Privacy Impact Assessment (PIA)

Canada's Anti-Spam Legislation

March 2014

Volume I: A multi-institutional assessment of the privacy impacts arising from the administration and enforcement of Canada's Anti-Spam Legislation (CASL).

Description of the Program

On , Canada's Anti-Spam Legislation [Footnote 1] (CASL) received royal assent. The purpose of CASL is to encourage the growth of electronic commerce by ensuring public confidence and trust in the online marketplace. In addition to promoting the use of electronic messaging as a means to carry out commercial activities, CASL also helps to protect Canadians and Canadian businesses from damaging and deceptive spam, false or misleading electronic representations, malware (including spyware), botnets, and other related network threats.

The majority of CASL's provisions are expected to enter into force on . When the new law is in force, it will generally prohibit the following activities:

  • The sending of commercial electronic messages without the recipient's consent;
  • The alteration of transmission data in an electronic message without consent resulting in the message's delivery to an unintended and/or additional destination;
  • The installation of computer programs without consent;
  • The use of false or misleading representations online in the promotion of products or services;
  • The collection of personal information through unauthorized access to a computer system; and
  • The collection of electronic addresses without permission (i.e., address harvesting).

There are three federal agencies responsible for enforcement of the law: the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau (CB), and the Office of the Privacy Commissioner of Canada (OPC) (collectively referred to as the "Enforcement Agencies"). In addition to any independent actions an agency may undertake to enforce CASL's provisions, the law requires that all three agencies consult with each other (to the extent considered appropriate) to ensure the effective regulation of prohibited activities. Agencies may share information with each other as well as with the government of a foreign state (in select circumstances, and subject to appropriate written agreements or arrangements between the parties).

CASL's introduction involves the creation of a Spam Reporting Centre (SRC) and the implementation of new electronic systems to support the collection, administration and analysis of submissions [Footnote 2] and reports [Footnote 3] for enforcement purposes. The SRC is intended to serve as a repository of information from which Enforcement Agencies may draw for the purpose of conducting an investigation. Access to information housed by the SRC will be restricted, and made available to Enforcement Agencies on a need-to-know basis only. The SRC will receive submissions and reports of alleged contraventions from Industry Canada's (IC) public-facing website, along with data from third-party feeds and honeypots [Footnote 4]. Access to information stored within the SRC will be restricted to Enforcement Agencies only. Working copies of raw data will be provided to designated individuals within each agency on a "need to know" basis.

Personal information collected in conjunction with enforcement activities under CASL may be used for administrative purposes (i.e., to make decisions that directly affect an identifiable individual). Personal information collected in the course of enforcement activities may also be used for investigating possible contraventions of CASL with administrative, civil and/or criminal consequences. All disclosures of personal information to law enforcement authorities, and any use of personal information for investigative purposes, are to be guided by the legislative provisions set out in CASL and the privacy laws and policies of the Government of Canada.

CASL enforcement activities do not necessitate the collection, use or disclosure of sensitive personal information. Indeed, the supply of personal information in submissions is entirely voluntary. Recognizing that submitters may however provide personal information that they believe to be relevant to their submission and which may be sensitive in nature (alone or in combination with other identifiable information), it has been recommended that controls be implemented to ensure that Enforcement Agencies are only collecting personal information that is necessary for their stated purposes.

In most cases, the personal information to be collected from submissions will be limited to an individual's name, contact information and matters pertinent to the alleged incident. In and of itself, this information is not considered to be contextually sensitive. Wherever possible, personal information will be collected directly from the individual to whom it belongs, or with the consent of the individual through third parties. The personal information of submitters (i.e., individuals making a submission) is not expected to be used for secondary purposes.

Purpose of the PIA

The CRTC, OPC and IC are all named in the Schedule to the Privacy Act [Footnote 5] and are subject to the privacy policies and directives of the Treasury Board of Canada Secretariat (TBS). The CB, though not listed in the Schedule to the Privacy Act, reports to the Minister of Industry for all financial and administrative matters. Under TBS policy, all federal institutions subject to the Privacy Act are required to undertake an assessment of the privacy impacts associated with the development or design of new programs or services involving personal information (or when making significant changes to an existing program or service). The present assessment (hereafter the "CASL PIA") fulfills the requirement to conduct a PIA under the TBS Directive on Privacy Impact Assessments [Footnote 6]. It also meets the requirements of the OPC's Audit and Review Branch, as set out in Expectations: A Guide for Submitting Privacy Impact Assessments [Footnote 7].

Scope of the PIA

The purpose of the multi-institutional CASL PIA is to perform a high-level assessment of the potential privacy impacts associated with CASL enforcement activities on behalf of IC, the CRTC, CB and OPC. It includes an evaluation of planned collection activities, a review of core functions of the SRC, and a high-level assessment of standard investigative functions. The sharing of personal information with enforcement counterparts, to the extent known at the time of drafting, has also been considered.

The CASL PIA does not include a review of specialized or institution-specific investigative or enforcement activities being undertaken by Enforcement Agencies. These activities—to the extent that they involve the collection, use or disclosure of personal information—have been (or are to be) covered in program PIAs initiated by individual agencies.

Summary of Privacy Issues Identified

In general, based on the findings of the present PIA, administrative and enforcement activities to be undertaken in conjunction with CASL are likely to present a moderate risk to the privacy of individuals. While the supply of personal information in submissions is entirely voluntary, information of a sensitive nature may, from time to time, be collected as it relates to an alleged contravention of the law. That information, while not intended for purposes of making an administrative decision about a submitter, may be used in judicial proceedings and/or for purposes of law enforcement.

In all cases, the use of personal information by Enforcement Agencies is to be limited to the purposes for which the information was first collected (i.e., the investigation of CASL contraventions and any authorized enforcement activities). Security and safeguards planned for the SRC are to be commensurate with the sensitivity of information compiled. Based on a review of the development of the SRC and planned enforcement activities, the program is unlikely to attract negative public interest or criticism.

Notwithstanding the program's general characteristics—some of which suggest an elevated project risk—recommendations from the CASL PIA, where fully adopted, are expected to reduce the overall level of risk associated with CASL's implementation to a low or acceptable level.

The table which follows summarizes the privacy risks identified through the PIA process, and assigns responsibility for each recommendation to appropriate entities. A detailed action plan for outstanding items shall be developed for implementation prior to .

Privacy risks identified through the PIA process
Columns: Issue and recommendation | IC [Footnote 8] | CRTC | CB | OPC

1. There is presently no policy or agreement in place to establish access and privacy rights or requirements with respect to the Spam Reporting Centre. 

The CRTC, in consultation with IC, CB and OPC, should consider drafting and executing an agreement or policy respecting the use of the SRC, the spam intelligence database and other supporting tools and applications, if any. The agreement should establish privacy and security requirements for the handling of personal information.

IC: C | CRTC: R | CB: C | OPC: C

2. Privacy protocols for institutions involved in the administration and enforcement of CASL may be inadequate or insufficient in ensuring the proper handling of personal information from the SRC.

TBS' PIA Directive encourages federal institutions collecting, using or disclosing personal information to create and implement privacy protocols to help mitigate the privacy impacts emanating from operating programs or activities. While a full evaluation of the privacy protocols of the CRTC, CB, and OPC was beyond the scope of the present PIA, each institution will need to evaluate its own internal controls to determine whether or not protocols for the handling of personal information are sufficient to address the privacy risks associated with their handling of personal information under CASL.

IC: (none) | CRTC: R | CB: R | OPC: R

3. Personal information banks describing the collection, use, disclosure and retention of personal information by agencies involved in the administration and enforcement of CASL may be out of date or incomplete.

It is recommended that the CRTC, CB and OPC update their respective personal information bank entries in InfoSource so as to disclose the collection and use of personal information under CASL.

To the extent that IC expects to use personal information in the development of legal and policy frameworks supporting CASL, it should consider the drafting and disclosure of a new PIB. In the interim, its collection, use, disclosure and retention of personal information (if any) for purposes of receiving and handling complaints and enquiries is appropriately captured in PIB IC PPU 034.

IC: (none) | CRTC: R | CB: R | OPC: R

4. The use of open text or free form fields in on-line submissions may result in the collection of more personal information than is necessary for stated purposes under CASL.

The CRTC should consider developing and implementing controls and procedures to ensure that the SRC is not collecting more personal information than is necessary. Controls or procedures should also be put in place to ensure that unnecessary personal information, once collected, is destroyed or rendered anonymous. Data validation controls and notification procedures should be reviewed with sufficient consideration of any enforcement activities which might be undertaken by Enforcement Agencies.

IC: C | CRTC: R | CB: C | OPC: C

5. Individuals may not be adequately informed of the purposes for which their personal information may be used or disclosed at the time of its collection. 

Individuals making submissions to IC (or directly to Enforcement Agencies) should be informed of the general purposes for which their personal information may be collected, used and disclosed. Entities should develop and draft a 'Privacy Notice' and/or 'Consent Statement', and provide notice to submitters in on-line submission forms and/or Enforcement Agency consent forms where appropriate.

IC: R | CRTC: C | CB: C | OPC: C

6. There are presently no standards or mechanisms in place to ensure that an individual has capacity to give consent for the use and disclosure of his or her personal information for enforcement purposes under CASL.

IC should consider establishing age and other criteria for submissions, as necessary and authorized under subsection 77(1) of the Privacy Act. Where consent is required for the use and disclosure of personal information for enforcement purposes, IC should verify that submitters meet the mandatory age restrictions to provide meaningful consent. If a submitter does not meet the established criteria, a parent or custodian's consent should be sought prior to the processing of his or her submission.

Where information may be collected from minors or incompetents, or from persons authorized to act on behalf of minors or incompetents, IC, in conjunction with the CRTC, should implement appropriate mechanisms to ensure that consent is documented and verified.

IC: R | CRTC: C | CB: C | OPC: C

7. The breach protocols of institutions involved in CASL's administration and enforcement may be out of date or inadequate to mitigate the damages, if any, arising from a breach of personal information from the SRC.

In compliance with the Government's Directive on Privacy Practices, all institutions should ensure that breach protocols are in place and updated to reflect personal information at risk following the introduction of CASL. Protocols must, at a minimum, define the following: roles and responsibilities in the event of a privacy breach; internal procedures and communications requirements; and notification standards and procedures (including the timing of such notification) for informing the Office of the Privacy Commissioner and parties affected by a privacy breach.

IC: R | CRTC: R | CB: R | OPC: R

8. An agency's response to an access to information or privacy request may result in the release of information that could jeopardize or prejudice an on-going investigation of another agency.

Institutional ATIP Directors should consider developing a formal protocol for the co-ordination of responses to access to information or privacy requests emanating from CASL so as to avoid the release of information which may prejudice or jeopardize an on-going investigation by another enforcement partner.

IC: R | CRTC: R | CB: R | OPC: R

Footnotes

Footnote 1

An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)

Footnote 2

For purposes of this PIA, the term "submission" means forms and information submitted by an individual on fightspam.gc.ca in relation to an alleged contravention of CASL.

Footnote 3

For purposes of this PIA, the term "report" refers to information provided in support of a submission, or to intelligence and other information provided to the SRC from third parties in relation to alleged contraventions.

Footnote 4

A "honeypot" is a trap set to detect or permit unauthorized use of information systems. Honeypots may consist of computers, email addresses, or network sites that appear to be part of an open network, but which are in fact isolated and monitored. These sites in turn provide intelligence or information on spam and other electronic threats.

Footnote 5

R.S.C., 1985, c. P-21.

Footnote 6

Treasury Board of Canada Secretariat, Directive on Privacy Impact Assessments, Ottawa, April 2010 [PIA Directive]. www.tbs-sct.gc.ca

Footnote 7

Office of the Privacy Commissioner of Canada, Expectations: A Guide for Submitting Privacy Impact Assessments to the Privacy Commissioner of Canada, Ottawa, October 2011 [OPC Expectations Guide]. www.priv.gc.ca

Footnote 8

R = Responsible   C = Consult   I = Inform
