Canadian Police Information Centre

Executive summary

This report contains a Privacy Impact Assessment (PIA) for the Canadian Police Information Centre, a National Police Service of the Royal Canadian Mounted Police. The scope of this PIA is broad and encompasses the current CPIC system and it's future modernized state upon completion of phase 3 of the CPIC Renewal project.

It is understood that this PIA is limited to the current partners sharing information through the CPIC system and will be subject to updates/amendments as new agencies gain access to the system.

The Royal Canadian Mounted Police through the National Police Services is a key service provider to Canadians at the federal, provincial and municipal levels. The law enforcement services are varied and range from protecting Canadians and Canadian interests abroad. In various ways, the RCMP helps to ensure Safe Homes and Safe Communities.

This is feasible only with sound management and supporting infrastructure, such as the proper use of information and technology to support the law enforcement community both domestically and internationally.

CPIC is a national repository of police information that amounts to a vital shared resource within Canadian law enforcement. Currently, CPIC handles in excess of 120 million queries and stores 9.6 million records in its investigative data banks. The system, on-line since 1972, has served the law enforcement community well but could not meet the challenges of the 21 st century. CPIC has undergone numerous upgrades over the years to keep up with new technologies and to meet new law enforcement requirements. The passage of time had caused the system's key components to become brittle and unstable with age, and the retirement of key human resources placed the system at critical risk. Its network components were prone to failure and its proprietary software language was difficult to maintain.

A major overhaul, called CPIC Renewal, designed as a four-stage stabilization, modernization and improvement effort, was launched in April 1999 to modernize the system comprehensively and to make future changes easier to effect. The original funding of $114.7M was allocated by Treasury Board to the CPIC Renewal Project in April 1999 (TB minute 827145) and is already included in the RCMP Main Estimates.

In the original submission, the Project Team was given EPA and PPA for Project 1 and PPA for Projects 2, 3 and 4. Funding for the entire project was also granted a total amount of $114.7M including the National Criminal Justice Index (NCJI). Since 1999, CPIC Renewal Project has experienced a major restructuring.

CPIC Renewal Project 1, which provided a bypass of the old communications infrastructure for a significant amount of the traffic from CPIC Windows devices and which laid the groundwork for several initiatives that were deferred to Project 2, Phase 1, was completed in the Spring of 2002.

Project 2, CPIC Modernization, was sub-divided into three Phases :

• Phase 1 Infrastructure Services Modernization completed development and testing summer 2003, providing a new interface specification in June 2003, and rolling out CPIC Windows v2.0 September 15, 2003. As of March 1, 2005, 73% of the total 109 interface agencies have implemented the new interface specification and it is expected that by the end of June 2005 all Agencies will be migrated. In addition, 99% of all workstations have been converted to the new Windows version.

• Phase 2 PRISM (Police Real Time Information System Monitor) Risk Reduction (PRR) completed development and was implemented July 19, 2003, providing a stable, scaleable, modern platform for further development; and,

• Phase 3 Application Infrastructure and Functionality is currently in its start-up phase and was scheduled for an Effective Project Approval presentation to TB on Oct 23, 2003. Phase 3 will introduce some of the most significant improvements that CPIC users have seen since the system was first implemented in 1972 including enhanced security technology and access controls, and improvements to key CPIC functionality areas including Property, Persons, Vehicles and Marine.

The CPIC Renewal Project is scheduled to be completed by March of 2005.

CPIC is already an important component in efforts to improve information sharing between the various components of the criminal justice community. It will continue to be integral to meeting the RCMP strategic objectives by facilitating information sharing at the national and international working levels, thus facilitating the prevention of situations such as terrorist attacks, major violent crimes and cross-border child abductions. It is expected that CPIC will play a prominent role in any Integrated Justice Initiative (IJI) plan.

CPIC is and will continue to be a national repository of information of interest to the law enforcement community and provide query capabilities to other indexed data repositories of administrative and law enforcement systems such as CFRO (Canadian Firearms Registration On-Line), OMS (Offender Management System), provincial and territorial registered owner/drivers license systems as well as NCIC and NLETS in the United States. CPIC is currently cooperating with the Data Standard Secretariat of the Solicitor General's Integrated Justice Initiative to ensure compatibility with future systems.

The events of Sept. 11, 2001 have brought about a sense of urgency for the RCMP to modernize CPIC in order to meet the challenges posed by terrorism and organized crime both domestically and internationally. The current CPIC provides the foundation for immediate operational goals. The release of CPIC Renewal Phase 3 in 2005 will solidify the status of CPIC and serve the long-term strategic goals and objectives of integrated policing and integrated justice. Ultimately, CPIC will play a lead role in providing "Safer Homes and Safer Communities for Canadians".

This PIA identified the following privacy risks/issues along with measures for their mitigation:

Control and Use of Personal Information. CPIC is an integrated database (repository) where specific law enforcement data can be entered, electronically queried and ultimately shared with law enforcement partners in their crime prevention and crime fighting roles. From an operational perspective, the RCMP controls the infrastructure, which comprises CPIC including mainframe computers, and data storage devices located at RCMP Headquarters in Ottawa. However; custody and control of the personal information entered on CPIC is deemed to be the sole domain of the agency making the entry. Access to any information entered by an agency can only be granted by that agency under the authority of the federal or provincial access legislation that applies to that agency. The RCMP currently controls the access to CPIC through a safefile process. The CPIC Advisory Committee grants access to CPIC. All agencies accessing CPIC are governed by the policies contained in the CPIC Reference Manual. Police agencies do not enter into an MOU to access CPIC. However, non-police agencies such as Transport Canada are required to enter into an MOU. As the numbers of partners and the types of information being shared expands, there will be a need for formal MOU's. A memorandum of understanding is a useful vehicle to describe the responsibilities of the parties.

• Mitigation - The RCMP will develop a new memorandum of understanding for new agencies accessing CPIC including the use and disclosure of personal information obtained from the CPIC system.

Use of Fictitious Data. CPIC information will be used for purposes of training and/or testing. Consideration must be given to the use of fictitious data rather than personal information for the noted functions.

• Mitigation - CPIC currently uses an instructional database that contains fictitious data for training purposes. This capability was not suitable for testing. The RCMP will endeavour to provide a testing and training environment where no personal information is used.

Data Integrity - CPIC is a national repository of law enforcement operational data that amounts to a vital shared resource within Canada law enforcement. The reliability and effectiveness of this support system depends on the accuracy, validity relevance of the data contained within its databanks.

• Mitigation - CPIC has well-established standards and practices to ensure the accuracy, validity and relevance of its data. Each contributing agency is responsible for the data that they input. Reports are provided to ensure that records are validated at periodic intervals. As well, purge reports are generated to ensure that the expiry date of records remains current. Finally, each agency is subject to an independent audit by CPIC auditors.

Summary of PIA - The policy on Privacy Impact Assessments requires that a summary of the PIA be made available to the public. The RCMP has not yet established a formal Departmental process to publish documents such as PIA's but policy is currently under development.

• Mitigation - RCMP ATIP authority will establish a formal Departmental process to publish PIA summaries on the RCMP Public Website.

In conclusion, the privacy issues identified in this PIA can be resolved through the development and documentation of appropriate procedures and processes that ensures compliance with the Access to Information and the Privacy Acts.

Date modified:

2005-02-07