Privacy Impact Assessments (PIA)

Mandatory Vaccination Measures Initiatives (March 2022)

Description of program

The Government of Canada introduced mandatory COVID-19 vaccine measures across the federal public service. Crown Corporations are expected to implement measures mirroring broader Government of Canada vaccination requirements. CMHC implemented the Vaccination Attestation and Request for Exemption on human rights grounds under the CHRA, to be compliant. These processes require the collection of personal information.

Findings

The PIA identified no findings hence, a Management Action Plan (MAP) is not required.

Richmond Advisory Services Inc. (March 2022)

Description of program

The National Housing Council (NHC) is an advisory body that promotes participation and inclusion in the development of housing policy. The purpose of NHC is to further the housing policy underlying the National Housing Strategy (NHS). The NHC conducts review panels and public hearings on systemic housing issues to achieve their mandate and in the course of doing so, personal information is collected.

Findings

The PIA identified 2 moderate level findings. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk was completed by September 2022.

National Housing Council (July 2022)

Description of program

The National Housing Council (NHC) is an advisory body that promotes participation and inclusion in the development of housing policy. The purpose of NHC is to further the housing policy underlying the National Housing Strategy (NHS). The NHC conducts review panels and public hearings on systemic housing issues to achieve their mandate and in the course of doing so, personal information is collected.

Findings

The PIA identified 2 moderate level findings. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk was completed by September 2022.

ClearView Connects (August 2022)

Description of program

ClearView Connects is a third-party vendor that offers a service to CMHC employees in providing a secure and anonymous way for employees to ask questions, raise concerns or report workplace incidents and or wrongdoing.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Canada Greener Home Loan Initiative (September 2022)

Description of program

CMHC was directed to deliver a Canada Greener Home Energy Retrofit Loan Program to help homeowners complete deep home retrofits through interest-free loans. CMHC was mandated to design and implement the program such that the homeowners have a seamless user experience that integrates some of the information transferred to CMHC from the grant portion offered through National Resources Canada (NRCan) and access to the loan application process/loan portal. CMHC contracted Intellifi for the delivery of the loan portal.

Findings

The PIA identified 1 moderate level risk finding. The finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk is in progress and scheduled to be completed by June 2023.

Digital Well Being Portal (September 2022)

Description of program

CMHC’s Well-being Portal is a comprehensive solution that curates a catalogue of mental health, social, financial, and physical well-being services for employees. As a fully integrated platform, along with CMHC’s existing Health Benefits provider, this allows employees to use their flex credits towards a more diverse range of benefits.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Kiteworks- OPTIV (October 2022)

Description of program

CMHC hired Optiv to setup, configure and deploy Kiteworks (a secure managed file transfer - SMFT) SaaS Platform for CMHC in the Accellion cloud environment. To that effect, Optiv will also migrate ten (10) existing vaults from current SMFT platform (CyberArk) to Kiteworks (new SMFT platform). This will allow CMHC to securely transfer sensitive files to and from other government departments and Financial Institutions.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Fraud Risk Management (Luminate) (October 2021)

Description of program

Luminate is a real-time, adaptive identity fraud solution that uses advanced analytics and data orchestration to effectively assess potential fraud on new accounts. The solution matches input data to Equifax’s consortium fraud and historical client data, to help detect fraud patterns based on user-controlled business rules.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Veranova Properties Limited (May 2021)

Description of program

Veranova Properties Limited delivers real estate services for CMHC-owned real estate (1-6) units in various regions across Canada, excluding Quebec. The Service Provider provides property management, marketing and sales services in accordance with CMHC Guidelines, including Policy, Letter of Instructions, industry rules and standard practices in effect.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Corporate Insurance (Opticrisk) (May 2021)

Description of program

OpticRisk is an advanced web-based incident/claims, assets and insurance policy management tracking system that manages claims and asset data and facilitates comprehensive reporting and analysis of an organizations risk. It also provides CMHC employees with the information required to manage risks across multiple organizational levels.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

DocCentre & Digital Mail Services (Xerox) (May 2021)

Description of program

Xerox DocCentre & Digital Mail Services provides CMHC with DocCentre and mail services, including incoming mail, outbound courier, printing and digital mail services. DocCentre Hub is CMHC’s customized platform from Xerox, for CMHC employees to submit requests for printing, mass mailing, digitization and business cards. Xerox uses SCLogic as the platform for CMHC employees and contractors to access incoming mail & shipping and is the portal for the outbound courier services.

Findings

The PIA identified 1 moderate and 1 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk was completed by December 2021.

Employee Relations Case Management System (Sodales) (March 2021)

Description of program

The Employee Relations (ER) Case Management System through Sodales is a cloud-based solution that provides an end-to-end integrated environment for managing human resources related requests. Using a role-based design, the Case Management System allows employees to direct inquiries to Employee Relations, Health and Safety, Disability Management and HR Shared Services Teams.

Findings

The PIA identified 1 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in August 2021.

Legal Request System (Flowfit-Consoltec) (March 2021)

Description of program

FlowFit is a SaaS Request Management System made available by Consoltec Inc. for CMHC to access and use on a subscription basis. This system enables various internal lines of business to initiate requests to Legal Services. FlowFit enables Legal Services to record, manage and track requests in order to manage workflows.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Pei Rural and Native Housing Program (March 2021)

Description of program

The Rural and Native Housing Program is designed to help low-income families in rural areas obtain suitable, adequate, and affordable housing on a rental basis only. This program is designed to provide affordable housing, the rental payments are based on a percentage of their income. Information collected is used to determine program eligibility, maintain tenant communications and determine rent amounts by verifying total household income.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Outsourcing Pension Plan Payments (February 2021)

Description of program

CMHC uses RBC Investor &Treasury Services to administer pension payments, retroactive payment calculations, reconciliation upon termination of payment, following the death of recipients, overpayment recoveries, preparation and distribution of year-end tax forms, commuted value payments to individuals, financial institutions and customer service.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Federal Community Housing Initiative — Phase 2 (FCHI2) (October 2020)

Description of program

FCHI-Phase 2 will provide $462 million in funding from September 1, 2020 to March 31, 2028. The two FCHI-2 funding streams are Rental Assistance and Transitional Funding. The rental assistance stream provides financial assistance for low-income households. Housing providers may apply for this rental support, which aims to fund the gap between 30% of an assisted household’s gross monthly income and the occupancy charge. The transitional funding stream is available to housing providers having trouble transitioning to the new program. The temporary funding will cover eligible operating costs for up to 24 months following the expiration of past federal agreements. This funding stream has a limited budget and is reserved for the most vulnerable groups, such as deep subsidy projects or urban Indigenous projects.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk were completed in 2020.

Equifax (October 2020)

Description of program

CMHC uses Equifax to obtain electronic credit bureau information for National Housing Act related to the requirements of the Privacy Act, TBS guidelines, regulatory expectations and privacy best practices in order to better understand our privacy risk posture and address any areas of identified risk before we roll out or implement our initiative.

Findings

The PIA identified 1 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in 2020.

Research (October 2020)

Description of program

Internal and external Research activities including data related to housing needs and conditions, household composition, and past and current housing needs and conditions. Research, expertise and experience is obtained from individuals and organizations.

Findings

The PIA identified 6 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk will be completed in 2021.

Image on Demand (September 2020)

Description of program

Image on Demand is an alternative document delivery service for retrieval of information stored off-site at Iron Mountain warehouse. The service enables CMHC to gradually digitize physical records that are still referenced and minimize our dependency on these physical records, as well as reduce our off-site storage footprint. It serves as a method for converting paper or film-based information to a digital format.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Compensation and Benefits Program (Manulife) (August 2020)

Description of program

CMHC collects, uses, and shares of personal information from employees required as a condition of employment to administer the various human resources-related functions such as employee benefits administration, compensation and benefits, which has been outsourced to an outside supplier — Manulife Company.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk were completed in 2020.

Business Continuity Management (Rave Mobile Safety) (August 2020)

Description of program

Rave Alert software is a business continuity alert system used for internal employees. It is a license-based a fully hosted, web-based emergency mass notification technology system. The system is owned by Rave Mobile Safety, operated in Canada by a Canadian Team against the requirements of the Privacy Act, TBS guidelines, regulatory expectations and privacy best practices in order to better understand our privacy risk posture and address any areas of identified risk before we roll out or implement our initiative.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in 2020.

Canada Emergency Commercial Rent Assistance (July 2020)

Description of program

Canada Emergency Commercial Rent Assistance (CECRA) for small businesses provides relief for small businesses experiencing financial hardship due to COVID‑19. CECRA for small businesses offers you a forgivable loan worth 50% of the value of your small business’ rent each month. The loans will be forgiven if you comply with all applicable program terms and conditions.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in 2020.

MyHR Systems (CMHC’s branded instance of SAP SuccessFactors) (June 2020)

Description of program

CMHC collects, uses, and shares HR data about its employees and prospects who are seeking employment at CMHC in the context of employment at CMHC utilizing myHR. MyHR is solely used for human resources planning which is detailed in the privacy notice presented to employees and prospects who are seeking employment at CMHC. HR data is disclosed with programs or activities of the Canadian Government in compliance with the primary purpose of human resources planning. Examples of HR data disclosure to the Canadian Government are “Official Languages in Federal Institutions Report” and “Workplace Equity Information Management System Report”.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk will be completed by the end of the 2020 calendar year.

Granville Island Volunteer Program (Better Impact Software) (June 2020)

Description of program

CMHC collects and uses personal information in the Better Impact Software that was provided on a voluntary basis from the participation in the Granville Island Volunteer Program.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 2 high priority (Breach Management Process and Logical Access) and 2 low priority risks that were all remediated in 2020.

Client Relationship Management (CRM) System (February 2020)

Description of program

CMHC’s Dynamics 365 Client Relationship Management (CRM) system is a central database that provides a single source of client contact information to enable external client-facing teams to work better together by sharing contacts, dashboard and reports. The CRM system centralizes data and standardizes processes across the regions to improve productivity, enable decision-making and improve the client experience. The CRM system is used to store client contact information and records of correspondence that provide CMHC employees with the insights to develop, improve, and retain client relationships and build custom dashboards to analyze data.

Findings

The PIA identified 9 high priority (Compliance Review Procedure, Privacy Training Program, Training and Guidelines, Third Party Disclosure Agreements, User Guide, Records Retention Schedule, Unique Identifiers, Limited Retention, and Disposition) and 14 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks will be completed by the end of the 2021 calendar year.

Data Lake PIA (January 2020)

Description of program

CMHC’s Data Lake is a centralized repository that stores data across all CMHC programs. The Data Lake is CMHC’s single data source, which increases data security, facilitates integration and improves sharing and collaboration between business lines. The largest amount of data in the Data Lake comes from emili, which is CMHC’s online mortgage insurance application system. The scope of this assessment focused on CMHC’s emili, in addition to a total of seven systems that feed into the Data Lake. Namely, we assessed the data inputs into emili, Collibra, Success Factors, CRM, Dynamics 365, ERP and data warehouses.

Findings

The PIA identified 15 high priority (Contact Person, Compliance Review Procedure, Privacy Training Program, Data Owners, Third Party Disclosure Agreements, Privacy Notice, Consistent Use, Original Consent, Secondary Use, Anonymize Data, Access, Identified Purpose, Records Retention Schedule, Limited Retention, User Authentication) and 26 low priority risks, resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks will be completed by the end of the 2021 calendar year.

Technology Transformation Program (December 2019)

Description of program

CMHC collects, uses, and processes personal information about applicants in their application HR data about its employees and prospects who are seeking employment at CMHC in the context of employment at CMHC utilizing myHR.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 4 high priority (Access Management, Training and Guidelines, Third Party Disclosure Agreements, Records Retention Schedule) and 5 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks will be completed by June 2021.

First-Time Homebuyer Incentive (FTHBI) (November 2019)

Description of program

As part of the National Housing Strategy, the First-Time Home Buyer Incentive launched on September 2, 2019, to help middle class families take their first steps towards homeownership by reducing monthly mortgage payments required for first-time homebuyers without increasing the amount they need to save for a down payment. The program offers 5 or 10% of the home’s purchase price to put toward a down payment, which lowers mortgage carrying costs and makes homeownership more affordable.

Findings

The PIA identified 3 high priority (Compliance Review Procedure, Privacy Training Program, and Records Retention Schedule) and 9 low priority risks for both the FTHBI and Shared Equity Mortgage Providers fund (SEMP) programs resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed in 2020.

Shared Equity Mortgage Providers Fund (SEMP) (November 2019)

Description of program

As part of the National Housing Strategy, the Shared Equity Mortgage Providers (SEMP) Fund helps eligible Canadians achieve affordable home ownership. This $100-million lending fund supports existing shared equity mortgage providers and attracts new providers of shared equity mortgages by encouraging additional housing supply. The Shared Equity Mortgage Providers Fund is a 5-year program that launched on July 31, 2019. It aims to assist in the completion of 1,500 new units and help at least 1,500 homebuyers buy their first home. The program offers eligible proponents repayable loans from one of two possible funding streams. The first is funding for preconstruction cost loans to commence new housing projects in which shared equity mortgages will be provided to homebuyers via SEMPs and the second is Loans to SEMPs to fund shared equity mortgages that they provide directly to first time homebuyers.

Findings

The PIA identified 3 high priority (Compliance Review Procedure, Privacy Training Program, and Records Retention Schedule) and 9 low priority risks for both the SEMP and FTHBI programs resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed in 2020.

National Housing Strategy (September 2018)

Description of program

CMHC collects, uses, shares, and processes personal information received from Provincial or Territorial Government Partners, as well as from individuals applying for affordable housing projects. The National Housing Strategy was announced on November 22, 2017 as part of a $40 billion plan that will deliver more affordable, accessible, inclusive and sustainable homes. The primary focus is on meeting the needs of vulnerable populations, such as women and children fleeing family violence, seniors, Indigenous peoples, people with disabilities, those dealing with mental health and addiction issues, veterans and young adults.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 3 low priority risks and 1 residual risk that have been fully mitigated. The priority findings resulted in recommendations for remediation of these risks, which were all completed by March 2020.

Lender File Review and Operational Compliance Program (May 2016)

Description of program

Under the National Housing Act (NHA), mortgage loan insurance is mandatory for federally regulated lenders in Canada when the buyer of a home has less than a twenty percent down payment. This insurance protects the mortgage lender against loss if a borrower defaults, and allows qualified borrowers to access homeownership at interest rates comparable to those offered to buyers with larger down payments. When applying for loan insurance, Lenders are required to share borrower information with CMHC, which is initially submitted to CMHC for loan underwriting and risking purposes. CMHC’s Lender File Review and Operational Compliance Program is responsible to conduct reviews for assessing the accuracy of insured mortgage loan information in applicants. Although the Program only requires certain elements of personal information in order to assess lender files, other personal information may be included by the lender. The personal information is used by the Program to verify the lender submitted accurate information via emili at the time of loan approval and had sufficient documentation on file to substantiate the data submitted.

Findings

The PIA identified 1 high (Safeguards), 1 moderate and 1 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed.

Outsourcing of the Human Resources, Payroll Administration Function (February 2016)

Description of program

CMHC collects, uses, and shares personal information from employees required as a condition of employment to administer the various human resources-related functions such as payroll administration, compensation and benefits in the context of employment at CMHC. In 2013/14, CMHC’s Management Committee (MC) proposed the full outsourcing of the payroll administration function to an outside supplier — Ceridian Canada Ltd. (Ceridian, or the Contractor). Through the outsourcing of the payroll administration functions to the Contractor, CMHC will be required to provide employee personal information to the Contractor in order for the Contractor to provide payroll services to CMHC.

Findings

The PIAs identified 1 medium priority and 3 low priority risks resulting in recommendations for remediation. The mitigation strategies for these risks were completed in 2016.

Outsourcing of the Human Resources, Employee Benefit Administration Function (February 2016)

Description of program

CMHC collects, uses, and shares personal information from employees required as a condition of employment to administer the various human resources-related functions such as employee benefits administration, compensation and benefits, among others. CMHC’s Management Committee (MC) proposed the full outsourcing of the employee benefits administration function to an outside supplier — Great West Life Assurance Company (GWL, or the Contractor). To meet the needs of CMHC’s employee benefits administration, GWL has proposed the implementation of their proprietary Software as a Service (SaaS) product, GroupNet Flex. GroupNet Flex is a fully secure Internet-based tool that will allow CMHC to manage its administrative and enrollment needs, and will let CMHC plan members and administrators manage benefit options online, in a user-friendly environment.

Through the outsourcing of the employee benefits administration function to the GWL, CMHC will be required to provide employee personal information to the Contractor in order for the Contractor to provide services to CMHC.

Findings

The PIAs identified 1 medium priority and 3 low priority risks resulting in recommendations for remediation. The mitigation strategies for these risks were completed in 2016.

Outsourcing of the Human Resources, Pension Administration Function (February 2016)

Description of program

CMHC collects, uses, and shares personal information from employees required as a condition of employment to administer the various human resources-related functions such as pension benefits administration, compensation and benefits, among others. The CMHC Pension Plan provides its members and beneficiaries with pension benefits in accordance with the provisions of the CMHC Pension Plan Rules. In 2013/14, the government provided CMHC (and other Crown Corporations) with specific orders to reform their pension plans to be more inline with their federal government equivalents by 2017. In consideration of the Order-In-Council and the necessary costs to update CMHC’s current system and make it compliant with today’s regulatory and transactional practices, the CMHC proposed the full outsourcing of the pension administration function to an outside supplier — AON Hewitt (or the Contractor).

Findings

The PIAs identified 1 medium priority and 3 low priority risks resulting in recommendations for remediation. The mitigation strategies for these risks were completed in 2016.

Housing Internship Initiative for First Nations & Inuit Youth (HIIFNIY) (February 2016)

Description of program

CMHC’s Housing Internship Initiative for First Nations & Inuit Youth is a youth employment initiative that provides financial assistance to help First Nations and Inuit businesses and organizations create housing-related internships for youth. CMHC provides a wage subsidy to First Nations Band Councils, Tribal Councils, Inuit community or business organizations that sponsor eligible First Nations and Inuit Youth. HIIFNIY forms part of the federal government’s Youth Employment Strategy (YES), which has three streams. HIIFNIY is part of the “Skills Link” stream intended to target unemployed youth at risk.

Findings

The PIA identified 6 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed.