Summary of the Spam Reporting Center

References

Terminology

Term | Definition
Administrative Arrangement | Administrative Arrangement between the CRTC and Industry Canada for the Development, Operation and Funding of a Spam Reporting Centre (12 March 2012).
ATIP | Access to Information and Privacy
CEM | Commercial electronic message, a defined term under CASL that refers to electronic messages, which are commercial in nature.
Complaint | Electronic forms submitted by members of the public that describe incidents regarding potential violations of CASL.
Complaint-Linked Report | CEM or other electronic threat forwarded to the SRC, via the Public Facing Website and its associated public contact methods, in conjunction with a Complaint.
CRTC | Canadian Radio-television and Telecommunications Commission
Data Feed | Submissions of spam and other electronic threats that the SRC receives via channels other than the Public Facing Website and its public contact methods. These submissions may or may not include additional description or explanation.
Industry Canada | Department of Industry.
Enforcement Agencies | Collectively refers to the CRTC, the Competition Bureau and the OPC.
False Positive | An email message that is not spam, but is inadvertently caught by a spam filter.
Honey Pot | A computer system designed and used to trap spam, as well as other electronic threats.
OPC | Office of the Privacy Commissioner of Canada.
Partners | The Competition Bureau, the CRTC, Industry Canada and the OPC.
PI | Personal information, as defined in the Privacy Act.
PIA | Privacy impact assessment.
Public Facing Website | Website or webpage(s) and associated public contact methods developed and operated by Industry Canada to receive Complaints and Reports of CEMs and other electronic threats from members of the public.
Reports | Submissions of spam and other electronic threats without additional description or explanation, as defined in the Administrative Arrangement.
Spam and other electronic threats | Description of various types of violations or offences pursuant to CASL, including the sending of unsolicited CEMs (s. 6), the unauthorized alteration of transmission data (s. 7), the installation of computer programs without consent (s. 8), false or misleading representations (s. 75 & 77), the unauthorized collection of electronic addresses (s. 82(2)) and the collection of PI by accessing a computer system in contravention of an Act of Parliament (s. 82(3)). In other words, this description includes spam, malware, spyware, address harvesting and false or misleading representations involving any means of telecommunication, such as Short Message Services (SMS), social networking, websites, URLs and other locators, applications, blogs, Voice-over Internet Protocol (VOIP) and any other current and future Internet, wireless or other telecommunication threat prohibited by CASL.
SRC | Spam Reporting Centre, as operated by the CRTC.
Stakeholders | The Competition Bureau, the CRTC, Industry Canada, the OPC, Library and Archives Canada, other law enforcement agencies, the public and Third Party Organizations.
TBS | Treasury Board of Canada Secretariat.
Third Party Organizations | Private sector organizations, para-public organizations and public sector organizations other than the CRTC.
TRA | Threat and Risk Assessment.
URL | A uniform resource locator is a web address.

Legislation and Guidelines

Short Title | Citation
Access to Information Act | Access to Information Act, R.S.C. 1985, c. A-1.
An Act respecting the Protection of Personal Information in the private sector | An Act respecting the protection of Personal Information in the private sector, R.S.Q. c. P-39.1.
Appropriation Act | Appropriation Act No. 3, 2012-13, S.C. C-11.
Broadcasting Act | Broadcasting Act, S.C. 1991, c. 11.
Charter | Constitution Act, 1982, 1982, c. 11 (U.K.), Schedule B, Part I, Canadian Charter of Rights and Freedoms.
CASL | An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, S.C. 2010, c. 23, s. 21. There is currently no official short title for this statute, and so it is commonly referred to as Canada's Anti-Spam Legislation or CASL.
Competition Act | Competition Act, R.S.C., 1985, c. C-34.
Alberta Personal Information Protection Act | Personal Information Protection Act, S.A. 2003, c. P-6.5.
BC Personal Information Protection Act | Personal Information Protection Act, S.B.C. 2003.
PIPEDA | Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
Privacy Act | Privacy Act, R.S.C., 1985, c. P-21.
TBS Guidelines | Treasury Board of Canada Secretariat Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks Guidelines.
Telecommunications Act | Telecommunications Act, S.C. 1993, c. 38.

Overview and PIA Initiation

Introduction

Canada's Anti-Spam Legislation (CASL) received royal assent on 15 December 2010 and came into force on 1 July 2014. The purpose of CASL is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities.

Several federal departments are responsible for enforcing CASL, namely the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner of Canada (OPC). For ease of reference, these three departments are collectively referred to as the "Enforcement Agencies."

Under CASL, the CRTC has the authority to regulate certain forms of electronic contact, consisting of the sending of commercial electronic messages (CEMs), the alteration of transmission data in electronic messages, and the installation of computer programs on another person's computer system, in the course of a commercial activity. CASL also gives the Enforcement Agencies the legal authority to share information and evidence with each other and with partners and foreign agencies.

Pursuant to CASL, the Department of Industry (Industry Canada) acts as the National Coordinating Body, which is responsible for oversight and coordination regarding policy and public education and awareness. Industry Canada also provides support to the Enforcement Agencies.

The Spam Reporting Centre (SRC) will play an integral part in the implementation of CASL, specifically in terms of collecting raw information. The Department of Industry (Industry Canada) requested that the CRTC develop and operate the SRC, with Treasury Board funding. On 12 March 2012, the CRTC and Industry Canada entered into an understanding to this end.

This document is a Privacy Impact Assessment (PIA) with respect to the SRC. It applies to the CRTC, as operator of the SRC, and Industry Canada, as operator of the Public Facing Website and public contact methods. The SRC is a repository of various types of information, which is described in greater detail below. The Public Facing Website is a website or webpage(s) managed and operated by Industry Canada to receive Reports and Complaints from members of the public. It is also described in greater detail below.

In addition to existing PIAs that will need to be amended, new PIAs will need to be produced that are relevant to CASL, including a larger multi-institutional PIA among the Enforcement Agencies and Industry Canada. This PIA for the SRC is submitted separately and in advance due to the necessity of conducting testing and benchmarking prior to CASL coming into force.

Objectives, Rationale and Scope

The purpose of this PIA is to assess the potential privacy implications arising out of the collection, use and disclosure of personal information (PI) related to the operation of the SRC by the CRTC and the Public Facing Website by Industry Canada.

This PIA does not, however, address privacy issues stemming from the collection, use or disclosure of PI by the Enforcement Agencies regarding their respective investigative and enforcement roles under CASL, including information sharing in those roles.

Implementation of the measures and safeguards set out in this PIA will allow the CRTC and Industry Canada to be in compliance with their obligations under the Privacy Act and the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Impact Assessment regarding the SRC.

As described above, there will be a larger multi-institutional PIA among the Enforcement Agencies and Industry Canada. Each department will be responsible for updating its respective existing PIA or creating a new PIA, as the case may be, regarding potential privacy issues arising from their individual investigative and enforcement roles under CASL.

This PIA involves the SRC part of the CASL program.

The SRC is an integral part of implementing CASL and related provisions in the Competition Act and PIPEDA. As noted above, the SRC's central function is to collect and store raw information for use by the Enforcement Agencies. The public will be able to submit Complaints and Reports (e.g., forwarded emails) concerning potential CASL violations to the SRC via the contact methods available on the Public Facing Website operated by Industry Canada. The SRC will also use this information to provide aggregated and anonymized monthly statistics and quarterly trend reports to Industry Canada and the Enforcement Agencies. The goal is to allow the Enforcement Agencies and Industry Canada to keep up-to-date with the most recent macro trends in an ever-changing environment.

The Enforcement Agencies may also access and copy information in the SRC to perform their own analyses, for which their respective PIAs will apply. If any or all of the Enforcement Agencies wish to use the data in an investigation, then they will copy the relevant information into their own management system for analysis. For example, the CRTC will copy data from the SRC and put it into a case management system, for which a different PIA will apply.

Partners

For the purpose of this PIA, the Partners are Industry Canada and the Enforcement Agencies (the CRTC, the Competition Bureau and the OPC).

The CRTC will play two roles. It will operate the SRC and it will, among other things, investigate potential violations pursuant to its mandate under CASL. Regarding the latter role, as noted above, the CRTC may copy information in the SRC to an investigative and enforcement system for analysis.

The Competition Bureau and the OPC may do the same regarding their respective mandates under CASL and will be responsible for ensuring that the privacy implications are appropriately addressed in either amended existing, or new, PIAs.

Industry Canada funds the SRC. It will also manage and operate the Public Facing Website, including the appropriate intake mechanisms and means for receiving information from the public in Complaints and Reports. It will also oversee public education and awareness.

Again, for the purpose of this PIA, the Partners are also included as Stakeholders. The two concepts are not mutually exclusive. However, an important distinction between Partners and the non-Partner Stakeholders is that unlike Partners, the non-Partner Stakeholders do not have an active role in implementing the CASL program.

Stakeholders

The parties in the table below are stakeholders in the CASL program:

Stakeholder | CASL Involvement
Competition Bureau | The Competition Bureau may copy information from the SRC into its own systems pursuant to its mandate under the Competition Act and CASL.
CRTC | The CRTC will play two roles. It will operate the SRC and it will, among other things, investigate potential violations pursuant to its mandate under CASL. Regarding the latter role, the CRTC may copy information from the SRC into an investigative and enforcement system.
Foreign agencies | Section 60 of CASL permits the Enforcement Agencies to share information under an agreement or arrangement in writing between the Enforcement Agencies and the government of a foreign state, an international organization of states, or an international organization established by the governments of states, or any institution of any such government or organization.
Industry Canada | Industry Canada will manage and operate the Public Facing Website, including the appropriate intake mechanisms and means for receiving information from the public in Complaints and Reports. It will also oversee public education and awareness.
Library and Archives Canada | Any information deemed to be of historical or archival value may be sent to the Library and Archives Canada at the end of the retention period for the relevant department's information management policy. It is conceivable that certain monthly statistics and trend reports may be identified as having historical or archival value.
OPC | The OPC may copy information from the SRC into its own systems pursuant to its mandate under PIPEDA and CASL.
Other law enforcement agencies | Other applicable legislation may permit the Enforcement Agencies to disclose information to other law enforcement agencies for investigative purposes under that legislation.
The Public | Members of the public may submit Complaints or Reports to the SRC via the Public Facing Website.
Third Party Organizations | Third Party Organizations may provide Data Feeds to the SRC.

Authority and Governance Structure

The CRTC's lawful authority to collect PI flows, by necessary implication, from the scheme and objectives of CASL and the specific statutory authority to use and disclose information to certain entities, including the Competition Bureau and the OPC. The lawful authority for the SRC to collect and store PI before CASL comes into force is section 2 of the Appropriation Act No. 3, 2012-13 (Appropriation Act).

The SRC is governed by an agreement on the relevant responsibilities of the CRTC and Industry Canada.

The CRTC may also enter into additional agreements in the future with the Competition Bureau and the OPC regarding access to the information in the SRC and information sharing. They may also enter into agreements regarding contribution of resources to the CRTC for its operation of the SRC. Similarly, other persons or entities may contribute resources to the SRC in the future, such as other law enforcement agencies.

The CRTC will ensure that SRC activities comply with existing CRTC policies and procedures regarding privacy and the information in the SRC. These policies and procedures include the CRTC Policy on the Identification and Release / Protection of Information and Assets and the Policy on the Management of CRTC Information.

Persons who hold office regarding sections 4 and 10 of the Privacy Act give their formal approval to this PIA, as described in detail below.

Relevant Legislation

The relevant privacy legislation for this PIA is the Privacy Act and PIPEDA.

The SRC is subject to the Privacy Act, as the CRTC, a government institution, will operate the SRC. As noted above, it has the legal authority to collect, use and disclose PI for the purpose of CASL. The SRC will also be required to comply with the Access to Information Act.

Private sector organizations that provide Data Feeds to the SRC may be subject to PIPEDA or substantially similar provincial legislation to PIPEDA. Paragraph 7(3)(d) of PIPEDA allows an organization to disclose PI to a government institution where the organization "has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed." Such private sector organizations may submit Data Feeds to the SRC on the basis that the information relates to a potential violation under CASL and/or related provisions of the Competition Act and PIPEDA. Additionally, section 56 of CASL provides that an organization may disclose PI to the CRTC, the Commissioner of Competition or the Privacy Commissioner if it believes that the information relates to a potential violation under CASL and/or related provisions of the Competition Act and PIPEDA.

As described above, this PIA does not address privacy issues stemming from the collection, use or disclosure of PI by the Enforcement Agencies regarding their respective investigative and enforcement roles under CASL, including information sharing in those roles. Such issues will be addressed in the Enforcement Agencies' respective PIAs.

Risk Area Identification and Categorization

The analysis in this PIA is based on the approach outlined in the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Impact Assessment. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area. The fourth level (4) represents the highest level of potential risk for the given risk area. There are descriptions for each potential level in the risk scale for each category.

The applicable risk ratings for the SRC are shown in the tables below. There is also a description of how the bolded risk ratings apply to the SRC in the first row, under the category heading.

a) Type of program or activity
The purpose of the SRC is to collect and store data concerning potential violations under CASL and/or related provisions under the Competition Act and PIPEDA.

Description | Risk Level | Rating
Program or activity that does NOT involve a decision about an identifiable individual | 1 |
Administration of program or activity and services | 2 |
Compliance or regulatory investigations and enforcement | 3 |
Criminal investigations and enforcement or national security | 4 | 4

b) Type of PI involved and context
The PI collected, used and disclosed by the SRC will generally be non-sensitive in nature. PI is collected with consent in most circumstances (i.e. Complaints and Reports).

Description | Risk Level | Rating
Only PI, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program | 1 |
PI, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use PI held by another source | 2 | 2
Social Insurance Number, medical, financial or other sensitive PI or the context surrounding the PI is sensitive; PI of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual | 3 |
Sensitive PI, including detailed profiles, allegations or suspicions and bodily samples or the context surrounding the PI is particularly sensitive | 4 |

c) Program or activity partners and private sector involvement
For the purpose of the SRC, the Competition Bureau, the CRTC, the OPC and Industry Canada are Partners. Private sector involvement will be limited to providing Data Feeds to the SRC.

Description | Risk Level | Rating
Within the institution (among one or more programs within the same institution) | 1 |
With other government institutions | 2 | 2
With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 |
Private sector organizations, international organizations or foreign governments | 4 |

d) Duration of the program or activity
The SRC will be a long-term program or activity.

Description | Risk Level | Rating
One-time program or activity | 1 |
Short-term program or activity | 2 |
Long-term program or activity | 3 | 3

e) Program population
The use of PI in the CASL program is for investigations that may affect certain individuals.

Description | Risk Level | Rating
The program's use of PI for internal administrative purposes affects certain employees | 1 |
The program's use of PI for internal administrative purposes affects all employees | 2 |
The program's use of PI for external administrative purposes affects certain individuals | 3 | 3
The program's use of PI for external administrative purposes affects all individuals | 4 |

f) Technology and privacy
The CASL program, including the SRC, is a new program.

Description | Yes/No
Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of PI? | Yes
Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? | No
Does the new or substantially modified program or activity involve implementation of new technologies of one or more of the following activities: enhanced identification methods; surveillance; or automated PI analysis, PI matching and knowledge discovery techniques? | No

g) PI transmission
The PI will be used in a system that has connections to other systems. For example, the SRC will receive electronic transmissions from the Public Facing Website, and PI will be accessible by the Enforcement Agencies.

Description | Risk Level | Rating
The PI is used within a closed system (i.e. no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled) | 1 |
The PI is used in a system that has connections to at least one other system | 2 | 2
The PI is transferred to a portable device (i.e. USB key, diskette, laptop computer), is transferred to a different medium or is printed | 3 |
The PI is transmitted using wireless technologies | 4 |

h) Breach
Impact on individual

Description | Yes/No
The impact is minimal. The PI collected from complainants is optional and is voluntarily provided. It is also non-sensitive in nature. | Yes