Skip to content
CMHC Home Canada Mortgage
and Housing Corporation
  • Sign In or Register
  • Français
  • MENU
MENU
× Français
  • Home
  • Professionals
    • Project funding and mortgage financing
      • Funding programs
        • Affordable Housing Fund
        • Affordable Housing Innovation Fund
        • Apartment Construction Loan Program
        • Canada Greener Affordable Housing
        • Community (social) housing
        • Federal Lands Initiative
        • Funding for Indigenous housing
        • Housing Supply Challenge
        • Innovation and research
        • National Housing Strategy Project Profiles
        • Rapid Housing Initiative
      • Mortgage Loan Insurance Products
        • Homeowner and Small Rental Mortgage Loan Insurance
          • CMHC Purchase
          • CMHC Improvement
          • CMHC Income Property
          • CMHC Refinance
          • CMHC Newcomers
          • CMHC Self-Employed
          • CMHC Portability
          • Eco Products for Lenders
        • Multi-Unit and Rental Housing
          • MLI Select
        • Default, claims and properties for sale
        • Underwriting centre
        • emili
        • NHA approved lenders
        • Calculating GDS / TDS
        • How to recognize and report mortgage fraud
        • Contact mortgage loan insurance
        • Insured Mortgage Purchase Program (IMPP)
      • Securitization
        • NHA Mortgage Backed Securities
        • Canada Mortgage Bonds
        • Canadian registered covered bonds
        • Blockchain in the housing industry
    • Housing markets, data and research
      • CMHC Reports Calendar
      • Housing markets
        • Housing market reports
        • Mortgage market and consumer reports
        • Fall 2024 Rental Market Report
      • Housing research
        • Consultations
          • Prohibition on the Purchase of Residential Property by Non-Canadians Act
            • Prohibition on the Purchase of Residential Property by Non-Canadians Act – Frequently asked questions
        • Housing research reports
        • Housing surveys
          • Mortgage consumer surveys
        • Research awards and scholarships
        • Understanding core housing need
        • Collaborative Housing Research Network
      • Housing data
        • Data tables
          • Household characteristics data
          • Housing market data
          • Mortgage and debt data
          • Rental market data
        • Housing market information portal
        • Residential Mortgage Industry Data Dashboard
        • CMHC licence agreement for the use of data
        • Housing Knowledge Centre
    • Industry innovation and leadership
      • Housing innovation
      • Our Partners
        • Partnerships
        • Federal, Provincial and Territorial Forum on Housing
      • Industry collaboration
        • Expert Community on Housing (ECoH)
      • Industry expertise
        • Affordable housing
        • Indigenous housing
        • Senior housing
        • Accessible and adaptable housing
        • Developing sustainable housing
        • Resources for mortgage professionals
        • CMHC newsletters
    • Events and speakers
      • Conferences
        • 2024 National Housing Conference
          • About
          • National Housing Conference - Agenda
          • Location
          • InnoZone
          • Details for participants
      • Speakers’ bureau
        • Kevin Hughes
  • Consumers
    • Buying a home
      • Homebuying calculators
        • Mortgage calculator
        • Affordability calculator
        • Debt service calculator
      • Buying guides
        • Homebuying step by step
        • CMHC's condominium buyer's guide
      • Mortgage loan insurance for consumers
        • What is CMHC mortgage loan insurance?
        • Do I qualify for mortgage loan insurance?
        • CMHC mortgage loan insurance costs
        • CMHC's Eco Products
          • CMHC’s Eco Improvement
          • CMHC Eco Plus
        • CMHC — home renovation financing options
        • FAQs — mortgage loan insurance
      • Incentives for homebuyers
      • Newcomers
      • The First-Time Home Buyer Incentive
    • Owning a home
      • Manage your mortgage
        • Mortgage fraud
        • Mortgage planning tips
        • Plan and manage your mortgage
        • Your credit report
        • Your home value
      • Aging in place
        • Housing options for Seniors
        • Housing and finance tips
        • Mortgage financing options for people 55+
        • Preventing fraud and financial abuse
    • Renting a home
      • I want to rent
        • Things to consider before renting
        • Types of housing for rent in Canada
        • Finding or advertising a rental property
        • Visiting the rental property
        • Lease and rental agreements
        • Signing the lease
        • Credit checks and bad credit
        • Rental payments and deposits
        • Roommates and pets
      • I am renting
        • Moving day
        • Landlord/Tenant responsibilities
        • Inspections
        • Maintenance and repairs
        • Complaints and evictions
        • Rent increases
        • When you can't pay rent
        • Renewing or terminating the lease
        • Moving out
      • One-Time Top-Up to the Canada Housing Benefit
      • COVID‑19: eviction bans and suspensions to support renters
  • About CMHC
    • CMHC’s goals, values and commitment to housing
    • Discover Life at CMHC
    • Management and governance
      • Speakers’ bureau
      • CMHC's Annual Public Meeting
      • CMHC’s board of directors and committees
      • Our management committee
      • Pension governance
        • Pension overview
        • Key roles and responsibilities
        • Annual reports
    • Corporate reporting
      • CMHC’s 2023 Annual Report
      • Program evaluation
      • Quarterly financial reports
      • Joint auditors special examination report to CMHC board 2018
      • CMHC’s Insured Mortgage Deferral
      • Corporate Plan Summary
      • Transparency
        • Access to information and privacy protection
        • Accessibility at CMHC
        • Accessibility feedback process
        • Briefing materials
        • Procurement
          • Vendor Diversity Program
        • Travel, hospitality and conference expenditures
    • Contact us
      • Contact mortgage loan insurance
      • Regional offices
      • Granville lsland
      • Indigenous and the North Housing Solutions
      • National office
      • Holiday service hours
  • Media Newsroom
  • National Housing Strategy
    • What is the strategy?
      • About the initiatives
      • How to apply
      • Help and resources
      • Priority areas for action
      • The National Housing Strategy Glossary of Common Terms
      • The Strategy in Action
    • Federal/Provincial/Territorial housing agreements
    • Other funding and financing opportunities
  • The Housing Observer
  • Canada’s Housing Podcast
  • Careers
  • Housing Knowledge Centre
 
  • Home
  • About CMHC
  • Corporate reporting
  • Transparency
  • Privacy Impact Assessments (PIA)
  • Save
  • Share

Privacy Impact Assessments (PIA)

Ensuring privacy compliance in our activities and programs.

Save Icon

SAVE TO MY FOLDER

Privacy Impact Assessments (PIA)

SAVE
Close this Window   |   Manage my Folder
Save Icon

SAVE TO MY FOLDER

Privacy Impact Assessments (PIA)

Done Done!
Close this Window   |   Manage my Folder
Share icon

Share via

  • Facebook
  • LinkedIn
  • Mail
  • print
  • CopyLink

SuccessCopyLinkVersionLink copied

Share icon

Share via

  • Facebook
  • LinkedIn
  • Mail
  • print
  • CopyLink

SuccessCopyLinkVersionLink copied

share icon

Mail-blue Share via Email

Did You Know?

You can include an email signature?

Register | Sign In

×
Google Captcha Loader
share icon

Mail-blue Share via Email

Done Done!
Close this window

Why Privacy Impact Assessments (PIA) are Completed

CMHC completes Privacy Impact Assessments to ensure compliance with the requirements set out in the Privacy Act, Treasury Board of Canada Secretariat (TBS) policies and directives, and privacy best practices.

In line with the Privacy Act, PIAs are completed for any new, revised or outsourced programs or activities. PIAs help us embed privacy into the design of our activities by understanding the risks associated with new or redesigned programs and making privacy a key consideration before they are launched.

PIAs are used as a risk management tool to help us identify areas of privacy risk in our activities and implement remediation plans to reduce risks to an acceptable level.

We assigned priority ratings to all identified deficiencies/findings as either a “high” or “low” priority based on the criteria below, which was based on our industry knowledge and privacy experience in dealing with TBS, considering the Privacy Act, TBS Guidelines and regulatory expectations:

A high priority  means that the finding must be remediated or addressed as soon as possible to reduce the risk posed to CMHC and/or the privacy rights of the individual to an acceptable level within CMHC’s risk appetite.

Immediate remediation of the finding is required as there is a high degree of certainty that the failure to remediate will lead to:

  • Non-compliance with the law or contrary to regulatory expectations and/or TBS guidelines;
  • Reputational damage to CMHC or area under review; or
  • Significant and/or adverse regulatory scrutiny or fines and/or negative media attention.

A low priority  means that there is low residual risk of harm. The remediation of the finding is not required by law or regulation, however it is recommended as an area of enhancement. It is intended to provide CMHC with additional information to assist in developing best practices for the area or process under review.

The low priority is categorized given that the:

  • Finding can only lead to limited financial, legal, reputational, human consequence or impact in the area under review; or
  • Deviation from policy or procedure represents a change in business process but doesn’t violate the law or is contrary to regulatory expectations (i.e. policy is no longer applicable and requires updating).
  • Area under review requires routine management attention to reduce exposure(s), and is warranted to assist in the overall efficiency of the process.

For more information:

If you would like more information about this PIA, please contact:
Privacy Office
700 Montreal Road
Ottawa, Ontario
K1A 0P7
Email: PrivacyOffice@cmhc-schl.gc.ca
Phone: 1-800-668-2642

Privacy Impact Assessment Summaries

2023

Arc Health Management Solutions — Absence Management Services PIA

Description

Arc Health Management Solutions of Canada Inc. will handle sensitive personal and health information for CMHC employees during Short Term Disability (STD) periods and related cases. This includes employee IDs, home addresses, personal emails, birth dates, hire dates, office locations, positions, and health data. The PIA focuses on ensuring data privacy and security compliance in the management, adjudication, and case handling of STD, medical accommodations, ergonomic assessments, and attendance management.

Findings

The PIA identified 1 moderate-level risk finding and 1 low-level risk finding. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks are in progress and scheduled to be completed by April 2024.

Know Your Customer (KYC) Program PIA

Description

CMHC's Know Your Customer (KYC) program is designed to identify and mitigate the risks involved in transacting with entities or individuals that may present an unacceptable level of risk. It focuses specifically on the Multi-Unit (MU) lending and insurance sector, where initial and further risk assessments are conducted on the applicants. For those flagged as high risk, CMHC leverages third-party vendors, specifically PWC and KPMG, to perform Level 2 Reputational Due Diligence. The findings from these due diligence processes inform CMHC's decision-making regarding proceeding with business engagements with these high-risk entities.

Findings

The PIA identified 2 moderate-level risk findings. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks are in progress and scheduled to be completed by April 2024.

Migration to Manulife — Benefits and Group Insurance PIA

Description

CMHC has established a partnership with Manulife through two formal agreements for "Benefits Administration" and "Group Insurance" as part of the same RFP process, with identical service delivery and organizational protocols across both. Manulife is appointed to handle personal information within its programs to administer group insurance and employee benefits for CMHC. Their role encompasses adjudicating claims across various plans including life, disability, health, and dental for both active employees and retirees. Additionally, as the Benefits Administrator, Manulife's responsibilities include recordkeeping, managing annual enrollments, data validation, and managing flex credits and spending accounts, as well as processing life events and monthly premium payments.

Findings

The PIA identified 2 low-level risk findings and 1 moderate-level risk finding. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks are in progress and scheduled to be completed by April 2024.

Equifax Tool — Luminate PIA

Description

CMHC has initiated a shift to Equifax's Luminate platform, which replaces Citadel for enhanced fraud detection in mortgage loan insurance applications. The upgrade includes the integration of additional personal information fields to refine fraud screening without increasing the sensitivity of the data. The Luminate system evaluates these parameters, which now encompass a broader range of financial and demographic details, to identify potential fraud risks more precisely. This modernized process allows for more targeted monitoring, investigation, and reporting by CMHC's fraud team to bolster the integrity of the mortgage insurance process.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

2022

Mandatory Vaccination Measures Initiatives (March 2022)

Description of program

The Government of Canada introduced mandatory COVID-19 vaccine measures across the federal public service. Crown Corporations are expected to implement measures mirroring broader Government of Canada vaccination requirements. CMHC implemented the Vaccination Attestation and Request for Exemption on human rights grounds under the CHRA, to be compliant. These processes require the collection of personal information.

Findings

The PIA identified no findings hence, a Management Action Plan (MAP) is not required.

Richmond Advisory Services Inc. (March 2022)

Description of program

The National Housing Council (NHC) is an advisory body that promotes participation and inclusion in the development of housing policy. The purpose of NHC is to further the housing policy underlying the National Housing Strategy (NHS). The NHC conducts review panels and public hearings on systemic housing issues to achieve their mandate and in the course of doing so, personal information is collected.

Findings

The PIA identified 2 moderate level findings. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk was completed by September 2022.

National Housing Council (July 2022)

Description of program

The National Housing Council (NHC) is an advisory body that promotes participation and inclusion in the development of housing policy. The purpose of NHC is to further the housing policy underlying the National Housing Strategy (NHS). The NHC conducts review panels and public hearings on systemic housing issues to achieve their mandate and in the course of doing so, personal information is collected.

Findings

The PIA identified 2 moderate level findings. The findings required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk was completed by September 2022.

ClearView Connects (August 2022)

Description of program

ClearView Connects is a third-party vendor that offers a service to CMHC employees in providing a secure and anonymous way for employees to ask questions, raise concerns or report workplace incidents and or wrongdoing.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Canada Greener Home Loan Initiative (September 2022)

Description of program

CMHC was directed to deliver a Canada Greener Home Energy Retrofit Loan Program to help homeowners complete deep home retrofits through interest-free loans. CMHC was mandated to design and implement the program such that the homeowners have a seamless user experience that integrates some of the information transferred to CMHC from the grant portion offered through National Resources Canada (NRCan) and access to the loan application process/loan portal. CMHC contracted Intellifi for the delivery of the loan portal.

Findings

The PIA identified 1 moderate level risk finding. The finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk is in progress and scheduled to be completed by June 2023.

Digital Well Being Portal (September 2022)

Description of program

CMHC’s Well-being Portal is a comprehensive solution that curates a catalogue of mental health, social, financial, and physical well-being services for employees. As a fully integrated platform, along with CMHC’s existing Health Benefits provider, this allows employees to use their flex credits towards a more diverse range of benefits.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Kiteworks- OPTIV (October 2022)

Description of program

CMHC hired Optiv to setup, configure and deploy Kiteworks (a secure managed file transfer - SMFT) SaaS Platform for CMHC in the Accellion cloud environment. To that effect, Optiv will also migrate ten (10) existing vaults from current SMFT platform (CyberArk) to Kiteworks (new SMFT platform). This will allow CMHC to securely transfer sensitive files to and from other government departments and Financial Institutions.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

2021

Fraud Risk Management (Luminate) (October 2021)

Description of program

Luminate is a real-time, adaptive identity fraud solution that uses advanced analytics and data orchestration to effectively assess potential fraud on new accounts. The solution matches input data to Equifax’s consortium fraud and historical client data, to help detect fraud patterns based on user-controlled business rules.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Veranova Properties Limited (May 2021)

Description of program

Veranova Properties Limited delivers real estate services for CMHC-owned real estate (1-6) units in various regions across Canada, excluding Quebec. The Service Provider provides property management, marketing and sales services in accordance with CMHC Guidelines, including Policy, Letter of Instructions, industry rules and standard practices in effect.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Corporate Insurance (Opticrisk) (May 2021)

Description of program

OpticRisk is an advanced web-based incident/claims, assets and insurance policy management tracking system that manages claims and asset data and facilitates comprehensive reporting and analysis of an organizations risk. It also provides CMHC employees with the information required to manage risks across multiple organizational levels.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

DocCentre & Digital Mail Services (Xerox) (May 2021)

Description of program

Xerox DocCentre & Digital Mail Services provides CMHC with DocCentre and mail services, including incoming mail, outbound courier, printing and digital mail services. DocCentre Hub is CMHC’s customized platform from Xerox, for CMHC employees to submit requests for printing, mass mailing, digitization and business cards. Xerox uses SCLogic as the platform for CMHC employees and contractors to access incoming mail & shipping and is the portal for the outbound courier services.

Findings

The PIA identified 1 moderate and 1 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategy for this risk was completed by December 2021.

Employee Relations Case Management System (Sodales) (March 2021)

Description of program

The Employee Relations (ER) Case Management System through Sodales is a cloud-based solution that provides an end-to-end integrated environment for managing human resources related requests. Using a role-based design, the Case Management System allows employees to direct inquiries to Employee Relations, Health and Safety, Disability Management and HR Shared Services Teams.

Findings

The PIA identified 1 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in August 2021.

Legal Request System (Flowfit-Consoltec) (March 2021)

Description of program

FlowFit is a SaaS Request Management System made available by Consoltec Inc. for CMHC to access and use on a subscription basis. This system enables various internal lines of business to initiate requests to Legal Services. FlowFit enables Legal Services to record, manage and track requests in order to manage workflows.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Pei Rural and Native Housing Program (March 2021)

Description of program

The Rural and Native Housing Program is designed to help low-income families in rural areas obtain suitable, adequate, and affordable housing on a rental basis only. This program is designed to provide affordable housing, the rental payments are based on a percentage of their income. Information collected is used to determine program eligibility, maintain tenant communications and determine rent amounts by verifying total household income.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Outsourcing Pension Plan Payments (February 2021)

Description of program

CMHC uses RBC Investor &Treasury Services to administer pension payments, retroactive payment calculations, reconciliation upon termination of payment, following the death of recipients, overpayment recoveries, preparation and distribution of year-end tax forms, commuted value payments to individuals, financial institutions and customer service.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

2020

Federal Community Housing Initiative — Phase 2 (FCHI2) (October 2020)

Description of program

FCHI-Phase 2 will provide $462 million in funding from September 1, 2020 to March 31, 2028. The two FCHI-2 funding streams are Rental Assistance and Transitional Funding. The rental assistance stream provides financial assistance for low-income households. Housing providers may apply for this rental support, which aims to fund the gap between 30% of an assisted household’s gross monthly income and the occupancy charge. The transitional funding stream is available to housing providers having trouble transitioning to the new program. The temporary funding will cover eligible operating costs for up to 24 months following the expiration of past federal agreements. This funding stream has a limited budget and is reserved for the most vulnerable groups, such as deep subsidy projects or urban Indigenous projects.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk were completed in 2020.

Equifax (October 2020)

Description of program

CMHC uses Equifax to obtain electronic credit bureau information for National Housing Act related to the requirements of the Privacy Act, TBS guidelines, regulatory expectations and privacy best practices in order to better understand our privacy risk posture and address any areas of identified risk before we roll out or implement our initiative.

Findings

The PIA identified 1 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in 2020.

Research (October 2020)

Description of program

Internal and external Research activities including data related to housing needs and conditions, household composition, and past and current housing needs and conditions. Research, expertise and experience is obtained from individuals and organizations.

Findings

The PIA identified 6 low priority risk. The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk will be completed in 2021.

Image on Demand (September 2020)

Description of program

Image on Demand is an alternative document delivery service for retrieval of information stored off-site at Iron Mountain warehouse. The service enables CMHC to gradually digitize physical records that are still referenced and minimize our dependency on these physical records, as well as reduce our off-site storage footprint. It serves as a method for converting paper or film-based information to a digital format.

Findings

The PIA has identified no findings hence, a Management Action Plan (MAP) is not required.

Compensation and Benefits Program (Manulife) (August 2020)

Description of program

CMHC collects, uses, and shares of personal information from employees required as a condition of employment to administer the various human resources-related functions such as employee benefits administration, compensation and benefits, which has been outsourced to an outside supplier — Manulife Company.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk were completed in 2020.

Business Continuity Management (Rave Mobile Safety) (August 2020)

Description of program

Rave Alert software is a business continuity alert system used for internal employees. It is a license-based a fully hosted, web-based emergency mass notification technology system. The system is owned by Rave Mobile Safety, operated in Canada by a Canadian Team against the requirements of the Privacy Act, TBS guidelines, regulatory expectations and privacy best practices in order to better understand our privacy risk posture and address any areas of identified risk before we roll out or implement our initiative.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in 2020.

Canada Emergency Commercial Rent Assistance (July 2020)

Description of program

Canada Emergency Commercial Rent Assistance (CECRA) for small businesses provides relief for small businesses experiencing financial hardship due to COVID‑19. CECRA for small businesses offers you a forgivable loan worth 50% of the value of your small business’ rent each month. The loans will be forgiven if you comply with all applicable program terms and conditions.

Findings

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk have been completed in 2020.

MyHR Systems (CMHC’s branded instance of SAP SuccessFactors) (June 2020)

Description of program

CMHC collects, uses, and shares HR data about its employees and prospects who are seeking employment at CMHC in the context of employment at CMHC utilizing myHR. MyHR is solely used for human resources planning which is detailed in the privacy notice presented to employees and prospects who are seeking employment at CMHC. HR data is disclosed with programs or activities of the Canadian Government in compliance with the primary purpose of human resources planning. Examples of HR data disclosure to the Canadian Government are “Official Languages in Federal Institutions Report” and “Workplace Equity Information Management System Report”.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 1 high priority risk (Compliance Review Procedure). The priority finding required immediate attention and resulted in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for this risk will be completed by the end of the 2020 calendar year.

Granville Island Volunteer Program (Better Impact Software) (June 2020)

Description of program

CMHC collects and uses personal information in the Better Impact Software that was provided on a voluntary basis from the participation in the Granville Island Volunteer Program.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 2 high priority (Breach Management Process and Logical Access) and 2 low priority risks that were all remediated in 2020.

Client Relationship Management (CRM) System (February 2020)

Description of program

CMHC’s Dynamics 365 Client Relationship Management (CRM) system is a central database that provides a single source of client contact information to enable external client-facing teams to work better together by sharing contacts, dashboard and reports. The CRM system centralizes data and standardizes processes across the regions to improve productivity, enable decision-making and improve the client experience. The CRM system is used to store client contact information and records of correspondence that provide CMHC employees with the insights to develop, improve, and retain client relationships and build custom dashboards to analyze data.

Findings

The PIA identified 9 high priority (Compliance Review Procedure, Privacy Training Program, Training and Guidelines, Third Party Disclosure Agreements, User Guide, Records Retention Schedule, Unique Identifiers, Limited Retention, and Disposition) and 14 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks will be completed by the end of the 2021 calendar year.

Data Lake PIA (January 2020)

Description of program

CMHC’s Data Lake is a centralized repository that stores data across all CMHC programs. The Data Lake is CMHC’s single data source, which increases data security, facilitates integration and improves sharing and collaboration between business lines. The largest amount of data in the Data Lake comes from emili, which is CMHC’s online mortgage insurance application system. The scope of this assessment focused on CMHC’s emili, in addition to a total of seven systems that feed into the Data Lake. Namely, we assessed the data inputs into emili, Collibra, Success Factors, CRM, Dynamics 365, ERP and data warehouses.

Findings

The PIA identified 15 high priority (Contact Person, Compliance Review Procedure, Privacy Training Program, Data Owners, Third Party Disclosure Agreements, Privacy Notice, Consistent Use, Original Consent, Secondary Use, Anonymize Data, Access, Identified Purpose, Records Retention Schedule, Limited Retention, User Authentication) and 26 low priority risks, resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks will be completed by the end of the 2021 calendar year.

2019

Technology Transformation Program (December 2019)

Description of program

CMHC collects, uses, and processes personal information about applicants in their application HR data about its employees and prospects who are seeking employment at CMHC in the context of employment at CMHC utilizing myHR.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 4 high priority (Access Management, Training and Guidelines, Third Party Disclosure Agreements, Records Retention Schedule) and 5 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks will be completed by June 2021.

First-Time Homebuyer Incentive (FTHBI) (November 2019)

Description of program

As part of the National Housing Strategy, the First-Time Home Buyer Incentive launched on September 2, 2019, to help middle class families take their first steps towards homeownership by reducing monthly mortgage payments required for first-time homebuyers without increasing the amount they need to save for a down payment. The program offers 5 or 10% of the home’s purchase price to put toward a down payment, which lowers mortgage carrying costs and makes homeownership more affordable.

Findings

The PIA identified 3 high priority (Compliance Review Procedure, Privacy Training Program, and Records Retention Schedule) and 9 low priority risks for both the FTHBI and Shared Equity Mortgage Providers fund (SEMP) programs resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed in 2020.

Shared Equity Mortgage Providers Fund (SEMP) (November 2019)

Description of program

As part of the National Housing Strategy, the Shared Equity Mortgage Providers (SEMP) Fund helps eligible Canadians achieve affordable home ownership. This $100-million lending fund supports existing shared equity mortgage providers and attracts new providers of shared equity mortgages by encouraging additional housing supply. The Shared Equity Mortgage Providers Fund is a 5-year program that launched on July 31, 2019. It aims to assist in the completion of 1,500 new units and help at least 1,500 homebuyers buy their first home. The program offers eligible proponents repayable loans from one of two possible funding streams. The first is funding for preconstruction cost loans to commence new housing projects in which shared equity mortgages will be provided to homebuyers via SEMPs and the second is Loans to SEMPs to fund shared equity mortgages that they provide directly to first time homebuyers.

Findings

The PIA identified 3 high priority (Compliance Review Procedure, Privacy Training Program, and Records Retention Schedule) and 9 low priority risks for both the SEMP and FTHBI programs resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed in 2020.

2018

National Housing Strategy (September 2018)

Description of program

CMHC collects, uses, shares, and processes personal information received from Provincial or Territorial Government Partners, as well as from individuals applying for affordable housing projects. The National Housing Strategy was announced on November 22, 2017 as part of a $40 billion plan that will deliver more affordable, accessible, inclusive and sustainable homes. The primary focus is on meeting the needs of vulnerable populations, such as women and children fleeing family violence, seniors, Indigenous peoples, people with disabilities, those dealing with mental health and addiction issues, veterans and young adults.

Findings

This PIA focused on CMHC’s collection and use of various personal information as part of a decision-making process directly affecting individuals.

The PIA identified 3 low priority risks and 1 residual risk that have been fully mitigated. The priority findings resulted in recommendations for remediation of these risks, which were all completed by March 2020.

Lender File Review and Operational Compliance Program (May 2016)

Description of program

Under the National Housing Act (NHA), mortgage loan insurance is mandatory for federally regulated lenders in Canada when the buyer of a home has less than a twenty percent down payment. This insurance protects the mortgage lender against loss if a borrower defaults, and allows qualified borrowers to access homeownership at interest rates comparable to those offered to buyers with larger down payments. When applying for loan insurance, Lenders are required to share borrower information with CMHC, which is initially submitted to CMHC for loan underwriting and risking purposes. CMHC’s Lender File Review and Operational Compliance Program is responsible to conduct reviews for assessing the accuracy of insured mortgage loan information in applicants. Although the Program only requires certain elements of personal information in order to assess lender files, other personal information may be included by the lender. The personal information is used by the Program to verify the lender submitted accurate information via emili at the time of loan approval and had sufficient documentation on file to substantiate the data submitted.

Findings

The PIA identified 1 high (Safeguards), 1 moderate and 1 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed.

2016

Outsourcing of the Human Resources, Payroll Administration Function (February 2016)

Description of program

CMHC collects, uses, and shares personal information from employees required as a condition of employment to administer the various human resources-related functions such as payroll administration, compensation and benefits in the context of employment at CMHC. In 2013/14, CMHC’s Management Committee (MC) proposed the full outsourcing of the payroll administration function to an outside supplier — Ceridian Canada Ltd. (Ceridian, or the Contractor). Through the outsourcing of the payroll administration functions to the Contractor, CMHC will be required to provide employee personal information to the Contractor in order for the Contractor to provide payroll services to CMHC.

Findings

The PIAs identified 1 medium priority and 3 low priority risks resulting in recommendations for remediation. The mitigation strategies for these risks were completed in 2016.

Outsourcing of the Human Resources, Employee Benefit Administration Function (February 2016)

Description of program

CMHC collects, uses, and shares personal information from employees required as a condition of employment to administer the various human resources-related functions such as employee benefits administration, compensation and benefits, among others. CMHC’s Management Committee (MC) proposed the full outsourcing of the employee benefits administration function to an outside supplier — Great West Life Assurance Company (GWL, or the Contractor). To meet the needs of CMHC’s employee benefits administration, GWL has proposed the implementation of their proprietary Software as a Service (SaaS) product, GroupNet Flex. GroupNet Flex is a fully secure Internet-based tool that will allow CMHC to manage its administrative and enrollment needs, and will let CMHC plan members and administrators manage benefit options online, in a user-friendly environment.

Through the outsourcing of the employee benefits administration function to the GWL, CMHC will be required to provide employee personal information to the Contractor in order for the Contractor to provide services to CMHC.

Findings

The PIAs identified 1 medium priority and 3 low priority risks resulting in recommendations for remediation. The mitigation strategies for these risks were completed in 2016.

Outsourcing of the Human Resources, Pension Administration Function (February 2016)

Description of program

CMHC collects, uses, and shares personal information from employees required as a condition of employment to administer the various human resources-related functions such as pension benefits administration, compensation and benefits, among others. The CMHC Pension Plan provides its members and beneficiaries with pension benefits in accordance with the provisions of the CMHC Pension Plan Rules. In 2013/14, the government provided CMHC (and other Crown Corporations) with specific orders to reform their pension plans to be more inline with their federal government equivalents by 2017. In consideration of the Order-In-Council and the necessary costs to update CMHC’s current system and make it compliant with today’s regulatory and transactional practices, the CMHC proposed the full outsourcing of the pension administration function to an outside supplier — AON Hewitt (or the Contractor).

Findings

The PIAs identified 1 medium priority and 3 low priority risks resulting in recommendations for remediation. The mitigation strategies for these risks were completed in 2016.

Housing Internship Initiative for First Nations & Inuit Youth (HIIFNIY) (February 2016)

Description of program

CMHC’s Housing Internship Initiative for First Nations & Inuit Youth is a youth employment initiative that provides financial assistance to help First Nations and Inuit businesses and organizations create housing-related internships for youth. CMHC provides a wage subsidy to First Nations Band Councils, Tribal Councils, Inuit community or business organizations that sponsor eligible First Nations and Inuit Youth. HIIFNIY forms part of the federal government’s Youth Employment Strategy (YES), which has three streams. HIIFNIY is part of the “Skills Link” stream intended to target unemployed youth at risk.

Findings

The PIA identified 6 low priority risks resulting in recommendations for remediation summarized in a Management Action Plan (MAP). The mitigation strategies for these risks were completed.

Was this page relevant to your needs?

Thank you for your feedback!

How Can We Help?

Suggest an Improvement

Report a Bug

How Can We Help?

Suggest an Improvement

Please share your suggestion.

Google Captcha Loader

How Can We Help?

Report a Bug

Please describe the problem.

Google Captcha Loader

Thank you. Your feedback has been submitted.

Date Published: December 22, 2023

By Topic

  • Professionals
    • Project funding and mortgage financing
    • Housing markets data and research
    • Industry innovation and leadership
    • Events and speakers
  • Consumers
    • Home buying
    • Owning a home
    • Renting a home

About Us

  • CMHC's Story
  • Management and Governance
  • Our Partners
  • Corporate Reporting
  • Contact Us
  • Careers

More

  • CMHC Newsletters
  • CMHC Library
  • Housing Observer
  • Media Newsroom
  • CMHC and Accessible Housing
  • CMHC on Twitter
  • CMHC on LinkedIn
  • CMHC on Facebook
  • CMHC on Instagram
  • CMHC on YouTube
Privacy Policy    |    Terms and Conditions    |    Transparency    |    Accessibility Plan    |    Accessibility Feedback     Canada Mortgage and Housing Corporation (CMHC) ©2025 
Canada
loader icon