Privacy Impact Assessment – Data Quality Confirmation Study

A privacy impact assessment (PIA) was conducted to identify and mitigate any privacy risks associated with the National Register of Electors (NROE) Data Quality Confirmation Study (DQCS). The purpose of the DQCS was to evaluate the quality, accuracy and currency of selected fields of personal information contained within the Elections Canada (EC) NROE database.

Section 1 - Overview and PIA Initiation

Government Institution:

Elections Canada

Government Official Responsible for the Program or Activity:

• Director, National Register of Electors
• Director, Data Analysis and Quality

Delegate for Section 10 of the Privacy Act:

Assistant Director, Access to Information and Privacy

Name and description of the Program or Activity:

The objective of the DQCS project was to evaluate the quality, accuracy and currency of the personal information contained within the EC NROE. EC engaged the services of Statistics Canada (STC) to use a subset of NROE personal information in conjunction with multiple internal STC authoritative information sources to evaluate the accuracy, completeness and currency of NROE personal information. This required EC to securely disclose a significant sub-set of NROE personal information to STC in the form of a data extract of approximately 28 million records. STC returned to EC aggregated statistical results on data quality, without personal information.

Personal Information Banks:

Voter Registration and identification Elections PPU 037

Legislative Authority:

• Subsections 6(2), 7(a) and (b); paragraph 8(2)(a) of the Privacy Act
• Subsections 44(1) and (2) of the Canada Elections Act
• Section 3 of the Statistics Act

Section 2 - Risk Area Identification and Categorization

A. Type of Program or Activity:

Program or activity that does not involve a decision about an identifiable individual (Level of Risk: 1)

B. Type of Personal Information Involved and Context:

Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program (Level of Risk: 1)

C. Program or Activity Partners and Private Sector Involvement:

With other federal institutions (Level of Risk: 2)

D. Duration of Program or Activity:

One time program or activity; typically involves offering a one-time support measure in the form of a grant payment as a social support mechanism (Level of Risk: 1)

E. Program Population:

The program affects certain individuals for external administrative purposes. (Level of Risk: 3)

F. Technology and Privacy:

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? – No.

Does the new or modified program require any modifications to IT Legacy Systems and/or services? – Yes.

Does the new or modified program or activity involve the implementation of one or more of the following technologies?

• Enhanced identification methods? – No.
• Use of surveillance? – No.
• Use of automated data analysis, data matching and knowledge discovery techniques? – Yes.

G. Personal Information Transmission:

The personal information is transferred to a portable device or is printed. (Level of Risk: 3)

H. Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee:

Identity theft and financial harm