MyCFP Safety Course Report Portal
Overview and privacy impact assessment initiation
Government institution
Royal Canadian Mounted Police
Head of the government institution or delegate for section 10 of the Privacy Act
Danielle Golden
Director of Privacy
Access to Information and Privacy Branch
Senior official or executive responsible for the privacy impact assessment
Joe Oliver
Senior Director, Strategy and Innovation
Canadian Firearms Program
Name and description of the program or activity of the government institution
Canadian Firearms Program
Legal authority for the program or activity
Firearms Act
Standard or institution-specific personal information bank
Canadian Firearms Program, RCMP PPU 100
Canadian Firearms Information System (CFIS), RCMP PPU 037
Inquiries by Firearms Owners, Licence Applicants, and the general public, RCMP PPU 007
Description of the project, initiative or change
The Royal Canadian Mounted Police (RCMP) Canadian Firearms Program (CFP) is modernizing its service delivery, a period of transformation and automation expected to evolve over five years. The upcoming changes are driven by government priorities led by the Minister of Public Safety and the Minister of Justice and Attorney General of Canada to improve the safety of our cities and communities and reduce gun violence by modernizing systems that are aging and can no longer support functionalities needed, are largely paper-based, and prone to significant error rates. These issues are further compounded by the inability of existing systems and processes to easily adapt to changing legislation, and by client expectations that services should be faster, easier and available at any time.
The MyCFP Safety Course Report Portal resides on the same cloud-based solution, the Canadian Firearms Digital Services Solution (CFDSS or "MyCFP") as does Online PAL (PIA submitted March 2023). CFDSS will require the collection and use of personal information to determine eligibility for the licencing and registration requirements of firearms as is required today by existing paper or electronic methods. CFDSS is a Microsoft cloud-based service that will coexist with the existing Canadian Firearms Information System (CFIS) until all functionality is fully integrated. Information collected in the MyCFP Safety Course Report Portal is stored and will operate in the RCMP's secure cloud Protected B environment and will interface with the on premise CFIS.
Purpose and scope of the privacy impact assessment
This PIA on the MyCFP Safety Course Report Portal is the second in a series of PIAs that is developed as the program's new online public-facing system evolves to ensure that the RCMP meets its legal obligations under the Privacy Act, and to ensure that privacy risks are identified, assessed, and mitigated. This initiative permits online submissions of safety course training information by certified Instructors who are responsible for reporting on behalf of their province's Chief Firearms Officer, a substantial modification to the collection of personal information by the CFP from a paper-based system to an online, cloud-based service.
The scope of the PIA is restricted to the change in how the CFP collects personal information related to safety course training. The same personal information for paper-based safety course reports will be collected by the Portal in accordance with the Firearms Act. Personal information collected in the Portal will only be used to determine the existence of an existing client/instructor profile in CFIS. Data linkages against the CFIS exist to verify individual identity.
Privacy analysis
Based on this assessment, privacy impacts associated with the collection and use of personal information in the MyCFP Safety Course Report Portal are expected to be moderate. Recommendations from the privacy impact assessment process, once fully completed, are expected to reduce these risks to a low (or acceptable) level. In addition, opportunities to improve the CFP's privacy practices through policy and technical measures were considered throughout the development of the PIA.
Risk area identification and categorization
A) Type of program or activity
Personal information is used for the administration of the Firearms Act (for example to facilitate legislative requirements) and may involve compliance and enforcement activities (for example as required for reasons of public safety and law enforcement).
Level of risk to privacy: Low to moderate risk
B) Type of personal information involved and context
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
Level of risk to privacy: Low risk
C) Program or activity partners and privacy sector involvement
Within the institution, with other government institutions, federal, provincial or territorial, and municipal governments and private sector organizations, international organizations and/or foreign governments.
Level of risk to privacy: Elevated risk
D) Duration of the program or activity
Long-term program or activity
Level of risk to privacy: Moderate risk
E) Program population
The program's use of personal information for external administrative purposes affects certain individuals.
Level of risk to privacy: Moderate risk
F) Technology and privacy
- Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
- Does the new or substantially modified program or activity require any modifications to information technology legacy systems?
Risk to privacy: No
- Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
- Enhanced identification methods;
Risk to privacy: No
- Surveillance;
Risk to privacy: No
- Automated personal information analysis, personal information matching and knowledge discovery techniques?
Risk to privacy: No
- Enhanced identification methods;
Level of risk to privacy: Moderate risk
G) Personal information transmission
Personal information collected by Instructors/SDAs and the RCMP using the myCFP Safety Course Report Portal will be shared or transmitted between internal groups who are involved in the administration of the Firearms Act, to support the CFP's delivery of services, or with law enforcement partners. The solution operates in the RCMP's secure Protected B Cloud environment, in compliance with the Government of Canada's security policies. Access to the solution is provided through multi-factor authentication using GCKey; access to personal information by internal users is role-based, and the solution provides robust auditing capabilities to monitor user authentication of system user's activity. External transmissions from the solution to students rely on GCNotify.
Level of risk to privacy: Low risk
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Although information collected from Instructors/Examiners related to their certification as Instructor is work-related, it is still considered personal information under the Privacy Act however information collected from Instructors is also not particularly sensitive. Personal information collected as part of the MyCFP Safety Course Report Portal process from student's includes their name, contact information, date of birth, and their test results that when combined or if the student is not successful the reason for failure is documented may be considered sensitive personal information. A breach resulting in the disclosure of personal information could result in loss of privacy, and potential embarrassment to the individual (with a failed test score). There may be some harm to the individuals (psychological) involved), however the impact is Moderate.
Level of risk to privacy: Moderate risk
- Date modified: