Summary of Finance Canada's Privacy Impact Assessment of the Conflict of Interest Code for Departmental Personnel

The Conflict of Interest Code for the Department of Finance (Conflict of Interest Code) is intended to supplement and strengthen the conflict of interest provisions in the Values and Ethics Code for the Public Service. More specifically, it implements an important principle relating to financial interest, namely, that no one who works in Finance Canada may use or disclose non-public information obtained in the course of his or her work in the Department for personal financial benefit or to further the financial interests of relatives, friends, or others. The departmental Conflict of Interest Code establishes additional compliance measures—including reporting requirements concerning personal information—for persons working in Finance Canada over and above those set out in the Values and Ethics Code for the Public Service. Compliance with both this Conflict of Interest Code and the Values and Ethics Code for the Public Service is a condition of employment in the Department of Finance Canada.

Because the Conflict of Interest Code requires the collection and management of personal information, the Department determined that a Privacy Impact Assessment (PIA) should be conducted to assess the privacy-related impact of the Conflict of Interest Code and its related processes and to propose appropriate mitigation measures for identified privacy risks. Administration of the Conflict of Interest Code involves the collection, use, disclosure, and retention of sensitive personal and financial information including:

  • Staff member tombstone information;
  • Staff member job position information;
  • Information on a staff member's real, potential, or apparent conflict of interest; and
  • Information on a staff member's publicly traded securities, other assets, liabilities, and outside activities.

The PIA assessment process has confirmed the Department's commitment to privacy and has identified several privacy-enhancing practices related to the Conflict of Interest Code including:

  • Dropping the requirement for staff members to disclose their securities unit-holdings in their confidential report. The collection of such information is now limited to cases in which a real, potential, or apparent conflict of interest has been identified in respect of securities holdings and where the number of units held is required to assist in determining the appropriate divestment method; and
  • A commitment to proactively develop the PIA prior to initiating the Conflict of Interest Code, so that privacy recommendations could be built into Conflict of Interest Code processes.

The Department's Privacy Risk Mitigation Action Plan below summarizes the privacy risks identified through the PIA process along with the recommendations from the Office of the Privacy Commissioner and the proposed departmental mitigation strategies.


Privacy Risk Mitigation Action Plan Pertaining to the Privacy Impact Assessment of the Conflict of Interest Code for Finance Canada and the Related Observations and Recommendations of the Office of the Privacy Commissioner

Each item below gives, in order: the Department of Finance Canada (FIN) PIA findings and conclusions; the Office of the Privacy Commissioner (OPC) observations and recommendations; and the Department's risk mitigation action required.

4.1 Accountability (Low Risk)

1.0
  PIA findings and conclusions: The PIA states that accountability for the personal information collected, used, and disclosed through the Conflict of Interest Code processes has not been formally documented. The PIA indicates that the Department should ensure that the Values and Ethics Officer's roles and responsibilities include responsibility for the protection of the Conflict of Interest Code personal information.
  OPC observations and recommendations: The OPC concurs with this recommendation.
  Action required: The approved job description for the Values and Ethics Officer states expressly that he or she "is responsible for ensuring that the Department's management of the Codes respects privacy concerns and ensures the proper protection of personal information. This responsibility includes safeguarding the personal information of staff in accordance with legal obligations and Treasury Board and Finance Canada policies."

  PIA findings and conclusions: The PIA states that the performance requirements for the Values and Ethics Officer are not set out in a measurable way and are not subject to performance and compliance reviews. The PIA recommends that the Department consider incorporating privacy measures into the Values and Ethics Officer's performance management framework.
  OPC observations and recommendations: The OPC concurs with this recommendation.
  Action required: Specific privacy and security-related performance measures should be developed by the Values and Ethics Officer and incorporated into his or her performance management framework.

4.2 Collection of Personal Information

2.0
  PIA findings and conclusions: No privacy risks identified.
  OPC observations and recommendations: No discussion points.
  Action required: No action required.

4.3 Consent

3.0
  PIA findings and conclusions: No privacy risks identified.
  OPC observations and recommendations: No discussion points.
  Action required: No action required.

4.4 Use of Personal Information

4.0
  PIA findings and conclusions: No privacy risks identified.
  OPC observations and recommendations: No discussion points.
  Action required: No action required.

4.5 Limiting Disclosure and Retention (Moderate Risk)

5.0
  PIA findings and conclusions: The PIA states that the personal information of an employee may sometimes need to be disclosed to the Office of Public Service Values and Ethics (OPSVE), such as when the OPSVE needs to advise departments on the divestment of assets for public servants. The PIA indicates that the Department should establish a procedural document that outlines the responsibilities of both parties in relation to the secure transmission and use of personal information.
  OPC observations and recommendations: The OPC concurs that Finance Canada should develop and document procedures in relation to the secure transmission and use of personal information disclosed to the OPSVE.
  Action required: A procedural document that outlines the responsibilities of FIN and OPSVE employees in relation to the secure transmission and use of personal information should be developed by the Values and Ethics Officer in consultation with the OPSVE and the ATIP divisions of FIN and OPSVE.

  PIA findings and conclusions: The PIA states that information collected through the affirmation form will be used by the Values and Ethics Officer to track submissions. It is proposed that limited staff member tombstone information, including the Personal Record Identifier (PRI) found in the Department's Human Resources system, be disclosed to the Values and Ethics Office for use in populating and updating the tracking and reporting spreadsheet.
  OPC observations and recommendations: The OPC recommends that Finance Canada update its PIA to reflect that the PRI is a personal identifier and will be disclosed.
  Action required: It will be the responsibility of the Values and Ethics Officer to determine whether or not the PRI will be used in affirmation form tracking—refer to item 2.4.1 of the PIA—and, if so, to update the PIA accordingly.

4.6 Accuracy of Personal Information

6.0
  PIA findings and conclusions: No privacy risks identified.
  OPC observations and recommendations: No discussion points.
  Action required: No action required.

4.7 Safeguarding Personal Information (Moderate Risk)

7.0
  PIA findings and conclusions: The PIA indicates that security procedures have not been documented for the collection, transmission, storage, and disposal of personal information, or for access to personal information, particular to the Conflict of Interest Code.
  OPC observations and recommendations: The OPC recommends that Finance Canada document its security procedures. The OPC further recommends that staff receive training in these procedures.
  Action required: Security procedures should be developed by the Values and Ethics Officer in consultation with departmental security and ATIP officials. It will be the responsibility of the Values and Ethics Officer to ensure that staff receive training on these procedures.

  PIA findings and conclusions: The PIA indicates that "in addition to the orientation and privacy/security manuals, the Values and Ethics Officer will be given the opportunity to take privacy and security training available to Department executives."
  OPC observations and recommendations: The OPC recommends that privacy and security training be mandatory for the Department's Values and Ethics Officer.
  Action required: Values and Ethics Officer: To meet executive accountabilities, the Values and Ethics Officer will be required to participate in the Canada School of Public Service's mandatory training, which includes a component on privacy and security.

  PIA findings and conclusions: The PIA further notes that specific access requirements around the Values and Ethics Officer's manual files and tracking spreadsheet have not been developed.
  OPC observations and recommendations: The OPC recommends that Finance Canada incorporate all of the items from section 3.7.1 of the PIA, including the tracking spreadsheet requirements.
  Action required: It will be the responsibility of the Values and Ethics Officer to establish specific procedures for the handling of personal information by the Values and Ethics Officer and staff.

  PIA findings and conclusions: The PIA explains that a Threat and Risk Assessment (TRA) has not been completed. However, a statement of sensitivity has been developed to comply with the departmental security policy.
  OPC observations and recommendations: The OPC understands from the PIA that the confidential reports will be kept in paper format in a secured cabinet. The OPC recommends that if, in the future, the confidential reports are transferred to an electronic format, Finance Canada consider completing a TRA.
  Action required: It will be the responsibility of the Values and Ethics Officer to conduct a TRA if, in the future, it is determined that confidential reports should be transferred to an electronic format.

  PIA findings and conclusions: The PIA states that a security quality assurance and audit program has not yet been considered to assess the ongoing state of the safeguards applicable to the system.
  OPC observations and recommendations: The OPC recommends that Finance Canada implement a security quality assurance and audit program that includes an audit for privacy.
  Action required: In its April 7, 2008, audit plan, the Internal Audit and Evaluation Division indicates that from September 2008 to March 2009 it will conduct an audit of security of information to assess the management control framework established to comply with security of information requirements under the Privacy Act, the Government Security Policy, and other related policies and legislation.