
Privacy Impact Assessment of the Lobbyist Registration System

Government Institution: Office of the Commissioner of Lobbying (OCL)

Head of the Government institution: Nancy Bélanger, Commissioner of Lobbying

Executive of the program or activity: François Bertrand, Director, Corporate Services


Name and description of the program or activity

The Lobbyist Registration System (LRS) is a system developed by the OCL to facilitate the registration of lobbyists and their activities and the filing of Monthly Communication Reports (MCRs) in accordance with the Lobbying Act. The LRS contains the names of registrants and of the individual lobbyists carrying out lobbying activities, as well as the names, business addresses, business email addresses and telephone numbers of their firms (consultant lobbyists) and employers (in-house corporation and organization lobbyists). It also contains the names of the government institution(s) they are communicating with, as well as the subject matter of the lobbying activities they are required to report under the Act and the Lobbyists Registration Regulations. In the case of former public office holders, the database contains information related to past positions they occupied within the federal government.

The online Registry, in accordance with the Act, also includes prescribed information regarding lobbyists' communications with Designated Public Office Holders (DPOHs) and information regarding the five-year prohibition on lobbying by former DPOHs, as well as effective dates, exemptions and other relevant data. Through the online Registry of Lobbyists, anyone can search for lobbyists and lobbying activities.

All data submitted to the OCL is a matter of public record, to ensure transparency of lobbying activities so that the general public, the media and public office holders may know who is lobbying the government, for what purpose and in whose interest. Some information provided by registrants, however, such as internal dialogues with OCL advisors and LRS dashboard warnings about late filings, is not made public.

Legal authority

Personal information provided to the OCL via the LRS is collected under the authority of the Lobbying Act.

Class of Records and Personal Information Bank (PIB):

1. Class of Records:
Registration
Record Number: OCL ROL 005
Compliance
Record Number: OCL RAIN 040

2. PIB:
Lobbyist Registry Personal Information Bank
Related Record Number: OCL ROL 005
TBS Registration: 009943
Bank Number: OCL PPU 039
Reviews and Investigations Personal Information Bank
Related Record Number: OCL RAIN 040
TBS Registration: 20110256
Bank Number: OCL PPU 040

Description of the project, initiative or change

In the past, the OCL's exemption request process required individuals to make a written request for exemption following the instructions published by the OCL on its website. Making the exemption process available through the LRS is intended to make it more efficient and more in line with today's technology. This PIA therefore examines the business process and data flows, as well as the policies and procedures relating to the LRS, including the online exemption request process, in order to identify and evaluate potential risks to the privacy of personal information and to recommend options for mitigating any privacy risks identified. The PIA further evaluates the existing privacy safeguards to determine whether they are sufficient to avoid or mitigate potential privacy risks, and whether additional safeguards are required for the collection, use, disclosure, retention and disposal of personal information.

Risk area identification and categorization

1.1 Type of program or activity

Level of risk to privacy:

  1. Program or activity that does NOT involve a decision about an identifiable individual. Personal information is used strictly for statistical/research or evaluations, including mailing lists where no decisions are made that have a direct impact on an identifiable individual. (The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection requires government institutions to establish an institutional Privacy Protocol for addressing non-administrative uses of personal information.)
  2. Administration of Program / Activity and Services. Personal information is used to make decisions that directly affect the individual (e.g. determining eligibility for programs, including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licences, processing appeals, etc.).
  3. Compliance / Regulatory investigations and enforcement. Personal information is used for purposes of detecting fraud or investigating possible abuses within programs where the consequences are administrative in nature (e.g. fines, discontinuation of benefits, audit of personal income tax file, or deportation in cases where national security and/or criminal enforcement is not an issue).
  4. Criminal investigation and enforcement / National Security. Personal information is used for investigations and enforcement in a criminal context (e.g. decisions may lead to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement).

Details

Administration of Program/Activity and Services

Information collected via the LRS is used by the OCL for administrative purposes to:

  • Meet the requirements of the Lobbying Act and the Lobbyists Registration Regulations;
  • Administer the LRS and online Registry;
  • Ensure the accuracy of the information collected (registration content, monthly communication reports, and exemption request content); and
  • Analyze the permissibility of exemption from lobbying.

Aggregate information may also be used to inform program and policy planning and design; for audit, evaluation and review; to generate statistics for departmental reports and publications; and for reporting to senior management.

Compliance / Regulatory investigations and enforcement

The Commissioner of Lobbying also has the authority to investigate alleged breaches of the Lobbyists' Code of Conduct or of the Lobbying Act.

Because the Code is a non-statutory instrument, breaches of it are not subject to criminal charges or sanctions. At the end of an investigation of an alleged breach of the Code, the Lobbying Act requires the Commissioner to table a report of findings, conclusions and reasons for those conclusions in both Houses of Parliament. With the exception of certain cases (e.g. allegations of unregistered lobbying), the personal information of individuals who may be subject to an investigation is retained in the LRS and accessible to the OCL's Investigations Branch.

Criminal Investigations and Enforcement

Breaches of the Lobbying Act may lead, on conviction, to fines, imprisonment or both for individuals found in contravention of the Act. Such cases are referred by the OCL to a peace officer for investigation; the resulting criminal investigations themselves are out of scope for this PIA.

1.2 Type of personal information

Level of risk to privacy:

  1. Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. For example: general licensing, or renewal of travel documents or identity documents.
  2. Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. For example: an application process with a requirement for independent verification of certain non-sensitive factual details.
  3. Social Insurance Number, medical, financial or other sensitive personal information, and/or a sensitive context surrounding the personal information; personal information of minors or incompetent individuals, or involving a representative acting on behalf of the individual. For example: personal information that by association indirectly reveals information on the health, financial situation, religious or lifestyle choices of the individual.
  4. Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, and/or a particularly sensitive context surrounding the personal information. For example: personal information that reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and which, by association, reveals similar details about other individuals, such as relatives.

Details

Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source

The LRS involves the collection, use, disclosure, retention and disposition of personal information of two categories of users:

  1. Consultants - any individual who is paid to communicate with public office holders on behalf of a client; and
  2. In-House Lobbyists – individuals that communicate with public office holders on behalf of the corporation or the organization that employs them.

The information collected is required to meet the requirements of the Lobbying Act. While information collected under the Lobbying Act is a matter of public record, some of the information collected is not exposed to the public.

1.3 Program or activity partners and private sector involvement

Level of risk to privacy:

  1. Within the institution (among one or more programs within the same institution)
  2. With other government institutions
  3. With other institutions or a combination of federal, provincial or territorial, and municipal governments
  4. Private sector organizations, international organizations or foreign governments

Details

Within the institution

While anyone can have access to the public-facing online Registry, two internal groups within the OCL have access to all of the information within the LRS.

  1. Registration, Policy and Public Affairs Directorate – is responsible for developing and maintaining the Lobbyists Registration System (LRS) and the online Registry of Lobbyists. Employees of the Registration, Policy and Public Affairs Directorate process lobbyists' registrations and offer client service to registrants, public office holders, and the general public.
  2. Investigations Directorate – conducts monitoring and compliance verification activities to ensure that registrable lobbying activity is properly reported, and information provided by lobbyists is thorough, accurate and complete. Suspected and alleged non-compliance with the Lobbying Act and the Lobbyists’ Code of Conduct is reviewed and, where appropriate, formal investigations are undertaken to ensure that lobbying activities are ethical and transparent. The Investigations Directorate also reviews applications for exemption from the five-year post-employment prohibition on lobbying to ensure that exemptions are granted only when to do so would be consistent with the purposes of the Act.

With other government institutions

Breaches of the Lobbying Act may require the OCL, on behalf of the Commissioner, to disclose information to a peace officer (e.g. RCMP, other provincial/territorial police services, etc.) in accordance with subsection 10.4(7) of the Lobbying Act, which states:

  • “(7) If, during an investigation under this section, the Commissioner believes on reasonable grounds that a person has committed an offence under this or any other Act of Parliament or of the legislature of a province, the Commissioner shall advise a peace officer having jurisdiction to investigate the alleged offence and immediately suspend the Commissioner’s investigation.”

If the referral does not result in a charge or conviction, the Commissioner may decide to cease the investigation or continue to investigate and report to Parliament. After the completion of an investigation of an alleged breach of the Code, the Commissioner is required to publish findings and conclusions in a report submitted to Parliament and made public, whether or not the allegation is well-founded. If an investigation is ceased, the Commissioner is not required to table a report to Parliament.

With private sector organizations

Other private entities may be provided access to the information within the LRS for the purposes of fulfilling their official job duties. This may include, for example, contractors that may be hired by the OCL to work in an official capacity.

1.4 Duration of the program or activity

Level of risk to privacy:

  1. One-time program or activity: typically involves offering a one-time support measure in the form of a grant payment as a social support mechanism.
  2. Short-term program: a program or an activity that supports a short-term goal with an established "sunset" date.
  3. Long-term program: an existing program that has been modified or is established with no clear "sunset".

1.5 Program population

Details

The program affects certain individuals for external administrative purposes

The OCL’s use of the information collected via the LRS involves the use of personal information for administrative purposes. Given that the population of individuals who submit information to the OCL is targeted specifically to those individuals taking part in lobbying activities (as described in sections 5 and 7 of the Lobbying Act), and information is submitted with the knowledge that most of it will be made publicly available, it is unlikely that the LRS or the online exemption process will present widespread risks to a large population of individuals.

1.6 Technology

Through the public-facing online Registry of Lobbyists, anyone can search the information disclosed by lobbyists in accordance with the Act. The LRS is the application that allows individuals who are paid, by an employer or a client, to communicate with public office holders to register their lobbying activities, file monthly communication reports and make exemption requests. The information collected via the LRS is submitted by individuals, either Consultants or In-House Lobbyists, transmitted over a Secure Sockets Layer (SSL) connection, and stored in a Microsoft SQL Server database (the Database) hosted on servers managed and controlled by the Office of the Privacy Commissioner of Canada (OPC). All information held in the Database is encrypted at rest.

The servers that house the LRS are located in a Secret-rated, access-controlled zone. All physical access to this area is monitored and logged, and authorized access is given to only a small group of employees. Electronic access to the servers is also logged, and the administrator credentials for the servers are rotated weekly. Password control software also logs each time an employee accesses their administrator credentials.

All information collected via the LRS (registrant, MCR and exemption information) is assigned request numbers, generated by the system, that the OCL uses to identify registrants. These numbers are cross-referenced in the Database and manually entered into the OCL's SharePoint file management system (CRM) and the Investigations Directorate's Information Management System (IDIMS). Some information produced from the LRS may also reside in GCDOCS (the Government of Canada's information management system).

1.7 Data transmission

All information submitted via the LRS and transmitted to the Database travels over an SSL connection, and all information stored within the Database is encrypted at rest. Login secrets, namely passwords and secret-question answers, are stored as salted MD5 hashes. Two caveats apply to that description: the SSL protocol versions themselves (SSL 2.0 and 3.0) have been prohibited by RFC 6176 and RFC 7568, so "SSL" in current deployments generally refers to TLS; and MD5 is a fast general-purpose digest rather than a deliberately slow password hashing function, so the salt defeats precomputed tables but does not raise the cost of high-speed offline guessing.
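The page states that passwords and secret-question answers are stored as salted MD5 hashes. Current guidance (NIST SP 800-63B and the OWASP Password Storage Cheat Sheet) calls instead for a salted, deliberately slow key derivation function such as PBKDF2, bcrypt, scrypt or Argon2, because the cost of each verification is what limits an attacker who obtains the stored hashes. The following Python example is added here for illustration and is not code from the LRS or the OCL: it implements the salted-MD5 scheme as described beside a PBKDF2-HMAC-SHA256 scheme from the standard library, verifies both with a constant-time comparison, and runs a small offline dictionary attack against a constructed record so the difference in guess rate can be measured. The record format, the sample wordlist, the sample password and the iteration counts are the example's own choices.

```python
"""Added example: salted MD5 (as the page describes) beside PBKDF2-HMAC-SHA256.
Illustrative only; not code from the LRS or the OCL."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Record format used by this example only: "<alg>$[<params>$]<salt hex>$<digest hex>".


# --- Scheme as described on the page: salted MD5 -------------------------------
def md5_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def md5_verify(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "md5":
        return False
    _, salt_hex, digest = parts
    calc = hashlib.md5(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison


# --- Hardened form: PBKDF2-HMAC-SHA256 with an explicit work factor -----------
PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The iteration count is stored with the record so it can be raised later
    # and old records re-hashed on next successful login.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Offline dictionary attack against a leaked record ------------------------
def crack(record: str, verify: Callable[[str, str], bool],
          wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate that verifies, or None. Each candidate costs one
    hash computation; that per-guess cost is what separates MD5 from a real KDF."""
    for candidate in wordlist:
        if verify(candidate, record):
            return candidate
    return None


def guesses_per_second(record: str, verify: Callable[[str, str], bool],
                       seconds: float = 0.25) -> float:
    """Single-core, pure-Python guess rate against `record` (order of magnitude only)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        verify(f"not-the-password-{n}", record)
        n += 1
    return n / seconds


# Constructed sample wordlist for the demonstration (not real LRS data).
SAMPLE_WORDLIST = ["123456", "password", "ottawa2019", "lobbying", "Parliament!", "correct horse"]

if __name__ == "__main__":
    md5_rec = md5_store("lobbying")
    pbk_rec = pbkdf2_store("lobbying", iterations=50_000)  # lowered so the demo runs quickly
    print("MD5    recovered:", crack(md5_rec, md5_verify, SAMPLE_WORDLIST),
          f"at ~{guesses_per_second(md5_rec, md5_verify):,.0f} guesses/s")
    print("PBKDF2 recovered:", crack(pbk_rec, pbkdf2_verify, SAMPLE_WORDLIST),
          f"at ~{guesses_per_second(pbk_rec, pbkdf2_verify):,.0f} guesses/s")
```

Both schemes recover the weak sample password from the wordlist; the point of the demonstration is the ratio of the two guess rates, which is roughly the iteration count, and which a GPU-based attacker enlarges by several more orders of magnitude for MD5 than for an iterated KDF.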

Through the online Registry, any individual can search and review information that has been disclosed by lobbyists in accordance with the Act. To do this, individuals must have a standard internet connection.

Registrations and Monthly Communication Reports (MCR)

Before registration or MCR content can be entered, an account must first be created in the LRS. Using an internet connection, the user builds a profile with a username, password and secret-question information. The account is then activated and the user can log in with their unique credentials and enter their registration information into the LRS. The registrant information is transmitted over an SSL connection to the LRS, where it is stored within the Database.

MCR verifications

Designated Public Office Holders (DPOHs) are required to review and comment on MCRs in which their name occurs. DPOHs do not have account access to the LRS. Instead, the OCL provides a DPOH with a temporary account via a tokenized link sent by e-mail. The DPOH must click on this link to reach an interface (over an SSL connection) that allows them to review and comment on the MCRs in which their name occurs. This verification process is intended to ensure the accuracy of the information submitted by lobbyists. Once the process is complete, the account is deactivated and the DPOH can no longer access the system. The temporary account is also set to time out after 30 days.

Exemption Request Process

Similarly to the MCR verification process, when a user applies for an exemption under the Act the system sends a tokenized link to the user so that they may log in and submit their application. This link is time-sensitive and expires within 24 hours. During the application process the user can upload documents, which may include personal information, in support of the request. In addition to being stored in the Database, information related to the exemption request is manually copied into the OCL's CRM/SharePoint system.
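Both the DPOH verification flow and the exemption request flow above rely on an e-mailed link carrying a temporary token. The following Python example is added for illustration and is not code from the LRS: it issues high-entropy tokens with the two lifetimes the page gives (30 days for MCR verification, 24 hours for exemption links), stores only a SHA-256 digest of each token so that a copy of the table does not yield working links, refuses tokens that are expired, already completed or presented to the wrong interface, and deactivates access when the task is finished, before the lifetime runs out. The purpose labels, record fields, clock injection, sample address and sample request number are constructed for the example.

```python
"""Added example (not LRS code): time-limited tokenized links for temporary access,
modelled on the page's DPOH MCR verification (30-day lifetime, deactivated once the
review is complete) and exemption-request links (24-hour lifetime)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MCR_VERIFICATION_TTL = 30 * 24 * 3600  # 30 days, as stated on the page
EXEMPTION_LINK_TTL = 24 * 3600         # 24 hours, as stated on the page


def _token_digest(token: str) -> str:
    # Only a hash of the token is stored: a read of the table (or of a backup) must not
    # yield working links. A 256-bit random token needs no salt or slow KDF.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenRecord:
    subject: str          # e.g. DPOH e-mail address or exemption request number (constructed)
    purpose: str          # "mcr_verification" or "exemption_request" (labels chosen here)
    expires_at: float     # absolute epoch seconds
    completed: bool = False  # set when the task is done; the page's "account deactivated"


@dataclass
class TokenStore:
    now: Callable[[], float] = time.time                                # injectable clock
    records: Dict[str, TokenRecord] = field(default_factory=dict)      # digest -> record

    def issue(self, subject: str, purpose: str, ttl_seconds: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; returned once, never stored
        self.records[_token_digest(token)] = TokenRecord(subject, purpose, self.now() + ttl_seconds)
        return token

    def resolve(self, token: str, purpose: str) -> Optional[TokenRecord]:
        """Return the record if the token is live for this purpose, else None.
        Unknown, completed, wrong-purpose and expired all look identical to the caller."""
        rec = self.records.get(_token_digest(token))
        if rec is None or rec.completed or rec.purpose != purpose:
            return None
        if self.now() >= rec.expires_at:
            return None
        return rec

    def complete(self, token: str, purpose: str) -> bool:
        """Deactivate the temporary access once the task is done, ahead of the TTL."""
        rec = self.resolve(token, purpose)
        if rec is None:
            return False
        rec.completed = True
        return True

    def purge_expired(self) -> int:
        """Housekeeping: drop records past their TTL; returns the number removed."""
        now = self.now()
        dead = [d for d, r in self.records.items() if now >= r.expires_at]
        for d in dead:
            del self.records[d]
        return len(dead)


def build_link(base_url: str, path: str, token: str) -> str:
    # The token travels in the URL, so it can land in web-server and proxy logs and in
    # browser history; the short TTL and hashed storage limit what such a copy is worth.
    return f"{base_url.rstrip('/')}/{path.lstrip('/')}?token={token}"


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("dpoh.reviewer@example.com", "mcr_verification", MCR_VERIFICATION_TTL)
    print(build_link("https://registry.example.invalid", "/mcr/verify", t))
    print("live:", store.resolve(t, "mcr_verification") is not None)
    store.complete(t, "mcr_verification")
    print("live after completion:", store.resolve(t, "mcr_verification") is not None)
```

The clock is injected rather than read from `time.time()` directly so that the 30-day and 24-hour expiries can be exercised deterministically; in a deployment the same check would run against the database's clock at each request.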

1.8 Impact on individuals in the event of a breach

Most of the information collected by the OCL is made available to the public in accordance with the Lobbying Act, and some of this information is not considered personal information under the Privacy Act. Some personal information, however, is not disclosed to the public, namely:

  • Registration process: internal notes and clarifications;
  • MCRs: notes made by DPOHs on errors found; and
  • Exemption process: applicant contact information, work history, supervisor and colleague contact information, and supporting documentation such as letters of offer, proof of departure and correspondence received from the Conflict of Interest and Ethics Commissioner.

In the event of a privacy breach of the LRS there could be a potential of causing (without limitation) loss of privacy, inconvenience, or embarrassment detrimental to the individual’s career and reputation.

1.9 Institutional impact in the event of a Breach

In the event of a privacy breach, the OCL may suffer damage to its reputation, which in turn could potentially attract negative public interest or criticism. The OCL could also be subject to civil litigation and liability for privacy breaches that result in harm to an individual.

Recommendations

Issue: Collection (identifying purposes)
Concern: The TBS Directive on Privacy Practices (section 6.2.9) requires a privacy notice informing individuals of the collection, use, disclosure, retention and disposition of their personal information, and sets out the criteria for that notice. While the OCL has a Privacy Notice on the main page of its website, a context-specific notice for the LRS has yet to be drafted and finalized. The notice should be placed where an individual will read it before creating a user account in the LRS.
Risk level: Low
Mitigation measure: The OCL should develop and finalize a context-specific notice for the LRS. Best practice would be to place the notice at the outset of the LRS login page; if this is not possible, the OCL should ensure that the context-specific notice is placed in a prominent and easily visible location.

Issue: Retention of personal information
Concern: Registration and MCR information is retained in the LRS indefinitely. Information collected under the Privacy Act should not be retained indefinitely: section 6(1) of the Privacy Act provides that personal information used for an administrative purpose be retained for the prescribed period so as to preserve the individual's right of access, and section 6(3) requires that personal information be disposed of in accordance with the retention and disposition schedules set out by Library and Archives Canada. In addition, the capacity to retain significant amounts of personal information over time increases the risks and consequences of a potential data breach.
Risk level: Low
Mitigation measure: The retention and disposition schedules related to the personal information retained by the OCL have been developed and are documented in PIBs OCL PPU 039 and OCL PPU 040. The OCL should ensure that the retention and disposition authorities that apply to registration, MCR and exemption records held in paper files also apply to the same information stored electronically in the LRS.

Issue: Safeguards (Administrative: protocol for non-administrative use of personal information)
Concern: Section 4.2.15 of the TBS Policy on Privacy Protection makes institutions responsible for "Establishing a privacy protocol within the government institution for the collection, use or disclosure of personal information for non-administrative purposes, including research, statistical, audit and evaluation purposes." The OCL aggregates information in the LRS for use in statistical reports but has not established a privacy protocol for non-administrative purposes.
Risk level: Low
Mitigation measure: The OCL should ensure that effective internal privacy practices are developed and formalized for uses of personal information other than the administrative purposes for which it is collected under the Lobbying Act, including research, statistics, audit and evaluation.

Issue: Safeguards (Technical: Statement of Sensitivity and Threat and Risk Assessment)
Concern: Safeguards must be commensurate with the sensitivity of the information, the risks identified, and the nature of the media in which the information is stored, handled and transmitted. Information on the completion of a Statement of Sensitivity (SoS) and Threat and Risk Assessment (TRA), or a similar assessment, for the facilities, equipment and support systems where personal information is recorded and stored was not provided at the time of this PIA.
Risk level: Low
Mitigation measure: The OCL plans to complete these activities by the end of the 2019/20 fiscal year. The OCL should ensure that the SoS and TRA are completed, that assurances have been obtained from the officials responsible for the LRS, and that any recommended measures have been implemented to confirm the confidentiality, availability and integrity of the information. Any residual risks to personal information identified in the SoS/TRA should be known to, and accepted by, the executive or senior official responsible for the LRS and the Head or delegated authority for the Privacy Act.

Issue: Technology and privacy issues (Training and awareness)
Concern: Institutions must identify any awareness activities related to privacy protection requirements in the new environment.
Risk level: Low
Mitigation measure: Program-level privacy and security training and awareness should be implemented by the OCL to ensure that all personnel with access to personal information are fully aware of their obligations with respect to the collection, use, disclosure and retention/disposition of personal information in relation to the LRS.