Description
This Privacy Impact Assessment (PIA) was written to assess a series of new and existing funding programs that fall under the umbrella of Grants and Contributions Programming offered by Agriculture and Agri-Food Canada (AAFC).
All AAFC programs that fall under Grants and Contributions Programming follow a nearly identical workflow where an agriculture producer or processor applies for funding, AAFC receives and assesses the application, and subsequently provides the producer/processor with repayable funds (including loans), non-repayable contributions, grants, a combination of all 3, or declines the application.
This PIA was written to create a new personal information bank (PIB), called the Grants and Contributions programming PIB. This new PIB will replace existing program PIBs and will be used for new funding initiatives that fall under Grants and Contributions.
Why a privacy impact assessment was completed
Pursuant to the Directive on Privacy Practices, AAFCs' Privacy Compliance Unit (PCU) determined that an assessment of AAFCs' Grants and Contributions programming process, using the Agriculture Clean Technology Program as a model, was required to document the standard workflow for collecting, using, disclosing, and retaining personal information for an AAFC Grants and Contributions program.
Additional information
AAFC has identified 5 risks in this PIA along with recommendations to mitigate those risks.
Risk 1
There is a risk that the programs described in sections 3 and 4 of this PIA do not have a PIB associated to them, as required by s. 11 of the Privacy Act.
Mitigation measures
- Submit the PIA to Treasury Board Secretariat (TBS) for review and approval of the new PIB in Annex B
Risk 2
There is a risk that AAFC is not compliant with the requirements of s. 10 of the Privacy Act in that a PIB has not been authored and registered with TBS for the Agricultural Clean Technology Program, as well as all program activities identified the PIA.
Mitigation measures
- Submit the PIA to TBS for review and approval of the new PIB in Annex B
- It is recommended that AAFC Information Management experts are contacted to validate the retention and disposition schedule for the draft PIB in Annex B
- Once TBS approves of the new Grants and Contributions PIB in Annex B, it is recommended that all associated Privacy Notice Statement (PNS)s (on forms, GCDS, and online portals) are updated to identify the new PIB and remove reference to any other PIBs
Risk 3
There is a risk that AAFC is not providing ample notice to program applicants, in accordance with s. 5 of the Privacy Act
Mitigation measures
- For all future program under the Grants and Contributions Programming umbrella, it is recommended that AAFC ensure a PNS is included on all forms
To ensure an appropriate PNS is included, AAFC should continue its existing business process which requires the PCU to review and edit all PNSs and Consent Statements (if applicable)
Risk 4
There is a risk that a Grants and Contributions Program will collect claim forms which involve the collection of sensitive personal information such as an individual's credit card statement or bank account statements.
This could lead to AAFC unnecessarily collecting sensitive account numbers as well as details of purchase information which are unrelated to the claim form.
This risk often arises when a Grants and Contributions program allows for funds to be paid to company officials for travel expenses, per diems, or other related types of expenses.
Mitigation measures
- It is recommended that all Grants and Contributions applicant guides, wherein a claim form is submitted, includes guidance to black out account numbers and unrelated purchases such that these unrelated purchases, as well as account/credit card numbers, are not collected by AAFC
Risk 5
There is a risk that the Records Disposition Authority (RDA), cited for Grants and Contributions Programs is inconsistent in AAFC's Info Source Chapter. Also, the retention and disposition schedule (RDS) for Grants and Contributions programs (see Section 4.3) varies slightly such that the RDS text authored for the draft new PIB in Annex B is incorrect.
- It is recommended that AAFC Information Management experts confirm the appropriate RDA; the RDAs cited in AAFC's Info Source Chapter appear to be dated (1999/024; 2001/008; 2001/013, and 2001/019). Consequently, the appropriate RDA must be added to the draft PIB in Annex B
- It is recommended that AAFC Information Management experts are contacted to validate the RDS for the draft PIB in Annex B
Related personal information banks
For more information about this privacy impact assessment, please contact the Access to Information and Privacy Office
Agriculture and Agri-Food Canada
Kirsten Gartenburg
Access to Information and Privacy Coordinator
Tower 7, 10th Floor
1341 Baseline Road, Room 216
Ottawa, Ontario K1A 0C5
aafc.atip-aiprp.aac@agr.gc.ca