National Child Exploitation Crime Centre

On this page

Overview and privacy impact assessment initiation

Government institution
Royal Canadian Mounted Police
Head of the government institution or delegate for section 10 of the Privacy Act
Danielle Golden
Director of Privacy
Access to Information and Privacy Branch
Senior official or executive responsible for the privacy impact assessment
Officer in Charge, National Child Exploitation Crime Centre
Sensitive and Specialized Investigative Services
Name and description of the program or activity of the government institution
National Child Exploitation Crime Centre
Legal authority for the program or activity

Royal Canadian Mounted Police Act, Section 18

Criminal Code of Canada, Section 163.1

Standard or institution-specific personal information bank

Operational Case Records, RCMP PPU 005

Criminal Operational Intelligence Records (Exempt Bank), RCMP PPU 015

National Child Exploitation Crime Centre Program, RCMP PPU 201

Description of the project, initiative or change

The Royal Canadian Mounted Police (RCMP) National Child Exploitation Crime Centre (NCECC) is a national program within the Sensitive and Specialized Investigative Services Branch and is mandated to reduce the vulnerability of children to Internet-facilitated sexual exploitation, under Canada's National Strategy for the Protection of Children from Sexual Exploitation on the Internet. As the lead RCMP Program, the NCECC is responsible for operationalizing the National Strategy's objectives by identifying victimized children; investigating and supporting criminal justice outcomes; developing and deploying innovative technologies; providing criminal intelligence support; and, strengthening the capacity of municipal, territorial, provincial, federal, and international police agencies through research, training, technology, intelligence and investigative support.

Significant increases in online child sexual exploitation (OCSE) are the result of the modern digital world that crosses many jurisdictions, and leverages innovative technologies that allow offenders to evade prosecution. However, just as tools may be leveraged for criminal purposes, they can also be leveraged to bring offenders to justice and in this regard, are absolutely necessary in the fight against OCSE.

A broad overview of the Program's operational activities as it relates to the detection, reduction and investigation of OCSE is well aligned with the RCMP's Vision 150 Strategic Plan to improve transparency and increased accountability of policing activities.

Purpose and scope of the privacy impact assessment

This privacy impact assessment (PIA) on the NCECC is program-based and looks broadly at the sources and methods of personal information collected, used and shared to support its mandate of law enforcement for the purpose of investigations of OCSE. The program-level PIA considers the personal information handling practices of the NCECC to ensure the RCMP meets its legal obligations under the Privacy Act, and to ensure that privacy risks are identified, assessed, and mitigated.

The scope of the PIA is restricted to the types of operational technologies used and the processes in place to ensure compliance rather than specific technologies themselves. This Program-level PIA is another step forward, to provide transparency to the activities of the NCECC, and in particular, examine how the NCECC collects, uses and shares personal information it relies on for the purpose of OCSE investigations. Although the PIA takes a broad approach to various technologies implemented, it satisfies Treasury Board Secretariat of Canada's requirements to document personal information handling practices of the Program: sources of collection of personal information, methods used to collect highly sensitive personal information, and how this information is used and shared to achieve its mandate.

Privacy analysis

Based on this assessment, privacy impacts associated with the collection and use of personal information in the NCECC Program PIA are expected to be elevated. Recommendations from the privacy impact assessment process, once fully completed, are expected to reduce these risks to an acceptable level. In addition, opportunities to improve the NCECC's privacy practices through policy and technical measures were considered throughout the development of the PIA.

Risk area identification and categorization

A) Type of program or activity

Personal information is used for investigations and enforcement in a criminal context (for example decisions may lead to criminal charges/sanctions).

Level of risk to privacy: High Risk

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy: High risk

C) Program or activity partners and privacy sector involvement

With other government institutions, federal, provincial or territorial, and municipal governments and private sector organizations, international organizations and/or foreign governments.

Level of risk to privacy: Elevated to High risk

D) Duration of the program or activity

Long-term program or activity.

Level of risk to privacy: Elevated risk

E) Program population

The program's use of personal information for external administrative purposes affects certain individuals.

Level of risk to privacy: Elevated risk

F) Technology and privacy

  1. Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?
    Risk to privacy: No
  2. Does the new or substantially modified program or activity require any modifications to information technology legacy systems?
    Risk to privacy: No
  3. Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
    • Enhanced identification methods;
      Risk to privacy: No
    • Surveillance;
      Risk to privacy: No
    • Automated personal information analysis, personal information matching and knowledge discovery techniques?
      Risk to privacy: Yes

Level of risk to privacy: Elevated to High risk

G) Personal information transmission

Data is transmitted through the NCECC's information management system, OCEAN, to authorized users only, who connect with VPN and credentials and who are authorized to receive information which is law enforcement (ICE Units, POJ) only. Data is transmitted with end-end-encryption and can only be decrypted by authorized users via their assigned certificates. Transfer of data to foreign entities must undergo internal processes under FIRAC. Data transmitted to international entities follows specific transfer protocols such as through Europol's SIENA network. Since systems are on separate servers and not connected, some manual transmission within NCECC from one data base to another may be required.

Level of risk to privacy: Moderate to Elevated risk

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

The impact of a breach of personal information "unauthorized access to, use of, or disclosure" related to OCSE on an individual – the victim – is considered to be very serious. It could also lead to compromised safety of the child/victim with threats of violence or intimidation by the victim's offender or other known individuals. The sensitivity of personal information cannot be understated and therefore any breach would be devastating to the victim. The impact of a breach to the offender during the investigative process would also be serious, could infringe their legal rights and exposure may lead to self-harm or harm from the public given the abhorrent nature of the offence.

Level of risk to privacy: High risk

Top of page
Date modified: