Research Portal Privacy Impact Assessment Summary (2015)

Introduction

The transition of Natural Sciences and Engineering Research Council (NSERC) and Social Sciences and Humanities Research Council (SSHRC) (the agencies) program delivery services to the Research Portal solution is intended to modernize existing technology and replace the agencies’ current grant management systems.

Objectives

The agencies conducted a joint privacy impact assessment (PIA) to meet their obligations under the Privacy Act and the Treasury Board of Canada Secretariat's (TBS) policies, directives, standards and guidelines regarding privacy, information management and security; and to address the factors set out by the Office of the Privacy Commissioner of Canada in Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada.

The PIA was conducted to develop an informed assessment of the privacy risks associated with using the Research Portal and related client relationship management (CRM) tools, and to inform recommendations to mitigate any identified privacy risks to an acceptable level.

Description

The Research Portal is designed to receive thousands of applications for grants and awards administered by both agencies, and to process, in part, nine of the agencies’ 79 funding opportunities through the complete business cycle (i.e., from application to assessment to award, etc.).

The agencies’ programs and activities have not changed substantively with the implementation of the Research Portal. No new types of personal information are collected, used or disclosed in relation to the Research Portal and CRM. Rather, the new system provides the agencies with a more efficient and harmonized means of managing the application, review, decision and funding processes.

Risk area identification and categorization

The PIA found that the agencies apply privacy best practices and are reasonably compliant with the requirements of the Privacy Act and related TBS policies, directives and guidelines. The PIA identified risk areas and categorized their level of potential risk (with level 1 representing the lowest level of potential risk, and level 4 the highest) associated with the collection and use of personal information through the Research Portal.

The risk levels identified are as follows:

  1. Type of program or activity: Level 2: Administration of program or activity and services.
     Details:
       Personal information collected via the Research Portal is intended to be used mainly for administrative purposes (i.e., the information is to be used for the purpose of making decisions about an identifiable individual). It is primarily used to receive and assess applications, administer the review process from beginning (apply) to end (decision), to communicate with applicants and other participants in the review process, and to award/monitor funding.
       In addition to the administrative uses described, information may also be used for non-administrative purposes, to perform planning, statistical, evaluation, external relations, communication and reporting activities.

  2. Type of personal information involved and context: Level 2: Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
     Details:
       The Research Portal involves the collection and management of personal information of applicants, partners, third parties, reviewers, and committee members.
       In most cases, personal information is first collected, with the consent of the individual, by an administrating organization (e.g., university), which then submits the application to the appropriate agency.

  3. Program or activity partners and private sector involvement: Level 3: With other institutions or a combination of federal, provincial, or territorial and municipal governments; and Level 4: With private sector organizations, international organizations or foreign governments.
     Details:
       Some stakeholders (e.g., reviewers and committee members) may be selected from external organizations (e.g., postsecondary institutions and cross-sectoral organizations) to participate in the review of applications. For this purpose, the agencies have developed the Conflict of Interest and Confidentiality Agreement for Review Committee Members, External Reviewers, and Observers, in accordance with the Conflict of Interest and Confidentiality Policy of the Federal Research Funding Organizations. The agencies’ policy requires that these stakeholders meet the highest standards of ethical behaviour, in order to maintain and enhance public confidence in the agencies’ ability to act in the public’s best interest.

  4. Duration of the program or activity: Level 3: Long-term program or activity.
     Details:
       The Research Portal is a system developed to be used until the new Research Portal project delivers a comprehensive subsequent solution in a few years.

  5. Program population: Level 3: The program’s use of personal information for external administrative purposes affects certain individuals.
     Details:
       The agencies’ use of the Research Portal involves the use of personal information primarily for administrative purposes. Before accessing the Research Portal, individuals must review and accept the agencies' general terms and conditions and transparency terms, which include a security statement and links to the respective agency's statement on the use and disclosure of personal information.

  6. Technology and privacy: The Research Portal will use a custom-built application and Microsoft SharePoint software, and the CRM will use Microsoft Dynamics CRM 2011 software.
     Details:
       Both applications have been configured by the agencies to support the administration of funding programs, including the collection and handling of personal information, as well as the delivery and management of funds, and subsequent reporting.

  7. Personal information transmission: Level 4: The personal information is transmitted using wireless technologies.
     Details:
       At the time of this PIA, no statement of sensitivity or threat and risk assessment for the Research Portal and CRM has been completed. However, a threat and risk assessment is planned for the 2015-16 fiscal year.

Based on the summary, the agencies’ current use of the Research Portal and CRM presents a potential for moderate risk to the privacy of individuals.

Conclusion

Several mitigation measures have been developed in response to the main privacy risks identified. Once implemented, these measures will help improve privacy safeguards, processes and overall compliance with relevant policies, directives, standards and guidelines. Many of the risks are actively being addressed. Once residual privacy risks have been fully mitigated, the Research Portal is likely to present minimal risk to the privacy of individuals.

Next steps

A detailed action plan will be developed in 2015-16, and mitigation measures will be implemented according to the timelines established.