Statistics Canada takes reasonable measures to safeguard census data transferred to Shared Services Canada

Complaint under the Privacy Act

May 7, 2018

Summary of Investigation

  1. The Office of the Privacy Commissioner of Canada (OPC) received a complaint under the Privacy Act (the Act) against Statistics Canada (StatCan) in relation to its personal information handling practices. In particular, the complainant alleged that StatCan improperly disclosed confidential census information collected from the 2016 Census of Population and previous censuses (the data or census data) to Shared Services Canada (SSC) when it transferred its informatics infrastructure to SSC.
  2. The complainant further alleged that the sharing of census information with SSC is in contravention of the provisions of the Statistics Act – while StatCan may have sworn SSC employees as “deemed employees” under the Statistics Act, StatCan has no meaningful supervision over the actions of these SSC employees. In addition, the complainant stated that the data is being stored in SSC data centres shared with other federal institutions, thereby creating a risk of unauthorized disclosure to those institutions. He alleged that while the information may be encrypted, there is a risk of disclosure of confidential census data when it is decrypted for processing.
  3. Following our review of the submissions from both the complainant and StatCan, our Office is satisfied that StatCan did not disclose personal information contrary to the Act when it transferred its informatics infrastructure to SSC, as it was legally required to do. Further, we are of the view that reasonable measures have been taken by StatCan to define its relationship with SSC and to ensure that privacy and security considerations were taken into account to protect census data when responsibility for its information technology (IT) infrastructure was transferred to SSC. We therefore determined that the complaint is not well-founded. The rationale for our finding is presented below.

Background

  1. Under the Statistics Act [Footnote 1], StatCan is required to collect, compile, analyse, abstract and publish statistical information relating to the commercial, industrial, financial, social, economic and general activities and condition of the people of Canada.
  2. StatCan collects personal information pursuant to its mandate as defined in the Statistics Act. Sections 3 and 22 of the Statistics Act detail the various subject matters for which StatCan may collect information under its statistical programs. StatCan has six high-level programs under which personal information may be collected. For the most part, personal information applies to the census and social statistics program of StatCan; however, personal information may also be found in the economic statistics program.
  3. Associated with the authority to collect information, the Statistics Act also requires that the information be kept confidential and not disseminated in a manner that could identify an individual, subject to certain exceptions.
  4. SSC was created on August 4, 2011, to assist the federal government in managing its IT infrastructure. Under the Shared Services Canada Act (SSCA) [Footnote 2], SSC is responsible for managing IT-infrastructure services related to email, data centres and networks used by 43 federal government institutions (referred to by SSC as partner organizations), including StatCan. An Order in Council issued on November 15, 2011 [Footnote 3], describes the transfer to SSC of the control and supervision of the email, data centre and network services unit of the federal public administration as set out in the schedule.
  5. Section 6 of the SSCA provides, among other things, that the Governor in Council may specify the government institutions that must obtain services through SSC and that are not permitted to meet their requirements for that service internally.
  6. A number of Orders in Council have been issued pursuant to section 6 of the SSCA. Order in Council 2015-1071 [Footnote 4], which was issued on July 16, 2015, specifies, among other things, the services that the designated minister must provide through SSC, and lists the various departments or other entities that must, or may, obtain IT services through SSC. Together, the provisions of the SSCA and the Order in Council provide that StatCan must exclusively obtain certain IT services from SSC, including services related to data centres and networks.

Investigation

Representations from the Complainant

  1. In his representations to our Office, the complainant submitted that the Statistics Act does not allow StatCan to divulge confidential statistical information to SSC as has been done since 2011, and contended that StatCan is not maintaining the level of protection of confidential respondent information and administrative data that is required under the Statistics Act.
  2. In addition to the allegations noted at paragraphs 1 and 2 of this Report, the complainant also raised concerns that it is unclear whether SSC employees with access to confidential census data have been sworn in under the Statistics Act, and what occurs if StatCan refuses to swear in an SSC employee who is to be involved in the operations of data centres where confidential data is stored. He further alleged that StatCan cannot establish mandatory operational procedures for the handling of its data, and that it has no guaranteed, immediate access to the sites where its data is stored for purposes of inspection, or any guarantee of SSC’s cooperation with audits of data security.
  3. The complainant raised an overarching concern that StatCan cannot withdraw from the imposed relationship with SSC, and is prohibited from providing data centre informatics services itself, or acquiring those services from any other third party.
  4. The complainant also referenced a CBC news article regarding a reported IT vulnerability involving SSC [Footnote 5], and questioned the safeguards and potential vulnerability of the information stored in shared data centres operated by SSC.

Representations from StatCan

  1. According to StatCan, SSC has the mandate to consolidate and streamline the delivery of IT infrastructure services across the Government of Canada. SSC has taken ownership of all Government of Canada data centres, including the former Statistics Canada Tunney’s data centre. All new StatCan projects, including the census, implement solutions using SSC’s services.
  2. StatCan informed us that the infrastructure required for the collection, processing and dissemination of the census data is found in an area of an SSC data centre located in Gatineau referred to as the “census enclave” and in the SSC Tunney’s data centre.
  3. StatCan submitted that the census enclave was configured with similar services (e.g. hardware, firewalls, networks, zones) and is essentially an extension of the SSC Tunney’s data centre. Both data centres are connected with a secure high speed connection. The census infrastructure deployed in the census enclave is physically segregated (i.e. no physical connection) from all other partners’ infrastructure deployed in the SSC Gatineau data centre. The cabinets where the census enclave systems are deployed are locked to prevent unauthorized physical access to the cabinets. The security posture in the census enclave was determined to be equivalent to that of the SSC Tunney’s data centre.
  4. With respect to the complainant’s allegation that the sharing of census information is in contravention of the Statistics Act, StatCan submitted that the Statistics Act requires that all information collected or obtained under the authority of that Act that could identify an individual, business or organization must be kept confidential and can only be released under strict conditions such as with the consent of the individual, business or organization that provided the information. StatCan contended that it is not in contravention of the Statistics Act, as no data was “transferred” to SSC. Rather, SSC took over responsibility and ownership of the data centre infrastructure, as well as the employees supporting it that formerly belonged to StatCan. All SSC employees who have access to the infrastructure in the SSC Tunney’s data centre, and the SSC Gatineau census enclave, as service providers, are deemed employees under the Statistics Act and subject to the oath and the same security provisions as StatCan employees.
  5. StatCan submitted that there are a number of controls in place which address this privacy complaint. First, StatCan has not authorized access to census information to any SSC employee. As noted above, StatCan has ensured that all SSC employees who have access to the IT infrastructure that contains census data are deemed employees under the Statistics Act and subject to the oath and sworn to keep census information confidential, even though they are not operationally required to open specific folders or view information contents.
  6. Moreover, StatCan submitted that all SSC employees who have access to the census infrastructure are cleared to secret, which exceeds the security classification of census information. The secret clearance also requires a highly enhanced level of reliability for these SSC employees.
  7. StatCan further submitted that the census IT infrastructure is physically separate from all other Government of Canada IT infrastructure, so that only SSC employees who are specifically authorized are able to access infrastructure that contains and processes census information.
  8. StatCan submitted that its arrangement with SSC for IT-related services is focused on ensuring the integrity and availability of StatCan data. The arrangement does not provide for access by SSC to the census data. According to StatCan, the census data is neither used by, nor disclosed to, SSC.
  9. StatCan submitted that it has completed a thorough Security Authorization and Accreditation (SA&A), based on the ITSG-33 [Footnote 6] control profiles recommended for Protected B information, on all census systems, including the infrastructure platforms provided by SSC on which all of those census systems run. At the end of this process, a careful risk-based analysis using the Communications Security Establishment’s (CSE’s) Harmonized Threat Risk Assessment (HTRA) methodology was conducted, and the remaining residual risk (including privacy-related risks) was determined to be within the risk tolerance as defined by the census program.
  10. StatCan also provided numerous reference documents to our Office as part of its response to this complaint. The following paragraphs outline some of the documents we reviewed during the investigation.
  11. StatCan’s Directive on the Security of Sensitive Statistical Information provides an overview of the safeguards implemented for statistical information and imposes obligations on StatCan’s Director of IT Operations Division in section 6.4 to ensure that appropriate procedures and controls are in place to protect all sensitive statistical information, including the information stored on IT infrastructure managed by an external partner such as SSC. The Directive also requires that staff of external partners, including SSC, who require access for job-related purposes to email, data centres and networks where sensitive statistical information is held are administered the oath of office as required by the Statistics Act, and that the number of deemed employees is limited to the minimum possible.
  12. StatCan informed us that its Threat Risk Assessment (TRA), conducted as part of its Generic Privacy Impact Assessment for its operations and which documents the various threats to its statistical operations, takes into account the deemed employees from SSC.
  13. StatCan also provided a copy of the Shared Services Canada Business Arrangement with Statistics Canada (the Business Arrangement) as well as the Complementary Agreement to the Business Arrangement (the Complementary Agreement). Both arrangements were entered into in May 2017 and thus post-dated the complaint to our Office.
  14. The Business Arrangement sets out the overall relationship between SSC and StatCan and describes the responsibilities of each organization. Among other things, the Business Arrangement provides that SSC is responsible for protecting its “IT infrastructure and associated data in transit, at rest, and in use”; for adhering to “any related Government of Canada policies, processes and procedures … including but not limited to security, privacy, management of IT security compliancy”; and collaborating with StatCan to manage cyber and IT security.
  15. The Complementary Agreement further describes the expectations specific to the ongoing business relationship between the two organizations. In particular, the Complementary Agreement states that StatCan retains the accountability of ensuring the protection of sensitive statistical information, which will always be protected according to explicit criteria, risk assessment and controls, including:
    • SSC employees take an oath to meet the requirements of the Statistics Act;
    • the establishment of operating protocols and monitoring of SSC personnel who are deemed employees of StatCan; and
    • documentation about the security of legacy and enterprise services.
  16. As noted above, deemed employees may be hired to assist with the statistical operations. StatCan provided a copy of its Directive on the Use of Deemed Employees which states at Section 6.5 that the Director General, Informatics Branch, has the responsibility to manage the access to protected StatCan information by SSC employees, including:
    • determining which SSC employees require access;
    • for those employees who are identified as requiring access, ensuring that the appropriate implementation procedures (as described in the appendices to the Directive) have been followed; and
    • providing to Policy Committee an annual report on access by employees of SSC.
  17. Any actions that contravene the security policies of the Government of Canada or StatCan could lead to administrative, disciplinary or statutory penalties when misconduct or negligence is involved. The nature of the penalties will depend on the nature of the offence. Employees, including deemed employees, who contravene the confidentiality provisions of the Statistics Act are subject to prosecution and are liable on summary conviction to a fine and/or imprisonment.
  18. StatCan also provided a number of documents which support its relationship with SSC for the provision of IT infrastructure services to support the 2016 Census, including:
    • SSC Service Level Agreement with StatCan for Network Security Service/Secure File Transfer for the Census 2016 Program (for period April 2014 to March 2017)
    • StatCan TRA for the 2016 Census
    • SSC 2016 Census Project Letter of Engagement
    • SSC 2016 Census of Population Operating Protocol
    • 2016 Census Security Assessment and Authorization Plan
    • Statement of Acceptable Risk for the Census 2016 Systems
    • StatCan Business Continuity Plan for IT Operations and Services
  19. According to the SSC 2016 Census of Population Letter of Engagement, the purpose of the partnership between SSC and StatCan is to ensure that the IT infrastructure services required to support the 2016 Census are delivered in accordance with StatCan's requirements and consistent with SSC's standards, mandate and objectives.
  20. The Letter of Engagement defines the engagement of SSC, and also presents the approach, scope, funding, and governance of the project as well as roles and responsibilities of the project members. The IT infrastructure services provided by SSC include: enterprise architecture, data centre, telecommunication (voice and data) services and IT security services.
  21. The Service Level Agreement between SSC and StatCan represents an agreement for the provision of IT services to ensure that the proper elements and commitments are in place to provide consistent IT service support and delivery to StatCan by SSC. The objectives of this Agreement are:
    • to provide clear reference to service ownership, accountability, roles and/or responsibilities;
    • to present a clear, concise and measurable description of service provision to StatCan; and
    • to match perceptions of expected service provision with actual service support and delivery.
  22. The SSC 2016 Census of Population Operating Protocol states that, as a common service department for IT, SSC is responsible for providing infrastructure to support IT and voice services to Statistics Canada as outlined in the Policy on Government Security (PGS) [Footnote 7]. The Operating Protocol focuses on SSC service delivery in support of the 2016 Census Project during the Census production phase. The Protocol provides a description of the Concept of Operations during the 2016 Census Production period. The level of detail of the document allows for support and delivery oversight of the services provided as defined in the SSC 2016 Census Project Letter of Engagement between StatCan and SSC.
  23. The Operating Protocol:
    • documents existing SSC 2016 Census Production services, support and delivery processes and procedures;
    • defines roles and responsibilities to support the 2016 Census Project delivery; and
    • describes the service components, SSC processes, as well as the day-to-day operational functions that encompass the 2016 Census Project Services.
  24. We also reviewed StatCan’s TRA for the 2016 Census. The TRA document evaluated safeguards protecting five Census 2016 internal-facing systems, and provided StatCan with risk information required to support informed risk-management decision-making regarding the security requirements for the 2016 Census.
  25. StatCan’s Security Assessment and Authorization (SA&A) Plan provides an assessment of the security controls in the Census 2016 solution in order to determine if the proposed controls are adequate and meet the security requirements for the system. The SA&A Plan identifies tasks and deliverables that provided SSC and StatCan with a level of confidence that the introduction of this system into the production environment will not introduce any unacceptable risks, and that existing systems and applications, individually and collectively, will continue to:
    1. operate within an acceptable level of residual risk to process information and to protect the confidentiality, integrity, availability and value of that information;
    2. adhere to the PGS, MITSS (Standard on the Security of IT (SSIT)), and the departmental security policies, security requirements, technical standards and operational procedures defined for the departmental infrastructure as well as those defined for individual systems and applications;
    3. operate so as not to create vulnerabilities or unintended interdependencies in other systems; and
    4. operate, as expected, without introducing new risks to the departmental infrastructure. A specific system should not decrease the availability of other systems nor should the security posture for the set of all systems within the departmental security zone be decreased because of a specific system.

Other

  1. As part of the census planning process, StatCan conducts a test approximately two years prior to each census. Our Office last received a PIA in May 2014, in advance of the 2016 Census of Population and National Household Survey. As the 2016 Census included new content and changes to previous collection procedures, the PIA assessed privacy risks and mitigating measures for the 2014 Census Program tests to address areas that changed since 2011.
  2. In response to StatCan’s PIA, our Office made several recommendations regarding the collection of new content, and also regarding the systems which fall under the control of SSC. In particular, we recommended that StatCan should amend the PIA to indicate the technical systems which are under the control of SSC, and should include any assessments of privacy risks undertaken by SSC related to technical infrastructure under its control.

Application

  1. In issuing our finding, we considered sections 3 and 8 of the Act. We also considered sections 5 and 6 of the Statistics Act, and sections 6 and 16 of the SSCA.
  2. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
  3. Under section 8 of the Act, personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with one of the categories of permitted disclosures outlined in subsection 8(2).
  4. Subsection 5(2) of the Statistics Act makes provision for the Minister to use the services of employees of the federal public administration to carry out any duty, power or function of StatCan pursuant to the Statistics Act. Such persons are considered to be "deemed employees" of StatCan.
  5. Section 6 of the Statistics Act provides that every person employed or deemed to be employed pursuant to the Act shall take and subscribe to an oath of office or solemn affirmation.
  6. Section 6 of the SSCA provides, among other things, that the Governor in Council may specify the services that the Minister must provide through SSC, the services that the Minister may provide through SSC, and terms and conditions respecting the provision of any such services.
  7. Section 16 of the SSCA states that, for the purposes of the Privacy Act, any personal information collected by other government institutions and that is contained in or carried on SSC's IT infrastructure on behalf of those institutions is not under the control of SSC.

Analysis

  1. In light of the complainant’s allegations, and given our mandate, our investigation focused on whether StatCan has contravened section 8 of the Act by transferring census data collected under the authority of the Statistics Act to SSC’s IT infrastructure. Our investigation also assessed whether StatCan has taken sufficient steps to oversee SSC’s handling of the census data on its behalf, consistent with its obligations under the Act.
  2. Recognizing that StatCan is subject to a strict confidentiality regime under the Statistics Act and is prohibited, with certain exceptions, from disclosing information it collects in a manner that could be linked to identifiable individuals, our Office first contemplated whether the transfer of census data to SSC’s IT infrastructure is in line with the requirements of the Act.
  3. The SSCA gives SSC the mandate to transform, build and operate the government's IT infrastructure. Pursuant to the SSCA, SSC is responsible for providing StatCan with IT infrastructure services. As a result of an Order in Council issued under the SSCA, StatCan is part of SSC’s mandatory client base for email, data centre and network services.
  4. In light of section 16 of the SSCA, personal information that is collected by other government institutions and that is contained in or carried on SSC’s IT systems on behalf of those government institutions, is not under the control of SSC for the purposes of the Act. [Footnote 8] Therefore, although the data may be contained on SSC’s IT systems, StatCan retains control of, and overall accountability for, the data for the purposes of the Act.
  5. This interpretation is consistent with TBS policies which place the onus on government institutions to take steps to safeguard personal information they have collected, even when it is transferred to others who may be handling the personal information on their behalf. [Footnote 9]
  6. Given SSC’s mandate to provide IT-related infrastructure and services to StatCan, we are satisfied that any transfer of personal information by StatCan to SSC for these purposes is authorized by the SSCA and is not contrary to the Privacy Act.
  7. Nevertheless, there are privacy considerations to take into account when transferring personal information to SSC’s IT infrastructure. Given that control and ownership of any personal information transferred to SSC’s IT infrastructure rests with the partner organization – StatCan in this case – care must be taken by the partner organization to ensure that it continues to fulfill its privacy obligations, in line with the spirit, intent and requirements of the Act.
  8. Personal information must be managed in accordance with the fair information practices embodied in sections 4 to 8 of the Act, the Privacy Regulations [Footnote 10], the TBS Policy on Privacy Protection [Footnote 11], the Directive on Privacy Practices [Footnote 12] and other privacy policy instruments.
  9. The Policy on Privacy Protection requires that institutions establish measures when personal information is involved to ensure that they meet the requirements of the Act when contracting with private sector organizations, or when establishing agreements or arrangements with public sector organizations. This includes ensuring that appropriate privacy protection clauses are included in contracts or agreements. Institutions must also adhere to the requirements of the Policy on Government Security [Footnote 13] for protecting government assets, including information, and must implement safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information.
  10. Consequently, privacy protection must be a core consideration in the transfer of personal information to SSC’s IT infrastructure. An agreement that defines the operational relationship with SSC, and which also defines the respective IT roles, responsibilities and expectations for any transfer, safeguarding or transmission of personal information, is key to ensuring accountabilities. This will also result in stronger assurances for the partner organization that adequate safeguards have been implemented to protect personal information.
  11. Our investigation reviewed the measures taken by StatCan to define its relationship with SSC and to ensure that privacy and security considerations were taken into account when it transferred census data to SSC’s IT infrastructure, including the steps taken to mitigate any risks of unauthorized disclosure.
  12. As noted above, StatCan provided a number of documents to our Office which support its arrangement with SSC. StatCan also outlined the controls which have been put in place to safeguard census data housed on SSC’s IT infrastructure. StatCan’s ongoing business relationship with SSC has also been defined through the Business Arrangement and Complementary Agreement, which outline StatCan’s accountability for the protection of sensitive statistical information, SSC’s responsibilities to protect its IT infrastructure, and the controls implemented in relation to SSC employees.
  13. Following our review, we are satisfied that reasonable steps have been taken by StatCan to define its relationship with SSC, and to ensure that the necessary controls and commitments are in place for SSC to provide IT service and delivery to StatCan. In our view, StatCan has taken measures to exercise a level of oversight over SSC’s handling of statistical data, and has exercised due diligence in transferring data to SSC’s IT infrastructure.
  14. With respect to the complainant’s concerns regarding the risk of unauthorized disclosure of StatCan data housed on SSC’s IT infrastructure, including his concern that there is a risk of disclosure of confidential census data when it is decrypted for processing, we note that StatCan has, through collaboration with SSC, put in place a combination of technical and operational safeguards to reduce the risk of unauthorized disclosure. In particular, through a TRA, StatCan has assessed the threats and system vulnerabilities that could affect service delivery, determined the level of risk based on current safeguards and vulnerabilities, and made recommendations for safeguards to mitigate risk to an acceptable level. In addition, StatCan has conducted a thorough SA&A process to ensure all residual risks are within acceptable levels of risk tolerance as defined by the Census Program.
  15. The complainant also raised concerns that StatCan cannot establish mandatory operational procedures for the handling of its data, and it has no guaranteed, immediate access to the sites where its data is stored for purposes of inspection, or any guarantee of SSC’s cooperation with audits of data security.
  16. We recognize that there may be challenges surrounding the roles and responsibilities of SSC and its role as IT provider to StatCan. Nevertheless, as noted above, we are satisfied that StatCan has taken measures to exercise a level of oversight over SSC’s handling of statistical data. StatCan has articulated its expectations, as well as its business and operational relationship with SSC in a number of agreements and documents, as highlighted in the present report. The evidence before us indicates that both StatCan and SSC are taking responsibility for protecting StatCan’s statistical data and that they are collaborating closely to this end.
  17. We note that SSC has also recognized that it must ensure that all processes and safeguards are in place to properly manage the information holdings that have been entrusted to it as part of its enterprise services, including implementing all required security and privacy controls, as well as facilitating access to partners’ data to meet all legislative and administrative obligations. [Footnote 14] Moreover, SSC recognizes that, as a practical matter, protecting the personal information that it maintains on behalf of other government institutions is a “shared responsibility”. [Footnote 15] Accordingly, this speaks to both SSC and partners which rely on services provided by SSC working together to ensure that personal information is protected.
  18. The complainant also raised concerns regarding the authority of StatCan to swear in SSC employees as deemed employees under the Statistics Act, whether SSC employees with access to confidential census data have in fact been sworn in under the Statistics Act, and that StatCan may have no meaningful supervision over the actions of those SSC employees.
  19. According to StatCan, all SSC employees who have access to the census infrastructure are deemed employees under the Statistics Act and subject to the oath and the same security provisions as StatCan employees. This is also articulated in StatCan's Directive on the Use of Deemed Employees. As noted above, StatCan has committed to monitoring SSC employees who have deemed employee status.
  20. Given that StatCan has the authority under the Statistics Act to use the services of non-StatCan employees, including SSC employees, and given the general measures it has put in place to mitigate against the risks of unauthorized access, in our view, there is no contravention of the Privacy Act by virtue of StatCan exercising its authority in this way.
  21. StatCan retains the responsibility for the continued delivery of its programs and the protection of its sensitive data, even when stored on infrastructure that is managed by SSC. In this respect, the duties imposed on the Chief Statistician under the Statistics Act remain the same, and it does not seem to us that the requirement to use SSC’s services is necessarily incompatible with the role that is provided for StatCan by the Statistics Act. Rather, the transfer of ownership of IT infrastructure to SSC has forced StatCan to work closely with SSC to ensure that it has policies and processes in place to allow it to exercise this role and its responsibilities.
  22. In conclusion, while the complainant has raised legitimate concerns regarding the transfer of the management of StatCan’s informatics infrastructure to SSC, StatCan is legally obliged to use SSC’s services and has, from the evidence before us, taken appropriate steps to mitigate the risks associated with the transfer. In light of this, and in the absence of specific evidence pointing to a failing on the part of StatCan or SSC to adequately protect the data that has been transferred to SSC’s infrastructure, we cannot conclude that there has been a violation of the Act in the circumstances.

Disposition

  1. In light of the above, it is our view that StatCan is not in contravention of the requirements of section 8 of the Act, and we consider this complaint to be not well-founded.