Overview & PIA Initiation
Canada Foundation for Innovation
Official responsible for the privacy impact assessment (PIA)
Programs and Performance
Head of the government institution or Delegate for section 10 of the Privacy Act
Finance and Corporate Services
Name and Description of program or activity
Research infrastructure funding programs
Canada Foundation for Innovation (CFI) awards are made to eligible research institutions through an independent, competitive, structured merit-based review process that determines which projects receive funding. The review involves volunteer researchers, research administrators and private sector administrators who review proposals, and make funding recommendations to the CFI. CFI funds up to 40 percent of a project’s research infrastructure costs. Institutions must secure the remaining 60% in partnership with public, private and non-profit sector organizations. As part of the review process the CFI consults with experts in Canada and abroad, and collaborates with a variety of stakeholders and partners such as industry, colleges and universities, governmental and private sector research agencies and councils, and provinces and territories. Institutions apply to the CFI through a suite of funds and all applications are assessed using three broad criteria: quality of the research and its need for infrastructure; contribution to strengthening the capacity for innovation; and, potential benefits of the research to Canada.
The CFI’s funding architecture is designed to deliver on the CFI’s mandate by meeting the current needs of the research community, its partners and stakeholders. The CFI funding architecture is built around three core programs: the Innovation Fund (IF), which holds open competitions for innovative infrastructure projects; the John R. Evans Leaders Fund (JELF), an allocation-based funding program that provides research institutions with flexibility and rapid turnaround time to enable them to recruit and retain leading researchers; and the Infrastructure Operating Fund, (IOF) a program that covers a portion of operating and maintenance costs to ensure optimal use of CFI-funded infrastructure. Personal information is collected and used only in IF and JELF programs, not in the IOF. In addition to these three core programs, the CFI makes other strategic investments through such programs as the Major Science Initiatives Fund, the College-Industry Innovation Fund, the Automotive Partnership Canada Fund, the Cyberinfrastructure Initiative and the Exceptional Opportunities Fund.
Summary of the project / initiative / change:
The CFI has undertaken this Privacy Impact Assessment (PIA) to document, verify and improve the compliance of its main funding programs with the requirements of the Privacy Act and associated policies. This PIA is not a response to a specific trigger criterion in the Treasury Board Secretariat (TBS) Directive on Privacy Impact Assessment. Rather, the CFI is conducting the PIA as a due diligence exercise. By completing a high-level PIA on its key programs, CFI hopes to establish a baseline assessment of its privacy practices that it can use going forward to assess and document new programs and changes to programs, and to provide context for related changes to personal information banks (PIBs). The plan is to keep this PIA evergreen.
CFI management believes that a single overarching program PIA is the best approach because CFI funding mechanisms work in a similar manner, particularly with respect to the management of personal information. To the extent that there are differences, these tend to be mainly in the areas of research, or in the funding partners involved. In some cases, a competition is launched as a response to a strategic priority. Whether the infrastructure is intended for automotive or cyber research, the personal information required for decision-making and for post award management and reporting tends to be the same. Similarly, for certain CFI funds, there may be a joint application and review process that involves sharing of personal information with one or more funding partners. In general, the same limited personal information is shared, and the measures required to achieve privacy compliance and to mitigate risk are similar regardless of the specific funding partner(s).
With respect to scope, the focus of this PIA is on the above-cited CFI funding programs, for which the CFI collects and uses personal information as part of the decision-making process. It does not include the CFI process related to determining the eligibility of institutions, since that does not use personal information. It does not include the collection and management of personal information by CFI-eligible research institutions, most of which are subject to privacy and data protection laws in their own jurisdictions. It does not include CFI’s Infrastructure Operating Fund, a formula-based allocation made by CFI to eligible institutions which does not collect or use personal information. Finally, it does not include the personal information that is collected and used by CFI in the administration of its internal services, such as financial and human resources management.
Description of the class of record and personal information bank
Standard or institution specific class of record:
CFI FCI 100 Innovation Fund
CFI FCI 105 John R. Evans Leaders Fund
CFI FCI 115 The College-Industry Innovation Fund
CFI FCI 120 The Major Science Initiatives Fund (MSI)
CFI FCI 125 The Automotive Partnership Canada Fund
In addition, a new Class of Records is proposed for the Cyberinfrastructure Initiative.
Standard or institution specific personal information bank:
The following Personal Information Banks (PIBs) relevant to activities covered by this PIA are currently registered with Treasury Board and published.
CFI-PPU-020 Innovation Fund – Applications and awards
CFI-PPU-010 John R. Evans Leaders Fund - Applications and awards
CFI-PPU-015 The College-Industry Innovation Fund - Applications and awards
CFI-PPU-120 The Major Science Initiatives Fund (MSI) - Applications and awards
CFI-PPU-125 The Automotive Partnership Canada Fund - Applications and awards
In addition, a new PIB is proposed entitled “Cyberinfrastructure Initiative - Applications and awards”.
Legal authority for program or activity
The Budget Implementation Act, 1997
PART I CANADA FOUNDATION FOR INNOVATION
Risk identification and categorization
1) Type of program or activity
Administration of Programs / Activity and Services
Level of risk to privacy: 2
Details: While CFI’s awards are made to eligible research institutions, they do affect certain individuals. Most proposals are championed and led by a project leader(s) and involve a team or group of highly-qualified researchers with stakes in the outcome. The qualifications and experience of these researchers is considered as part of the merit-based review. The composition and quality of the research and management teams is a factor in the decision-making related to most proposals. If an infrastructure project is funded, it will impact research programs and careers. The John R. Evans Leaders Fund, for example, provides high-quality research infrastructure to attract and retain specific world class researchers; the prospect of acquiring and accessing the infrastructure in the recruitment and retention of these highly-qualified individuals is a central aspect of the proposal.
2) Type of personal information involved and context
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
Level of risk to privacy: 2
Details: Most of the personal information associated with CFI proposals and awards is not particularly sensitive in the sense that highly-qualified researchers tend to publish details of their academic credentials, employment history and research achievements on web sites associated with the eligible institutions where they are employed. This openness is a convention and expectation in modern research, scholarship and publication. The CFI has developed a privacy notice statement to advise the researchers associated with CFI proposals about uses and disclosures of their personal information to ensure that they are empowered to make informed decisions whether to participate.
3) Program or activity partners and private sector involvement
With other or a combination of federal/ provincial and/or municipal government(s)
Level of risk to privacy: 3
Details: CFI contributes a maximum of 40% of the total of the requested infrastructure funding. This means that the research institution seeking funding from CFI must secure the rest of the funding from other sources such as federal government institutions, provincial governments, non-profit and/or community partners.
In recognition of their shared interest in these projects, and of the obvious benefits of collaborative approaches to review, some CFI program components are designed around partnerships with relevant federal program partners. In some cases, funding proposals are adjudicated jointly or in parallel with other federal research funding agencies, usually one or more of the three federal research funding agencies, the Natural Sciences and Engineering Research Council (NSERC), the Social Sciences and Humanities Research Council (SSHRC) and the Canadian Institutes of Health Research (CIHR). In certain of these “tri-agency” programs, a proposal may include a specific additional component requesting support for research infrastructure support from the CFI. In such cases, the research funding proposals, or parts of them, may be shared with the CFI and vice versa. The content of expert and committee assessments may also be shared. Institutions applying for support under the tri-agency Canada Research Chairs (CRC) program 1, for example, may include a component in the funding application requesting infrastructure funding from the CFI. Final decisions are made by the CFI.
Limited information may also be shared with provincial funding partners. This does not typically happen at the proposal submission phase since institution apply separately to these agencies to make up all or part of the 60% of funds not provided by the CFI. However, it is in the interest of the proponents and the various funding agencies to avoid unnecessary duplication of effort and to reduce response burden on expert reviewers. The CFI may share assessment reports from expert committee and multidisciplinary committee recommendations with the provincial funding partners. The information would reflect the consensus view of the committee, there is no attribution of opinions or recommendations to a specific expert reviewer or committee member. The CFI has agreements in place with most provinces governing the sharing of information since the partners are assessing the same projects. Applicant institutions and their researchers are informed of this aspect of the process in CFI Privacy Statements.
Similarly, because partners have similar requirements for post award progress reporting, in some programs limited post-award reporting information is shared. The data shared is aggregate data showing the impact of the infrastructure. The only personal information disclosed would be identities of the project leaders, which are public in any case. The individuals whose information is shared are advised from the outset and the sharing is governed by agreements between the partners.
4) Duration of the program or activity
Level of risk to privacy: 3
Details: Specific funds are of limited duration; however, core CFI funding programs are ongoing, subject to the continued funding allocations by Parliament.
5) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details: CFI programs affect the relatively small numbers of individuals who are involved in these proposals and awards. Thus, only certain external individuals are affected, the research project leaders and principal users of the infrastructure.
Activities related to the submission of applications and management of CFI awards also involve research administrators and senior officials in eligible institutions, officials in other federal institutions, in other government jurisdictions, as well as company officials, community stakeholders, expert reviewers and committee members. Limited personal information identifying these other individuals may come to reside in the CFI’s files in the context of these activities; however, these individuals are not as directly affected by the CFI program decisions.
6) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
CFI has developed and implemented the Canada Foundation for Innovation Awards Management System (CAMS). CAMS is a secure online portal that enables eligible research institutions to apply for CFI funding and assists them in managing the full life cycle of a CFI-funded project. CAMS enables institutional administrators to manage pre-award and post-award activities related to CFI funding. It also enables researchers to prepare proposals for submission to their institution, and to have access to information related to the projects they lead. CAMS also gives reviewers access to the information and documentation necessary to assess the proposals assigned to them.
The new or modified program or activity involves the implementation of one or more of the following technologies:
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: No
7) Personal information transmission
The personal information is transferred to a portable device or is printed.
Level of risk to privacy: 3
Details: CFI’s Awards Management System, CAMS, is a web-based portal that enables project leaders and authorized institutional officials to complete and amend their respective parts of applications for CFI funding. It allows them to track and manage applications and awards through the entire funding cycle. The portal also permits reviewers and committee members to register and complete their reviews.
8) Risk impact to the institution
Details: A breach that resulted in the unauthorized disclosure of personal information of any kind under the CFI’s control could cause embarrassment to CFI and its senior officials. It could affect CFI’s credibility in the eyes of the research community, the media and the public with respect to the safeguarding of confidential information.
9) Risk impact to the individual or employee
Details: The personal information collected and used by the CFI to make decisions about research infrastructure awards meets the definition of personal information in the Privacy Act in that it relates to identifiable individuals; however, most of it is not particularly sensitive. Researchers publish biographical information in the form of curriculum vitae, including information on their research interests. The publicly-available versions of their CVs often contain sketches of their academic achievements and employment history. The unauthorized disclosure of such personal information entrusted to the CFI would be a serious matter, and would be treated as such; however, it would be unlikely to have a significant impact on the individual.
(The CRC program is a tri-agency initiative of the Social Sciences and Humanities Research Council (SSHRC), the Natural Sciences and Engineering Research Council and the Canadian Institutes of Health Research. It is administered by the Tri-agency Institutional Programs Secretariat, which is housed within SSHRC.