Quebec Economic Development Program
This report presents the results of the analysis, as well as the findings, conclusions and recommendations, of the Privacy Impact Assessment (hereinafter referred to as the “PIA” or “the assessment”) of Canada Economic Development for Quebec Regions (CED) grant and contribution programs and initiatives.
About CED’s programs
Pursuant to its constituent Act, which came into force on October 5, 2005, Canada Economic Development for Quebec Regions is responsible for promoting the long-term economic development of the regions of Quebec. CED’s mandate is to foster the startup and growth of small and medium-sized businesses and non-profit organizations to help them enhance their competitiveness and productivity and become more innovative. The Agency also contributes to the vitality of the regions of Quebec by giving special attention to communities experiencing slow economic growth.
Via its business offices and advisors, CED has a well-established presence throughout the regions of Quebec. The Agency works with businesses—mainly SMEs—and non-profit organizations, supporting them in their development efforts, primarily by providing funding for their projects.
In addition to implementing its Quebec Economic Development Program (QEDP) and Regional Economic Growth through Innovation (REGI) initiative, CED helps to design and implement national programs and targeted, temporary initiatives.
Rationale behind the decision to conduct this PIA
The Directive on Privacy Impact Assessment issued by the Treasury Board Secretariat of Canada (TBS) on April 1, 2010, states that all government institutions subject to the Privacy Act that develop, sponsor or fund programs, projects or initiatives involving the collection, use or sharing of personal information should consider conducting a PIA before proceeding with their projects and initiatives.
Thus, and in accordance with advice from the TBS, a PIA was conducted during the 2013–2014 fiscal year, and the report dated December 23, 2013, established that “the collection of personal information for the purposes of the QEDP is very limited” and that “although personal information is sometimes taken into consideration by the Agency, the decisions resulting from this process are not made with regard to the individuals concerned by this information but rather with regard to the viability of the proposed projects. Personal information collected for QEDP activities is therefore not used for an ‘administrative purpose,’ as defined in the Privacy Act.” Consequently, the report concluded that “there is no reason to create a personal information bank for this information.” However, in at least one case in 2014, the Agency collected personal information that could potentially be used to make administrative decisions affecting a proponent. It was determined at the time that other client files might result in the collection of similar personal information that could also be used in decision-making affecting individuals. As a result, and in accordance with the requirements of subsection 9(4) of the Privacy Act, the Agency decided to create a Personal Information Bank, and requested that the PIA report dated December 23, 2013, be updated to reflect the new business context of the QEDP. Such a report, which came to similar conclusions, was therefore finalized on December 30, 2015.
Nevertheless, given the recent rollout of the CORTEX computer system, the Regional Economic Growth through Innovation (REGI) program, and certain initiatives, such as the Women Entrepreneurship Fund (WEF), it was decided that a new assessment was needed that would include additional personal information, such as level and field of education, LGBTQ2 status and student status, and that would also ensure the security of our computer systems so as to preserve the integrity of this information. The PIA presents the results of the analysis, as well as the findings, conclusions and recommendations, of the new assessment of CED’s practices with respect to the administration of grant and contribution programs and initiatives.
Objectives of this PIA
The objectives of this PIA were to
- verify the legal basis of the Agency’s grant and contribution programs and initiatives;
- determine whether all aspects of these programs and initiatives meet the requirements of the relevant provisions of the Privacy Act and generally accepted privacy principles, and, above all, are consistent with the essence of these provisions and principles;
- identify risks associated with the implementation of these programs and initiatives; and
- make recommendations, as required, aimed at ensuring compliance with the applicable legislative and political framework and eliminating, or at least mitigating, any identified risks.
Findings and conclusions
Protecting personal information associated with grant and contribution programs and initiatives
The assessment found that the collection of personal information for the purposes of CED’s programs and initiatives is very limited and that, even when personal information is taken into consideration by the Agency, the decisions resulting from this process are not made with regard to the individuals concerned by this information but rather with regard to the viability of the proposed projects. Personal information collected as part of these related activities is therefore not used for an “administrative purpose” within the meaning of the Privacy Act.”
The results of the risk factor analysis suggest that CED’s grant and contribution programs and initiatives do not pose significant risks to individuals’ privacy, and that, as long as the Agency exercises due vigilance, there is no reason for special measures to be taken to protect privacy.
The administration of grant and contribution programs and initiatives results in the collection and the creation of an extremely small volume of personal information. Moreover, the assessment confirmed that this personal information is very rarely used for an administrative purpose within the meaning of section 3 of the Privacy Act (“use of [personal] information about an individual in a decision-making process that directly affects that individual”). That said, personal information may be required to determine program eligibility; likewise, personal financial information about individuals who are acting as guarantors for the repayment of Agency contributions may also be required.
Consequently, this PIA resulted in the following recommendations:
Recommendation 1: Retaining and disposing of personal information
We recommend that visualization audits be conducted sporadically to monitor access to documentation in Content Server and information in grant and contribution systems. It is also recommended that, from now on, data in the Hermès Programs and Cortex systems be added to the retention table, so that it can be archived or deleted in accordance with clearly established standards.
Recommendation 2: Safeguarding personal information
We recommend that a new financial database risk assessment be carried out when new systems are implemented, and that a parameter be put in place to generate alerts when non-government or unsecured devices are connected to Agency systems.
Recommendation 3: Limiting access rights
We recommend that access to external clients’ financial statements be limited to the relevant individuals concerned within the Agency.