Use of Public Safety Portal by the Canadian Firearms Program

1.0 Executive summary

The mission of the Canadian Firearms Program (CFP) is to enhance public safety by helping reduce risk of harm from firearms. The CFP is committed to firearms safety through licencing of all firearms owners, including several levels of security screening for firearms licence holders and applicants.

The CFP is a business line in the Royal Canadian Mounted Police (RCMP) that is made up of accredited law enforcement agencies and provincial Public Safety institutions. Firearms licencing and authorizations in every province and territory are managed by Chief Firearms Officers (CFOs). CFOs and Firearms Officers (FOs) across the country carry out the same duties and responsibilities under Section 2(1) of the Firearms Act or Section 84(1) of the Criminal Code, regardless if their delegation of authority is issued from a provincial minister or the federal Minister of Public Safety.

The Director General of the Canadian Police Information Centre (CPI Centre) has approved the Application for Access to the Public Safety Portal (PSP) submitted by the CFP (See Appendix "A"). Access to PSP will assist CFOs, FOs and designated employees to fulfill their mandate to provide for the continuous eligibility of clients, screening of firearms licence holders and requestors, and for the safety of these public officers, and of the public, while performing field-related duties.

The CFP is authorized to access client information through PSP by virtue of the Privacy Act Section 8 (2)(a) which allows personal information under the control of government institution to be disclosed for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose, and under Sections 5 and 55 of the Firearms Act.

  • In order to enforce the Firearms Act or Part III of the Criminal Code that gives CFP its mandate, the Program is authorized to and does appoint enforcement officers [Chief Firearms Officers (CFOs) and the Firearms Officers (FOs)] who are designated public officers under the Criminal Code. They are engaged in investigations within the full spectrum of enforcement activities dictated by their legislative mandate. The Act grants specific authority for the decision-making and administrative work related to licensing eligibility for minors between 12 and 17, as well as for adults, authorizations to transport and authorizations to carry, transfers of firearms by individuals and businesses, gun show sponsorship approvals, and the conduct of field investigations and inspections, but also implicitly grants authority to obtain information that is relevant to those activities and which form a consistent use of information between CFP and other enforcement agencies.

Training obtained from CFP, and internal practices relevant to investigation, privacy and security, and the reality of gathering evidence that can be used in court ensure that information obtained from PSP will be handled in accordance with the PSP Policy and Procedures, including validation of information with the originating agency and obtaining consent for disclosure from the originating agency.

The RCMP CFP has also updated its Program Policy Manual on the Collection and Use of the Personal Information which addresses the appropriate management of all information that is obtained from any operational police file, including through PSP, for the purpose of investigating Firearms Interest Police (FIP) incidents.

All CFOs, FOs and their staff have been fingerprinted and cleared by the RCMP Forensic Identification Directorate and the Departmental Security Branch to the minimum level of Enhanced Reliability. In addition all CFOs, FOs, and their staff use a two factor Strong Identification and Authentication system to access applications via the standard RCMP Office Support System (ROSS) secure environment. CFOs' offices are secure zones with controlled access.

1.1 Summary of risks and mitigating mechanisms

The table below summarizes the privacy risks identified through the PIA process and categorizes levels of risk as low, moderate or high – defined by a factor of both impact and likelihood of occurrence.

The criteria for risk categorization are set as follows:

Low: There is a remote possibility that the risk will materialize or the impact of the risk is minor.

Moderate: The possibility of the risk materializing is low although the impact of such a risk is high, or the possibility of the risk materializing is high but the impact of such a risk is minor, or the impact and likelihood of the risk occurring are both determined to be moderate.

High: There is a near certainty that the risk will materialize if no corrective measures are taken or the impact of the risk on the project is severe.

# Element Nature of risk Level of risk: Low Level of risk: Moderate Level of risk: High Mitigating mechanisms

1

Access to the Public Safety Portal (PSP) will provide the Chief Firearms Officers and designated employees with additional law enforcement data that they did not previously possess.

Additional information access increases the risk that personal information may be used inappropriately.

L

The amount of information that can be obtained directly from PSP is purposely limited through Role Based Access Control (RBAC), thereby reducing the potential for inappropriate use. PSP will be used to direct the Canadian Firearms Program (CFP) to the agency originating the information.

PSP is a read-only system with no capability of saving or printing search results.

Terms of use are set out in a Memorandum of Understanding (MOU) between the Canadian Police Information Centre (CPI Centre), which is a National Police Service of the Royal Canadian Mounted Police (RCMP) and the CFOs who will require access to PSP (see appendices E, F, G, and H for applicable copies of MOUs).

The CFP will conduct internal audits on an annual basis to ensure that inadvertent or inappropriate use is identified and corrected. The first audit is due to be completed in March of 2016.

CFP will report the results of its audit to CPI Centre.

2

The CFP needs to ensure that the information they use from law enforcement is in accordance with its mandate.

There is a risk that PSP users will access personal information they may not be authorized to access and use.

L

The addendum developed by the CFP to the CPI CENTRE (formerly N-III) Overarching Cross-Jurisdictional Information Sharing Privacy Impact Assessment is detailing the lawful mandate of the CFP and the authority to access PSP data.

The CFP has completed an Application for Access that clearly describes the particular data that can be accessed according to its lawful mandate. The Application for Access was approved by the Director General of the Canadian Police Information Centre and will be part of the MOU between the CFOs who require access to PSP and the RCMP setting out the conditions for PSP access.

The CPI Centre and the CFP have established MOUs that clearly describe the particular data that the CFP can access according to the CFP's lawful mandate.

The amount of information that can be obtained directly from PSP is purposely limited through Role Based Access Control (RBAC) to only the information that the CFOs require to fulfill their lawful mandate.

As per PSP requirements, all provincial and federal CFOs, FOs and staff have been fingerprinted and cleared by the RCMP Forensic Identification Directorate and the Departmental Security Branch to the minimum level of Enhanced Reliability. The facilities housing PSP meet the RCMP safety requirements of Protected B classification which includes restricted physical access controls and alarm monitoring.

In addition, all provincial and federal CFO offices use the two factor strong identification and authentication system to access applications (systems) via the standard RCMP ROSS environment.

All provincial and federal CFOs, FOs and staff must adhere to Acceptable User Practices for RCMP Information Technology with key points being:

RCMP applications and systems support RCMP and National Police Services (NPS) administration and operations and are to be used for business purposes only.

Uses of RCMP IT facilities for personal profit, personal recreation or illegal purposes are prohibited.

All employees have completed form 2871 the Access to RCMP Information Technology (IT) Systems and Data Statement of Agreement.

The RCMP CFP has established a PSP coordinator within the Firearms Business Improvement Section whom is responsible for receiving the two completed user forms (PSP User Privacy and Query Data Notice and User agreement for Non-Police Partners) and recording the user on an Application Access (Excel spreadsheet). The completed forms and spreadsheet are sent to CPI Centre PSP unit as a request for access. The CPI Centre PSP unit advises the RCMP CFP PSP coordinator when access has been granted. The RCMP PSP coordinator is responsible for updating and maintaining the user access list and notifying the CPI Centre PSP unit of any change requests. See Appendix K for forms.

3

PSP will sometimes direct decision makers to personal information or records that are aged and must be verified.

There is a risk that aged law enforcement information may be used to make decisions about an individual that could result in the refusal or revocation of a licence, an authorization to transport or authorization to carry.

L

PSP will be used as a pointer directing the CFP to the agency originating the information.

As the information in PSP is only an indication of probability or "lead" information until confirmed, the CFP will in every case verify the accuracy of the record with the original contributing agency, and if applicable, obtain consent for the disclosure of information.

The CPI Centre includes a notice that is displayed on the system requesting that the user confirm the information with the originating agency before using it.

The PSP welcome page displays the following caveat:

All information must be treated as confidential and verified with the originating Agency.

Information accessible through the Public Safety Portal (PSP) is to be used solely for official duties where Agency legislation permits access to law enforcement data. Except where disclosure is required by law, a user shall not disclose information from another Agency without obtaining the consent of that Agency.

The CFP will forward a copy of the notice of revocation or refusal of a licence or authorization to the originating agency when their information is used in support of the decision to refuse or revoke.

4

CFP users may inadvertently release information to institutions that are not legally mandated to access the information.

There is a risk that the information is inadvertently shared by a user about an individual that potentially could deny an individual or businessthe ability to obtain a licence or authorization.

L

The CFP will:

take all necessary steps to protect third party proprietary information, in compliance with the spirit and intent of the Access to Information and Privacy Acts.

consult with the originating contributing agency prior to disclosing the information or record.

maintain an audit program that reviews the use of the PSP and the actions of its users. The first audit will be carried out in March 2016.

5

Governance Based Access Control (GBAC) could face a technical problem and provide access to the information that users are not legally mandated to access.

There is a risk that GBAC does not enforce information-sharing rules and provide access to users that they are not legally mandated to access.

L

The CPI Centre and CFP have conducted testing to ensure that the GBAC programming complies with the CFP's mandate and legal authority to collect information.

Users must also report any unauthorized information access.

6

A lack of cross-jurisdictional privacy awareness by PSP users.

There is no privacy awareness package regarding cross-jurisdictional information sharing.

L

A Treasury Board Secretariat approved privacy awareness package will be provided to the CFP. In addition, MOUs will specify that the CFP will train the selected employees/users prior to giving them access to PSP.

RCMP PSP users are provided with the PSP User Guide and are required to sign two forms including the PSP User Privacy and Query Data Notice and User agreement for Non-Police Partners prior to access.

The RCMP CFP Policy Manual has been updated in reference to the Collection and Use of Personal Information under chapter 1.4 in which paragraph 3.3.1 of the policy states: "When applying the information management practices, CFP employees are responsible to limit and vet information obtained from operational police files only as it relates to the Firearms Interest Police (FIP) incident category, in order to respect guidelines in the performance of their duties, and to document their activities and decisions." (See Appendix M for complete text of CFP Manual chapter 1.4.)

7

A lack of common Information Management policies and procedures.

There are various information management policies and legislation amongst jurisdictions.

L

Information published to PSP by Police Partner Agencies is maintained in accordance with applicable federal and provincial privacy and record retention legislation.

The validation procedure as outlined in the CFP policy manual chapter 1.4, paragraph 3.3.1 informs the originating Police Partner Agency of the use of their information by the CFP and thus allows the record holder to reset their record retention period at the time of sharing in accordance with applicable federal and provincial privacy and record retention legislation.

The CFP will abide by the legislation and policy directives related to information management, i.e. Firearms Records Regulations, the Treasury Board Secretariat policies and the Library and Archives Act.

Date modified: