Privacy Impact Assessment Summary for the enhanced mandate of the Civilian Review and Complaints Commission for the RCMP

Overview and Initiation

The Civilian Review and Complaints Commission for the RCMP (CRCC) is an independent agency created by Parliament to provide fair and independent civilian review of RCMP members' conduct in the performance of their duties. 

Objectives

The CRCC conducted this Privacy Impact Assessment (PIA) to determine the potential privacy risks associated with the collection, use, disclosure and retention of personal information under its expanded mandate brought about by amendments to Parts VI and VII of the Royal Canadian Mounted Police Act (RCMP Act). Once the risks were identified, the PIA focused on the development of risk mitigation strategies.

Description

The PIA examined the various powers, duties and functions of the CRCC under its expanded mandate, including the broad right to access information in the control or possession of the RCMP, enhanced investigative powers, and the power to undertake reviews of specified RCMP activities.

The PIA identified four potential privacy risks associated with the CRCC's collection, use, disclosure and retention of personal information under its expanded mandate. To mitigate those four risks, the PIA recommended:

• modification of the privacy notice on CRCC complaint forms;
• modification of the CRCC's existing personal information bank;
• enhanced privacy training and awareness for CRCC employees; and
• enhancement of the CRCC's existing privacy breach protocol.

Risk Area Identification and Categorization

The PIA identified the risk areas and categorized the level of potential risk (i.e. level 1 representing the lowest level of potential risk and level 4 representing the highest level of potential risk) associated with the collection, use, disclosure and retention of personal information by the CRCC.

• Type of program or activity – Level 3: Compliance or regulatory investigations and enforcement.
• Type of personal information involved and context – Level 4: Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive.
• Program or activity partners and private sector involvement – Level 1 to 4: With the institution (among one or more programs within the same institution); with other government institutions; with other institutions or a combination of federal, provincial, territorial and municipal governments; and private sector organizations, international organizations or foreign governments.
• Duration of the program or activity – Level 3: Long-term program or activity.
• Program population – Level 3: The program's use of personal information for external administrative purposes affects certain individuals.
• Technology and privacy – The CRCC's expanded mandate does not involve the implementation of new technologies.
• Personal information transmission – Level 1 to 3: The personal information is used within a closed system; the personal information is used in a system that has connections to at least one other system; and the personal information is transferred to a portable device, transferred to a different medium or is printed.
• Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee – There is a low risk of a privacy breach. The impact on an individual or employee in the unlikely event of a breach would be moderate. There is potential for loss of privacy, physical, mental or emotional harm, inconvenience or embarrassment to the individual(s) to whom the information relates.
• Potential risk that in the event of a privacy breach, there will be an impact on the institution – There is a low risk of a privacy breach. The impact on the institution in the unlikely event of a breach would be moderate. The CRCC might suffer damage to its reputation, which in turn could potentially lead to loss of credibility.

Recommendations

As noted above, the PIA included recommendations to mitigate identified privacy risks and ensure that personal information collected by the CRCC is handled in accordance with CRCC policy and is compliant with legislative requirements.

Conclusion

Based on the analysis in the PIA of potential risks, the CRCC's mandate is likely to present a moderate risk to privacy. However, with the implementation of proposed mitigation measures, any remaining risks either will be negligible or are such that the CRCC is prepared to accept and manage these risks.