The Report is a Privacy Impact Assessment (PIA) for Citizenship and Immigration Canada’s Temporary Resident Biometrics Project (TRBP) U.S. Service Channel Arrangement. The Report should be read in concert with the Interdepartmental TRBP PIA published in November 2012, as it provides a broader privacy risk analysis of the TRBP. The objective of this Report, however, is to identify and assess the privacy risks associated with the U.S. Service Channel Arrangement.
As an initiative jointly managed by CIC, the Canada Border Services Agency (CBSA), and the Royal Canadian Mounted Police (RCMP), the TRBP was created in response to the challenges faced by Canada’s immigration program related to applicant identity. Strong immigration screening and identification practices help to identify individuals who pose a criminal or security threat to Canada while facilitating the travel of legitimate applicants. The project proposed the electronic in-person collection of a digital photograph and all available fingerprints from certain TR applicants [Footnote 1] through a robust service delivery network consisting of commercially contracted service providers, arrangements with trusted governments, and CIC Visa Offices abroad.
More specifically, the TRBP involves the electronic collection of biometric information from certain TR applicants abroad for the purposes of enhancing applicant screening, fixing an individual’s identity at the time of application, and allowing verification of that identity when the individual seeks entry at the border. CIC and CBSA will work together in using new biometric identification tools to manage the movement of foreign nationals across and within Canada’s borders in accordance with the Immigration and Refugee Protection Act (IRPA) and the Immigration and Refugee Protection Regulations (IRPR), while the RCMP will provide support in the verification and storing of fingerprints and related biographical information.
As part of this new requirement, CIC reached out to its international partner and ally—the United States—to determine whether it can leverage its existing processes to capture and transmit biometric and related biographical information from certain CIC applicants physically located in the United States. As a component of the Department of Homeland Security (DHS), the United States Citizenship and Immigration Services (USCIS) has established an extensive network of biometric collection service points—Application Support Centers (ASC)—which were initially established to assist legacy U.S. Immigration and Naturalization (now part of USCIS) to collect biometric data. The ASCs are a network of 135 geographically dispersed locations in all 50 U.S. states, commercially contracted and managed by USCIS.
Given the intention to establish a robust service delivery network, CIC proposed to leverage the existing USCIS ASC service provider network for the capture and transmission of biometric and related biographical information. Using existing U.S. biometric collection equipment with comparable privacy and security safeguards, CIC aimed to build a solid service delivery model in the U.S. for the TRBP while upholding Canadian privacy standards and program integrity.
Accordingly, CIC entered into a Memorandum of Understanding (MOU) with USCIS in September 2012, to capture and transmit biometric and related biographical information from CIC TR applicants physically located in the United States as part of the TRBP.
The privacy and security requirements implemented for this arrangement were taken from the Global Visa Application Center Network Request for Proposal (Global VAC RFP) and the Technical Solution RFP – two comprehensive solicitations that include business, privacy, and security requirements, Statements of Work (SOW) – and the Public Works and Government Services Canada’s Standard Acquisition Clauses and Conditions (SACC). [Footnote 2] From the outset, CIC and USCIS were able to jointly build on the Global VAC RFP provisions and address the unique requirements of the arrangement between two trusted governments.
The objectives of the PIA Report are to assess the privacy measures included in the U.S. arrangement, which make up the arrangement between CIC and USCIS, as well as to provide recommendations to mitigate or eliminate any identified privacy risk. The intention is to assess whether the necessary privacy requirements have been integrated into the arrangement documents, as they form the terms and conditions of the initiative relative to the protection of personal information (PI) that will be captured and securely transmitted by ASCs. The Report does not, however, include any assessment of Information Sharing Arrangements with the United States. These initiatives are intended to begin in 2014 and are beyond the scope of the TRBP as well as subject to their own PIAs.
While there were no high-level privacy risks identified relating to the personal information collected, this Report identifies a limited number of medium-to-low level risks associated with the principles of Accountability, Limiting Use, Disclosure and Retention, and Challenging Compliance. The Report further describes the various mitigation mechanisms put in place as a result of these risks and describes the various privacy and security requirements built into the U.S. Service Channel Arrangement Memorandum of Understanding (MOU) signed by both CIC and USCIS, as well as all arrangement documents related to the project such as the Privacy and Security Requirements Document and the U.S. Service Channel Standard Operating Procedures. Guidance on the privacy and security measures implemented was also taken from the Treasury Board Secretariat’s (TBS) Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows, as well as from various consultations with the Office of the Privacy Commissioner (OPC). To this end, the Department was able to build extensive and robust privacy and security measures into the arrangement documents, as they outline the terms and conditions of the U.S. Service Channel between CIC and USCIS.