Canadian Firearms Digital Services Solution – phase 1 – online Possession and Acquisition Licence portal Privacy Impact Assessment

The Royal Canadian Mounted Police Canadian Firearms Program is modernizing its service delivery over a period of transformation and automation expected to last at least four years. The upcoming changes are driven by government priorities led by the Minister of Public Safety and the Minister of Justice and Attorney General of Canada. The objective is to improve the safety of our cities and communities and reduce gun violence by modernizing systems that are aging and can no longer support program needs, are largely paper-based, and are prone to significant error rates. These issues are further compounded by the inability of existing systems and processes to easily adapt to changing legislation, and by client expectations that services should be faster, easier and available at any time. Ultimately, the Canadian Firearms Program's goals are to improve accessibility, advance equity, decouple legacy systems, elevate user experience by enabling more digital services, and embrace cloud-based technologies.

This Privacy Impact Assessment was conducted to identify, assess, and mitigate privacy risks related to the Canadian Firearms Program's substantial modification to the collection of personal information from a paper-based system to an online, cloud-based service.

Privacy Impact Assessment scope

Currently, the personal information collected by the Canadian Firearms Program for processing applications and registering firearms is stored in the Canadian Firearms Information System, an on-premise solution. Eventually, the Canadian Firearms Information System will be decommissioned when the implementation of all functionality within Canadian Firearms Digital Services Solution is complete in approximately four years. This Privacy Impact Assessment covers Phase 1 of the Canadian Firearms Digital Services Solution project, the implementation of an online portal for new individual Possession and Acquisition Licence applications. Applications for renewals, minors, businesses, and prohibited firearms will be addressed in subsequent phases.

The scope of the Privacy Impact Assessment is restricted to the collection of personal information within the new online portal. This phase does not include the processing of or eligibility determinations for Possession and Acquisition Licence applications, which will continue to occur in the Canadian Firearms Information System until sunset.

The same personal information for paper-based Possession and Acquisition Licence applications will be collected during the online Possession and Acquisition Licence application process as required by law, with the following addition:

Technology

The new solution, Canadian Firearms Digital Services Solution, uses a cloud-based platform that will coexist with the legacy Canadian Firearms Information System until all functionality is fully integrated over the next few years. The information is stored and managed in the RCMP's secure cloud Protected B environment and will interface with the on-premise Canadian Firearms Information System. The Online Possession and Acquisition Licence portal/application resides on the Canadian Firearms Digital Services Solution platform.

Data matching

Personal information collected in the Possession and Acquisition Licence application will only be used to determine whether a client profile already exists in the Canadian Firearms Information System. In this phase, there are no data linkages across multiple databases.

Privacy Risks, Recommendations and Mitigation Action Plan

The Privacy Impact Assessment identified the following risks rated at low or medium:

Risk to accountability

There is a risk to accountability of provincial Chief Firearms Officers who opt in to provide licence processing services in the absence of a renewed agreement with the Canadian Firearms Program.

Recommendation: Documentation of the roles and responsibilities of provincial Chief Firearms Officers to ensure accountability via well-defined requirements. Agreements should address training on security and privacy requirements.

Risk to retention

While a Records Disposition Authority was recently assigned, destruction of records which have met their retention has not yet occurred.

Recommendation: Development of retention and disposition procedures in the new solution to ensure that there is no indefinite retention.

Risk to safeguards

Gaps in technical security safeguards commensurate to the sensitivity of the personal information are present.

Recommendation: Mitigation of all risks and completion of the Security Assessment and Authorization mitigations. Current mitigations have permitted an interim authority to operate at an acceptable level of risk.

Risk to openness

Although a compliant privacy notice statement is presented to individuals who provide personal information, the personal information banks require updating to reflect the new method of collection and additional data elements being collected.

Recommendation: Update personal information banks as soon as possible (note these are submitted with the Privacy Impact Assessment and require Treasury Board of Canada Secretariat to complete).

Risk Mitigation Action Plan: The RCMP is committed to the protection of personal information and adherence to the Privacy Act and applicable privacy policies. Accordingly, the Canadian Firearms Program has committed to resolve outstanding risks related to safeguards prior to August 2023. Remaining risks are expected to be addressed earlier, in the 2022/2023 fiscal year.