Collection and use of open source information from the Internet

Government institution
Royal Canadian Mounted Police
Head of the government institution or delegate for section 10 of the Privacy Act
Danielle Golden
Director of Privacy
Access to Information and Privacy Branch
Senior official or executive responsible for the privacy impact assessment
Superintendent Wallace Kennedy
Name and description of the program or activity of the government institution
Federal Policing Open Source Program
Legal authority for the program or activity
Section 18 of the Royal Canadian Mounted Police Act
Paragraph 14(1)(a) of the Royal Canadian Mounted Police Regulations
Personal Information Banks
PPU 015 (Criminal Operations Intelligence Records)
PPU 025 (National Security Investigations Records)
PPU 005 (Operational Case Records)
PPU 055 (Protection of Personnel and Government Property)
Description of the project, initiative or change

Nowadays billions of people around the world use social media, online marketplaces and the broader internet to conduct business, socialize, and facilitate a massive variety of activities, generally legal in nature. While the internet and social media help to connect people and to facilitate a wide variety of legitimate and lawful interests, they also facilitate and support the conduct of illegitimate and unlawful activities, such as human trafficking, organized crime, terrorism, human rights abuses, war crimes, and fraud. The prolific use of the internet and social media sites has created new and critical sources of information about criminal activities and threat actors. That information is both necessary and relevant to policing and law enforcement, and for ensuring Canada's safety and security.

Open source information (OSI) is a term used to denote any information gathered or retrieved from the internet, the deep or dark web, and, in certain instances, commercially acquired information. In order to effectively use this information to promote Canada's safety and security, the Royal Canadian Mounted Police gathers and uses OSI according to its law enforcement and policing mandate across a variety of RCMP Units. Specifically, the RCMP collects open source information pertinent to predicated investigations, to identify issues and relevant facts, and to develop and advise RCMP partners on security and safety matters.

In order to ensure that the RCMP's collection and use of OSI complies with the Privacy Act, the Federal Policing Open Source Program developed a set of policy instruments to enable a consistent operating framework for all open source information intelligence practitioners. The program also oversees the integration of third-party tools that facilitate the conduct of this activity. This is in conjunction with the National Technology Onboarding Program, which is the first point of contact for all RCMP units considering the use of any operational technology. In accordance with RCMP policy, the National Technology Onboarding Program is consulted before testing, purchasing, developing, or deploying any operational technology. The program is responsible for conducting thorough and objective evaluations of all new operational technologies, which includes consultations from privacy and legal perspectives. Any new open source information tool considered for use in policing operations would have to undergo a thorough assessment by the National Technology Onboarding Program. The policy also applies to any potentially privacy-invasive tools or technologies that are already in use but have not been assessed by the Program.

Purpose and scope of the privacy impact assessment
To ensure that open source information collected from the internet and used for lawful investigations and operational purposes is compliant with the Privacy Act, the RCMP Federal Policing Program has elected to perform a formal privacy impact assessment (PIA) on the RCMP's use of open source information gathered from the internet for operational purposes. The scope of this PIA is the activity of open source information collection in an operational context. This PIA does not assess the collection of this information used in an administrative context, such as communications, nor does it assess the collection of open source information for security screening purposes.
Privacy analysis

Based on this assessment, privacy impacts associated with the collection, use, disclosure and retention of open-source information by the RCMP from the internet are expected to be moderate. Recommendations from the privacy impact assessment process, once fully adopted, are expected to reduce those risks to an acceptable level.

Potential impacts on the privacy of individuals will be managed by the RCMP through appropriate legal, policy and technical measures geared at the protection of their personal information.

Risk Area Identification and Categorization
A. Type of program or activity

Personal information is used for investigations and enforcement in a criminal context (for example, decisions may lead to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement).

  • Level of Risk to Privacy: Elevated Risk
B. Type of personal information involved and context

Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

  • Level of risk to privacy: Low risk
C. Program or Activity Partners and Private Sector Involvement

Within the institution, with other government institutions, federal, provincial or territorial, and municipal governments and private sector organizations, international organizations and/or foreign governments.

  • Level of risk to privacy: Elevated risk
D. Duration of the Program or Activity

Long-term program or activity

  • Level of risk to privacy: Moderate risk
E. Program Population

The program's use of personal information for external administrative purposes affects certain individuals.

  • Level of risk to privacy: Moderate risk
F. Technology and Privacy

Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

  • Risk to privacy: No

Does the new or substantially modified program or activity require any modifications to information technology legacy systems?

  • Risk to privacy: No

Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:

  • Enhanced identification methods?
    • Risk to privacy: No
  • Surveillance?
    • Risk to privacy: No
  • Automated personal information analysis, personal information matching and knowledge discovery techniques?
    • Risk to privacy: No

Level of risk to privacy: Moderate Risk

G. Personal Information Transmission

Open source information collected by the RCMP may be used internally or with law enforcement partners. The transmission of that data will be effected through a secured network, or through the use of encrypted portable storage devices.

  • Level of risk to privacy: Moderate risk
H. Potential Risk that in the event of a privacy breach, there will be an impact on the individual or employee

Open source information collected by the RCMP is publicly available on the internet. As such, the privacy impacts on an individual in the event of a data breach are considered to be relatively low. Risks to an individual could conceivably include inconvenience, embarrassment, or financial harm. Where information collected from an open-source activity results in a law enforcement action or criminal charges, the impact on an individual would naturally be higher.

  • Level of risk to privacy: Moderate risk