Integrity database services

Section I - Overview and privacy impact assessment initiation

Government institution:

  • Public Works and Government Services Canada (PWGSC)

Overview and privacy impact assessment initiation

  • Micheline Nehmé
    Director General, Forensic Accounting Management Group

Head of the government institution / Delegate for section 10 of the Privacy Act

  • Rachelle Delage
    Manager, Policy and Governance
    Access to Information and Privacy Directorate

Name of program or activity of the Government institution

Integrity programs and services is the program and Operational integrity services is the sub program.

Classes of records associated with the program or activity

There are five classes of records (COR) related to this program. The CORs and their description are as follows:

Personal information bank

check Proposal to modify an existing personal information bank for the Integrity assessment program

Legal authority for program or activity

  • Criminal Code of Canada, subsection 750(3)
  • Financial Administration Act, paragraph 42(1)(c)
  • Government Contracts Regulation 18(1)(c)
  • Department of Public Works and Government Services Act (DPWGSA), section 21

Summary of the project/initiative/change

As stewards of public funds and the main service provider for government procurement, Public Works and Government Services Canada has an overall duty to exercise due diligence in dealing with suppliers of goods and services and providers of space under leases.

Over time, PWGSC has put in place numerous measures to protect the integrity of its operations. Despite these measures, concerns grew that there were instances where the department could and had inadvertently awarded contracts and leases to suppliers who had demonstrated fraudulent and unethical business practices.

To address this, in July 2012, the department consolidated oversight measures and extended the list of offences that render convicted suppliers ineligible to do business with PWGSC, into a formal Integrity Framework, which was further strengthened in November 2012 and March 2014.

The objective of the Integrity Framework is to ensure that procurement and real property transactions are carried out free of influence or corruption, collusion, and fraudulent activities, and that the Government of Canada does not inadvertently support organizations or individuals with criminal convictions, or who have plead guilty but received an absolute or conditional discharge. The Integrity Framework requires, in part, the following certification:

  • All suppliers with their bids, certify that the company, its members of the board of directors and affiliates have not been convicted or absolutely and conditionally discharged of any of those offences in Canada or abroad in the past 10 years;
  • Suppliers must provide the names of the members of their board of directors; and
  • Suppliers are required to diligently maintain up-to-date the information requested.

Prior to the introduction of the department's Integrity Framework, a means to verify supplier certifications did not exist. Suppliers involved in fraudulent and unethical business conduct could still be successful in winning government contracts. Consequently, the Departmental Oversight Branch (DOB) created the Integrity Database Services (IDS) in 2012, to assist in this objective.

A small group of staff working in the DOB developed the Integrity Database and is tasked with its maintenance and update. Furthermore, they are responsible for processing requests from procurement and leasing officers to conduct supplier verifications. The database collects and stores information on specific convictions and absolute or conditional discharges of offences listed under the Integrity Framework, for which a supplier, its members of the board of directors and affiliates would be prohibited from being awarded a contract or real property transaction.

The Integrated Data System (IDS) validates information from suppliers to determine if a conviction or absolute or conditional discharge exists that will deny them business on PWGSC transactions. Moreover, PWGSC will continue these validation exercises after the contract/real property agreement award to monitor the supplier throughout the lifecycle of the contract/real property agreement.

Integrity Database Services supports the Integrity Framework objectives by providing a consistent and reliable approach in verifying supplier information, to ensure that contracts are awarded to suppliers who abide by the law.

Scope of the Privacy impact assessment

This privacy impact assessment (PIA) is a revised version of the PIA submitted to the Office of the Privacy Commissioner on May 29, 2012. The initial PIA was submitted prior to the implementation of the IDS. Although the business processes were well understood by the department, since the IDS's inception several changes have occurred while some work flows specified in the initial PIA have been altered. Therefore, this PIA aims to achieve the following goals:

  • Describe the processes with regards to the IDS;
  • Identify processes and activities that were never implemented or were altered;
  • Identify changes to the Integrity Framework impacting the IDS.

For ease of use, the following table provides a summary of what has changed since the initial PIA:

No. Initial PIA Description of changes
1 The program was initially identified as "Integrity Assessment Program". The program is a service which will be referred to hence forth as the "Integrity Database Services".
2 The description and provisions of the Integrity Framework. The description of the Integrity Framework has been updated to reflect the following changes:
  • Removal of the leniency exemption
  • Introduction of the Public Interest Exception
  • Inclusion of 9 new offences
  • Introduction of a 10 year time limit from date of conviction
  • Additional debarment condition to include a guilty plea with a conditional or absolute discharge
  • Inclusion of offences in foreign jurisdictions that are similar to the Canadian offences listed in the provisions
3 PWGSC may pay user fees for open source search engine services. PWGSC will not be using open source search engine services. The only service for which DOB pays are for court records from various court systems, and for corporate registry searches.
4 The Integrity assessment program (IAP) database may be populated with information obtained from media outlets or other less reliable open sources.

The Integrity database is and will only be populated with confirmed convictions from authentic sources. Media and other less reliable sources will not be utilized.
The database has only ever stored data from such sources as:

  • Canada Revenue Agency for tax evasion
  • The Competition Bureau for convictions under the Competition Act. Provincial and territorial government sources.
  • Court conviction data, which is available through the Canadian Legal Information Institute (CanLII) Footnote 1 website and from federal/provincial/territorial courts.
  • Royal Canadian Mounted Police (RCMP): criminal records obtained after consent has been provided by the individual.
5 The IAP will share a monthly report on the IAP database to select individuals within PWGSC. A monthly report was never created. There are no proactive disclosures of information.
6 The sharing of conviction information will be provided to PWGSC Branches and Other Government Department (OGD) clients. The IDS confirms a positive match for an offence; however, the sharing of conviction details is only provided to the client senior manager in circumstances in which the supplier disputes the existence of the conviction.
7 The IAP database was developed using MS Access. A SQL database was created in FY 2013-14 which is more stable and secure. In the near future, it will also support a secure web portal allowing IDS clients to submit requests and review results ("No Match" or "Match Confirmed"). As with the current process by email, the results available through the web portal will be restricted to a whether a match resulted from a search of the database or not.
8 The IAP may share conviction information with the Industrial Security Sector (ISS) to support re-assessments of company or individual security screening levels. The IDS has not and will not share conviction information with ISS to support assessments or individuals for security screening.
9 Reference to the Director General and Director within DOB, responsible for the implementation and roll-out of the Integrity Framework, including their involvement in the IDS was not originally included in the original submission. A Director General and a Director within DOB provide oversight on PWGSC's Integrity Framework Policy and any response to questions regarding the database verification and agreements with OGDs seeking services. In this role, the Director General and Director may have access to any of the information collected by the IDS, but not the database itself.

Section II - Risk area identification and categorization

Table summary

Table A provides a description of the privacy risks associated to the type of program or activity for which the PIA is describing the program. Table A describes four categories of related privacy risks with a corresponding privacy risk score of 1, 2, 3, and 4. Table A also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

A: Type of program or activity Level of risk to privacy
Program or activity that does not involve a decision about an identifiable individual uncheck 1
Administration of programs / Activity and services check 2
Compliance/Regulatory investigations and enforcement uncheck 3
Criminal investigation and enforcement / National security uncheck 4

Details: DOB is responsible for providing the oversight required to ensure that the Department's integrity and credibility are protected through effective management practices and sound stewardship of public funds. As part of that responsibility, employees of DOB will administer the IDS to assist the other Branches of the department in ensuring that Departmental operations are being carried out with prudence, probity and transparency. IDS will also assist other government departments/agencies and crown corporations after entering into a Memorandum of understanding (MOU).

Table summary

Table B provides four categories of privacy risks associated to the types of personal information involved and its context, including a corresponding privacy risk score of 1, 2, 3, and 4. Table B also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

B: Type of personal information involved and context Level of risk to privacy
Only personal information provided by the individual – at the time of collection - relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure/with no contextual sensitivities. uncheck 1
Personal information provided by the individual with consent to also use personal information held by another source/with no contextual sensitivities after the time of collection. uncheck 2
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. check 3
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. uncheck 4

Details: PWGSC will store information in a database of individuals and companies convicted and absolutely or conditionally discharged of certain Canadian and foreign offences in the past 10 years which would render them ineligible to be awarded a procurement or real property transaction.

Table summary

Table C provides four categories of privacy risks associated to partners involved in the collection, use, or disclosure of personal information, including a corresponding privacy risk score of 1, 2, 3, and/or 4. Table C also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

C: Program or activity partners and private sector involvement Level of risk to privacy
Within the institution. check 1
With other federal institutions. check 2
With other or a combination of federal/provincial and/or municipal government(s). check 3
Private sector organizations or international organizations or foreign governments. check 4

Details: Information within PWGSC is collected and is responsibly disseminated to internal clients to ensure PWGSC is addressing its legislative mandated responsibility for ensuring integrity in procurement and real property transactions. PWGSC will also disseminate limited verification results to other government departments (OGDs) with whom the IDS has entered into an MOU to provide integrity verifications. Specifically, the IDS collects data on a particular list of offences that would render a supplier ineligible from being awarded a contract or real property transaction. The Integrity database is populated from reliable, authentic and publicly available sources:

PWGSC will collect conviction information from other departments and agencies, such as tax evasion conviction information from Canada Revenue Agency, Competition Act convictions from the Competition Bureau, and conviction information from courts.

PWGSC will also collect information from provincial and territorial government sources, such as conviction information from provincial and territorial courts.

PWGSC will collect court conviction data from Canadian Legal Information Institute (CanLII).

PWGSC will not collect open source information from blogs, non-government website, or media outlets.

PWGSC will verify conviction information with provincial, territorial, and federal courts, as well as with the RCMP.

PWGSC Procurement/Leasing Officers submit requests to DOB for a query of the Integrity database to determine if a conviction exists according to the related PWGSC's offences. In response, DOB provides a "No Match" or "Match Confirmed" response. In the case of a match, the supplier is told that he/she (or the company) has a conviction for one of the offences. Details on which offence, sentence information, etc. are not provided.

If the company or individual disputes the presence of such a conviction, the IDS will share the conviction specifics with a senior manager of the PWGSC Branch or OGD so that the company and/or individual in question can be informed.

Risk Level 1 is checked as information is provided to other Branches of PWGSC.

Risk Level 2 is checked as information is provided to OGDs with whom the PWGSC has entered into a MOU.

Risk Level 3 is checked because the database collects information from federal and provincial governments, such as court records.

Risk Level 4 is checked because the information may, in rare circumstances, be shared with the company or individual. However, as noted above details of the conviction are only provided when the company or individual has disputed the presence of the conviction.

Table summary

Table D provides three categories of duration of the program or activity, including a corresponding privacy risk score of 1, 2, and 3. Table D also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

D: Duration of the program or activity Level of risk to privacy
One time program or activity uncheck 1
Short-term program uncheck 2
Long-term program check 3

Details: The IDS is designed to assist in ensuring greater integrity in procurement and real property transactions.

Table summary

Table E provides four categories of population affected by the program, including a corresponding privacy risk score of 1, 2, 3, and 4. Table E also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

E: Program population Level of risk to privacy
The program affects certain Program participants (employees) for internal administrative purposes. uncheck 1
The program affects all employees for internal administrative purposes. uncheck 2
The program affects certain individuals for external administrative purposes. check 3
The program affects all individuals for external administrative purposes. uncheck 4

Details: Any supplier bidding for or that has entered into a contract or real property transaction issued by PWGSC for which the integrity provisions are included will be affected by this program. This includes members of the board of directors of the company, parents of the company, subsidiaries or other affiliates wherein direct or indirect control can be established. Similarity, this will also affect any suppliers bidding on contracts or real property transactions with any OGD/agency who has included the Integrity Framework into their procurement documentation and has entered into an agreement with the IDS for verification services.

A yes response to any of the below indicates the potential for privacy concerns and risks that will need to be considered and if necessary mitigated.

Table summary

Table F provides a description of the privacy risks associated to the use of technology. Table F lists 3 questions with question 3 being a three part question. For each of the 3 questions asked there is a corresponding answer in the form of a yes or no check box. Table F also provides a narrative section for all three parts of question 3 providing details regarding the privacy risks.

F: Technology & privacy Level of risk to privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? Yes
Does the new or modified program or activity require any modifications to IT legacy systems and/or services? No
Does the new or modified program or activity involve the implementation of one or more of the following technologies?
  • Enhanced identification methods
  • Use of surveillance
  • Use of automated personal information analysis, personal information matching and knowledge discovery techniques
 No
No
Yes

Details: Currently, DOB manually conducts verifications against the Integrity database, however, once the system is automated, the system will perform an electronic data match to determine if any offences stored in the database match an existing or potential supplier. If a match occurs with an individual, the database will notify requesting procurement/leasing officers of a match, which will prompt the collection of a consent form so that PWGSC can validate the conviction with the RCMP. In validating the conviction, the RCMP may require fingerprints. Court documents from the court of conviction will be collected to assist in validating the accuracy of the match.

Table summary

Table G provides a description of the privacy risks associated to the information technology transmission of personal information. Table G describes four categories of related privacy risks and a corresponding privacy risk score of 1, 2, 3, and 4. Table G also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

G: Personal information transmission Level of risk to privacy
The personal information is used within a closed system check 1
The personal information is used in system that has connections to at least one other system uncheck 2
The personal information is transferred to a portable device or is printed uncheck 3
The personal information is transmitted using wireless technologies uncheck 4

Details: Conviction and absolute or conditional discharge information collected will be stored electronically in a database on the PWGSC Protected B network (access is restricted to only those who require access). Information transmitted to/from other Branches and other departments is currently conducted via email, however it will be performed through a secure web portal allowing Branches and OGDs the ability to submit supplier information for a verification query and to view results. The results provided are limited to whether the supplier has been convicted or absolutely or conditionally discharged of any of the offences for which PWGSC would preclude the awarding of a contract of real property transaction. If a match occurs, the individual will be asked to provide consent for a criminal records check with the RCMP. Initially, it will be a name based check; however, the RCMP may require fingerprints to validate the conviction or discharge.

Table summary

Table H provides a description of the potential risk that, in the event of a privacy breach, there will be an impact to the individual or employee. Table H describes four categories of related harm/privacy risks and a corresponding privacy risk score of 1, 2, 3, and 4. Table H also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

H: Risk impact to the individual or employee  Level of risk to privacy
Inconvenience uncheck 1
Reputation harm, embarrassment check 2
Financial harm check 3
Physical harm uncheck 4

Details: The types of personal information collected may cause embarrassment or financial harm to a company or an individual due to adverse information being collected on a company or individual which may result, if public, in a company's being denied a contract with private sector organizations. If personal information collected is released, this may cause reputation harm or embarrassment.

Table summary

Table I provides a description of the privacy risk impact to the institution submitting the privacy impact assessment, Public Works and Government Services Canada. Table I describes four categories of related harm/privacy risks and a corresponding privacy risk score of 1, 2, 3, and 4. Table I also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

I: Risk impact to the individual or employee  Level of risk to privacy
Managerial harm uncheck 1
Organizational harm uncheck 2
Financial harm check 3
Reputation harm, embarrassment, lost of credibility check 4

Details: Consequently, PWGSC may experience financial impact if it denies or cancels existing contracts or real property agreements due to inaccurate information or alternative may have cause reputational harm to the Government.

Footnotes

Footnote 1

CanLII is a non-profit organization managed by the Federation of Law Societies of Canada. CanLII's goal is to make Canadian law accessible for free on the Internet. CanLII's website provides access to court judgments, tribunal decisions, statutes and regulations from all Canadian jurisdictions.

Return to footnote 1 Referrer