Summary

  1. Introduction
  2. Benefits
  3. Report Objective
  4. Description
  5. Data Analysis
  6. Privacy Risk Management
  7. Conclusion

Introduction

Part of the mandate of the Public Works and Government Services Canada (PWGSC) – Consulting, Information and Shared Services Branch (CISSB) is to inform Canadians about the federal programs and services available to them. To assist in this mandate, CISSB – Publishing and Depository Services Program (PDS) has created a Web application to provide an integrated computerized solution for the management, publishing, promotion and sales of Government of Canada (GoC) publications.

The Government of Canada Publications Web site is designed to leverage the publishing, marketing and cataloguing expertise of the PWGSC's Publishing and Depository Services Program to create "one-stop-shopping" for GoC publications.

This web site supports other Government of Canada Primary Portals (the Canada Site, 1-800 O-Canada, and the Service Canada in-person centres) by providing e-access to bibliographical information, publication availability, distribution sources and ordering information.

Benefits

Visitors benefit from end-to-end services for searching, ordering, and purchasing Government of Canada publications.

Credit card purchasing activities are accomplished through the use of the Receiver General Buy Button (RGBB), a secure shared government service.

PDS employs external service providers to deliver its services such as shipping, warehousing and distribution services.

Information about the Crown Copyright and Licensing section and its activities is also made available on the Government of Canada Publications Web site. Visitors may request permission to reproduce, adapt, revise and/or translate any Government of Canada works by downloading the application form accessible from the web site in PDF format or by applying on-line using the web form. The web form provides a fast and easy way to fill out and submit requests for copyright clearance on Government of Canada works.

Report Objective

A privacy impact assessment (PIA) for this on-going initiative was conducted to determine if there were any privacy, confidentiality and security issues associated with the Government of Canada Publications Web site and its various components/interfaces, and if so, to make recommendations for their resolution or mitigation.

Description

For information on Government of Canada Publications, customers can send their questions or comments through the GoC Publications Web site using the Contact Us form, or call PDS Customer Service directly. Personal information collected includes name, telephone number and e-mail address if the visitor wants to receive an answer.

Customers can purchase Government of Canada Publications through the GoC Publications Web site in addition to traditional channels (i.e. mail, fax, and phone).

Only personal information needed for order fulfillment is requested from individuals.

Personal information collected by the web order form is the same information that PDS has been collecting via paper form, and is typical of personal information collected for order fulfillment. The personal information includes individual's name, and either the individual's home or office contact details such as mailing address, e-mail address, fax number and telephone number.

Ordering from the Government of Canada Publications Web site is a matter of choice by the customer and, therefore, consent is inherent with that choice.

Customers who select to pay by credit card through the GoC Publications Web site are directed to the Receiver General Buy Button (RGBB) Web interface. This secure Web interface collects and validates the customer's credit card information. If the credit card payment is accepted, the RGBB Web interface returns the authorization number for the payment.

The authorized credit card order is then submitted via an automated interface to the Inventory / Order / Sales management application for order fulfillment. The authorization number is stored in the Inventory / Order / Sales management application and used to process the payment.

The GoC Publications Web application does not process, capture or store any credit card information.

Existing customers who have pre-established credit with PDS can charge their order on account through the GoC Publications Web site. Such orders are automatically submitted to the Inventory / Order / Sales management application for order fulfilment. The customer's shipping data is then sent to the external warehouse.

At any time prior to confirming their online order/payment, customers have the option of cancelling the transaction and can choose another channel such as mail, fax or telephone to submit their order.

Customers who choose to pay by cheque or money order through the GoC Publications Web site are instructed to print the completed order form and mail it, along with their payment, to the Publishing and Depository Services Program.

Customers who prefer to use the paper-based order form can mail or fax their order to PDS Customer Service. Customers may also contact the Customer Service Desk directly to request publications of their choice. Faxes are received in a restricted access room.

RGBB also provides a Web console service where telephone, mail or FAX orders with credit card payments are authorized and captured. The authorization number returned from RGBB is recorded with the order. All correspondence received is secured in a locked cabinet with restricted access.

PDS discloses personal information in accordance with section 8(2)(a) of the Privacy Act, for the completion of inquiries and orders pertaining to GoC Publications.

Financial transactions such as sales and account receivables are submitted to the departmental finance system. Customer information such as name, address, telephone number and E-Mail is also provided and stored in the departmental financial system for the purpose of adjustments and reconciliation, should the customer need to be contacted.

Visitors are informed of the purpose for which their personal information is being collected at every point of collection throughout the Publications website.

Occasionally, PDS promotes Government of Canada publications to subscribers to its mailing list. New and current customers are informed of the Government of Canada Publications mailing list for promotional material and have the opportunity to sign up to receive promotional material while they place an order.

Data Analysis

The different types of personal information collected or used during the various stages of the business process are as follows:

Personal information elements by cluster:

Call-back information (Name, title, phone number, comments)
  Collected by: Government Enquiry Services call centre; PDS Customer Services
  Type of format (e.g. paper, electronic): Electronic (via e-mail or telephone); Paper (faxes, mailings)
  Purpose of collection: Call back
  Used by or disclosed to: PDS Customer Services; PWGSC Finance
  Storage or retention site: E-Mail server account; PDS Customer Services restricted access room and locked cabinets
  Retention schedule (subject to LAC Document Mgmt review): 1 year; 1 year

Contact Information (Name, mailing address, shipping address, invoicing address, telephone)
  Collected by: Government Enquiry Services call centre; PDS Customer Services; Publications Website application
  Type of format (e.g. paper, electronic): Electronic (via e-mail or telephone); Paper (faxes, mailings); Web (via Publications Website application)
  Purpose of collection: GoC publications orders fulfillment; GoC publications promotions; Application for Crown Copyright Licencing; Updates to contact information from Client Centre function
  Used by or disclosed to: PDS Customer Services; PWGSC Finance; GoC Publications Warehouse; GoC publications distributors (mailing lists); CCL Officer; Other GoC author department for CCL request
  Storage or retention site: E-Mail server account; Axapta backend application database; PDS Customer Services restricted access room and locked cabinets; CCL backend application
  Retention schedule (subject to LAC Document Mgmt review): 1 year; 2 years after inactive; 1 year; Indefinite

Credit Card (Number, Expiry Date)
  Entered manually via RGBB online console.
  Collected by: Government Enquiry Services call centre; PDS Customer Services
  Type of format (e.g. paper, electronic): Telephone; Paper (faxes, mailings)
  Purpose of collection: Payment for GoC Publications orders
  Used by or disclosed to: PDS Customer Services; RGBB for verification
  Storage or retention site: PDS Customer Services restricted access room and locked cabinets
  Retention schedule (subject to LAC Document Mgmt review): 1 year

Email addresses
  Collected by: Government Enquiry Services call centre; PDS Customer Services; Publications Website Web application
  Type of format (e.g. paper, electronic): Electronic (via e-mail or telephone); Paper (faxes, mailings); Web (via Publications Website application)
  Purpose of collection: To respond to queries; To confirm GoC publications order details to customer; To send notices
  Used by or disclosed to: PDS Customer Services; CCL
  Storage or retention site: E-mail box (server); Axapta backend application database; CCL application
  Retention schedule (subject to LAC Document Mgmt review): 1 year; 2 years after inactive; Indefinite

Payments (Name, address, payment details)
  Collected by: Government Enquiry Services call centre; PDS Customer Services; Publications Website Web application
  Type of format (e.g. paper, electronic): Telephone; Paper (faxes, mailings); Web (via Publications Website application)
  Purpose of collection: For payment of GoC Publications orders.
  Used by or disclosed to: PDS Customer Services; PWGSC Finance
  Storage or retention site: PDS Customer Services restricted access room and locked cabinets; Axapta backend application database
  Retention schedule (subject to LAC Document Mgmt review): 1 year; 5 years

Privacy Risk Management

The privacy risks raised in the Publications Website Privacy Impact Assessment are the following (since many of the risks are currently under mitigation, a status is also reported):

Privacy risk: Purpose for which Personal Information (PI) is collected has not been documented.
  Level: Low
  Status: Implementation completed in the 1st quarter 2008-09.

Privacy risk: Consent for secondary purpose not obtained.
  Level: Low
  Status: Secondary purpose identified at all collection points and a process to obtain consent has been developed. Implementation completed in the 1st quarter 2008-09.

Privacy risk: Lack of GoC Publications specific data retention and disposal policies.
  Level: Low
  Status: Records Disposition Authority (RDA) number is to be requested by PWGSC - CISSB for the branch. PWGSC - CISSB to develop policy relating to the retention and disposal of PI.

Privacy risk: The adequacy of existing safeguards on personal information has not been systematically addressed.
  Level: Low
  Status: System security procedures are scheduled to be developed in fiscal 2009-10.

Privacy risk: Update privacy notices on the GoC Publications web sites to conform to Treasury Board of Canada Secretariat (TBS) standards on Privacy Notices Statements.
  Level: Low
  Status: Implementation completed in the 1st quarter 2008-09.

Conclusion

This privacy impact assessment of the GoC Publications Web application did not identify any privacy risks that cannot be managed using either current safeguards or others that have been specifically developed for the implementation of the system.

The GoC Publications Web application poses few privacy risks to Canadians, all of which are considered to be low in severity as they relate mostly to process documentation.

These risks have been mitigated with the implementation of the recommendations in the Privacy Risk Management Plan.