National Fine Recovery Program (NFRP)
Executive Summary
Introduction
The Public Prosecution Service of Canada (PPSC) is responsible for administering the recovery of outstanding federal fines under the terms of an assignment issued by the Attorney General of Canada in 2007.
The mandate of the National Fine Recovery Program (NFRP) is to enforce sentences by recovering outstanding court-ordered fines levied against individuals and companies convicted under federal statutes. Outstanding fines are recovered through various types of intervention such as private collection agencies, civil litigation measures and set-off of income tax refunds, and GST/HST credits through the Canada Revenue Agency.
Overview and Initiation of the Privacy Impact Assessment
NFRP is responsible for tracking and managing fines as they fall into default. Personal information contained in prosecution files is recorded in the PPSC’s case management system, which allows NFRP to monitor fines as they become overdue for payment. The collection and use of this personal information are consistent with the purposes identified in the Personal Information Bank PPSC PPU 001.
The PPSC outsources a portion of fine recovery efforts to private collection agencies. This results in the disclosure of basic information by NFRP (i.e. name, date of birth, address, phone number, court file number, amount of fine, and court house address) to Canadian private sector organizations acting on behalf of the PPSC.
The PPSC has decided to change its recovery model to a hybrid approach. In addition to collection agencies, the NFRP now collects, discloses, and retains more information with various other partners such as credit bureaus and federal, provincial and territorial government departments. This represents a substantial modification to the NFRP’s activities and it was determined that a Privacy Impact Assessment (PIA) would be required to evaluate any risks to the personal information that is collected, disclosed, used, and retained as part of this process, as set out in the Treasury Board’s Directive on Privacy Impact Assessment.
Risk Area Identification and Categorization
The PIA has identified a series of privacy risks for the organization and included detailed mitigation strategies for each risk. These recommendations are part of an integrated privacy risk management approach designed to reduce the level of risk found within the operational environment.
The risks that were identified are mainly concentrated on the theme of Accountability and Safeguarding. Below is a high-level summary of the recommendations identified in the PIA report, under which the PPSC should:
Corporate Risks
Level of risk to privacy: HIGH
- Review the evaluation of the privacy provisions and requirements contained in the contract solicitation process, as privacy experts are not normally included in the process.
- Implement a formalized data management strategy, migration plans and processes for data migration at the end of contractual agreements with suppliers.
- Harmonize the definition of “personal information” as well as the application of what may constitute a “privacy breach.” It is further recommended that PPSC ensure all suppliers under contract with PPSC adopt the PPSC Breach Protocol and procedures and integrate those into their operating environments when managing PPSC data through its lifecycle events (collection, use, retention, disclosure and disposition).
- Develop and implement a policy on the collection, use and disclosure of the Social Insurance Number.
Level of risk to privacy: MODERATE
- Review its retention and disposition schedule as it requires a department-wide process and procedures to ensure the three types of retention are managed appropriately across various corporate systems and applications.
- Formalize corporate controls on requesting, evaluating and responding to privacy and security compliance assurance reports conducted by suppliers during the performance of the contract.
Program Risks
Level of risk to privacy: HIGH
- Develop and implement a policy or directive on the use of social media including Short Message Service (SMS) & Text Messaging for the purpose of the NFRP.
- Develop a systematic approach to safeguarding (security) and privacy protection assessments of internal business processes, systems and data associated with NFRP.