Covert Access and Intercept Team privacy impact assessment
On this page
Program overview
In order for the RCMP to carry out its mandate to enforce the law and investigate offences, the RCMP must conduct policing duties pursuant to section 18 of the RCMP Act by collecting evidence and personal information. Successful criminal investigations rely on relevant evidence that must be lawfully obtained to prove the elements required for each of the alleged offences. Broadly speaking, individuals who are involved in the most serious of crimes typically understand that if caught they face greater risk of incarceration and therefore make more sophisticated efforts to avoid detection. Nevertheless, as the use of digital devices has become increasingly incorporated into our day-to-day lives, those individuals are also more likely to leave a digital trail of evidence of their activities. Although police are sometimes able to collect the data sent, received, or stored on or by digital devices, protections such as end-to-end encryption are often used to render such data collection unreadable and therefore useless to investigators. As internet and telecommunication technologies have evolved, tools and techniques used by police have likewise advanced, which led to the establishment of the RCMP's Covert Access and Intercept Team in late 2016.
Search and seizure powers that permit police to collect evidence are long established practices recognised in both statute and common law as well as by the courts. The Covert Access and Intercept Team's mandate is to implement lawful technological techniques to evidence collection that respects the law for search and seizure of digital evidence.
The Covert Access and Intercept Team's primary role is to access computers and digital devices, under warrant without the owner's knowledge, where evidence of serious criminality is believed to be held and to seize that evidence in a manner compliant with the Canadian Charter of Rights and Freedoms.
The tools and techniques used may vary greatly and are dictated by the hardware, software, and network configurations of the targeted computer systems, tablets or smartphones. This class of tools is generally referred to as On Device Investigative Tools.
Information collected by the Covert Access and Intercept Team in support of investigations is described in the RCMP's Personal Information Bank PPU 005 - Operational Case Records, Treasury Board of Canada Secretariat Registration Number 000997, in Personal Information Bank PPU 015- Criminal Operational Intelligence Records (Exempt Bank), Treasury Board of Canada Secretariat Registration Number 000999 and in PPU 025 National Security Investigations Records.
Program or activity type
| Description | Risk level | Rating |
|---|---|---|
| Program or activity that does not involve a decision about an identifiable individual | Low | |
| Administration of program or activity and services | Medium | |
| Compliance or regulatory investigations and enforcement | High | |
| Criminal investigation and enforcement or national security | Very high | Option selected |
Data type
| Description | Risk level | Rating |
|---|---|---|
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program | Low | |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source | Medium | |
| Social insurance number, medical, financial, or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual | High | |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive | Very high | Option selected |
Program or activity partners
| Description | Risk level | Rating |
|---|---|---|
| Within the institution (among one or more programs within the same institution) | Low | |
| With other government institutions | Medium | |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments | High | Option selected |
| Private sector organizations, international organizations or foreign governments | Very high |
Program duration
| Description | Risk level | Rating |
|---|---|---|
| One-time program or activity | Low | |
| Short-term program or activity | Medium | |
| Long-term program or activity | High | Option selected |
Program population
| Description | Risk level | Rating |
|---|---|---|
| The program's use of personal information for internal administrative purposes affects certain employees | Low | |
| The program's use of personal information for internal administrative purposes affects all employees | Medium | |
| The program's use of personal information for external administrative purposes affects certain individuals | High | Option selected |
| The program's use of personal information for external administrative purposes affects all individuals | Very high |
Technology and privacy
Note
A yes response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.
| Description | Rating |
|---|---|
| Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? | Yes |
| Does the new or substantially modified program or activity require any modifications to information technology legacy systems? | No |
Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
| Yes |
Personal information transmission
| Description | Risk level | Rating |
|---|---|---|
| The personal information is used within a closed system (that is, no connections to the Internet, Intranet or any other system and the circulation of hard copy documents is controlled) | Low | |
| The personal information is used in a system that has connections to at least one other system | Medium | |
| The personal information is transferred to a portable device (that is, USB key, diskette, laptop computer), transferred to a different medium or is printed | High | |
| The personal information is transmitted using wireless technologies | Very high | Option selected |
Impact on individuals in the event of a breach
A breach of privacy during Covert Access and Intercept Team operations could no doubt be damaging to the individual in question. Various types of judicial authorizations are granted to support the Covert Access and Intercept Team's evidence seizure efforts. Those authorizations define what the court has deemed appropriate information to collect in pursuit of the specific investigation and how that that evidence can be collected. Presently, mobile devices and other computer systems contain a myriad of information some of which likely constitutes sensitive personal information. Law enforcement is only entitled to collect information specified in the warrant.
While the risk of a breach is minimal given the security measures put in place by the RCMP, given the nature of the information sought through Covert Access and Intercept Team services, it is possible a breach could result in serious injury to the individual. The RCMP and the Covert Access and Intercept Team recognize the need to maintain the integrity of seized data, not only for continuity and court admissibility purposes, but also to minimize the potential impacts to an individual's privacy. To that end, the Covert Access and Intercept Team manages the collected information in accordance with RCMP and Government of Canada policies for Protected B information. The evidence collected is only accessible in a human-readable format once the data is delivered to the RCMP database. Due to the precision and targeted nature of Covert Access and Intercept Team operations, in the event of a breach, only limited data from one computer system or device will be affected. That data will be encrypted and rendered unreadable. In the extremely unlikely event that Covert Access and Intercept Team operations result in a data breach and the Covert Access and Intercept Team's encryption processes also fail, the resulting data, while clearly no longer fully secure, would still not be rendered into a human-readable format without substantial effort and expertise.
When data must be removed from the database, such as for disclosure in court proceedings, the investigator will protect the information in accordance with RCMP policies on the protection of information.
- Date modified: