Section 6: Threat and Risk Assessment

The purpose of this section is to assess potential threats and risks that could compromise privacy. It outlines existing Statistics Canada safeguards, the probability of occurrence of the threat, and the severity of the impact as it relates to the privacy and protection of personal information.

Statistics Canada currently employs numerous safeguards to reduce threat probabilities; these safeguards are described in agency policies, practices, tools and/or techniques.

Ratings for threat probability, impact and residual risk are defined and presented as follows:

Threat: An undesirable event with the potential to compromise privacy or breach data confidentiality.

Threat probability: The likelihood that the threat will occur, given the existing Statistics Canada safeguards. The threat probability is rated numerically.

  • Level 1: The threat can only come about through the use of very specialized knowledge and/or costly specialized facilities and/or a sustained effort. The threat is unlikely to occur.
  • Level 2: The threat requires some specialized knowledge and/or facilities and/or a special endeavor to create or take advantage of the threat opportunity. The threat is somewhat likely to occur.
  • Level 3: The threat opportunity is widely available and can occur either intentionally or accidentally with little or no specialized knowledge and/or facilities. The threat is very likely to occur.

Impact: The effect on the privacy of an individual in the event that a threat is realized and his or her information is compromised. The level or degree of impact is expressed in terms of outcome severity as it relates to individual privacy.

  • Level 1: Minor injury with no or minimal harm or embarrassment to the individual.
  • Level 2: Moderate injury causing some harm or embarrassment to the individual, but with no direct negative effects.
  • Level 3: Severe injury such as lasting harm or embarrassment that will have direct negative effects on an individual's career, reputation, financial position, safety, health or well-being.

Residual risk: A numeric rating is arrived at through an assessment and comparison of the threat probability and the impact to individual privacy.

Threat and Risk Assessment Grid: Statistics Canada Statistical Programs

  • TRA Grid A. Statistical Operations in Statistics Canada Head Office and its Regional Offices
  • TRA Grid B. Mail-out / Mail-back collection (MOMB)
  • TRA Grid C. Paper and Pencil Interview (PAPI)
  • TRA Grid D. Computer-Assisted Personal Interviewing (CAPI)
  • TRA Grid E. Computer-Assisted Telephone Interviewing – Decentralized
  • TRA Grid F. Computer-Assisted Telephone Interviewing- Centralized
  • TRA Grid G. E-Questionnaire Service
  • TRA Grid H. Collection Management Portal (CMP)
  • TRA Grid I. Contracting for services where personal information is transmitted, stored or accessed at the contractor's place of business
  • TRA Grid J. Collection of Information through the use of Monitoring Devices
  • TRA Grid K. Obtain records for a specific business (eg., financial statements) from that business in addition to or in place of information provided on a questionnaire
  • TRA Grid L. Use of the E-file transfer service by a business to transmit its information in addition to or in place of information provided on a questionnaire
  • TRA Grid M. Threats and Risks Applicable to all Modes of Direct Data Collection
  • TRA Grid N. E-File Transfer service
  • TRA Grid O. Transmission of Administrative Records to Statistics Canada (when E-File Transfer Service is not used)
  • TRA Grid P. Data Collection from Children
  • TRA Grid Q. Longitudinal Survey Data Collection
  • TRA Grid R. Collection and Analysis of Human Biometrics and Biological Specimens
  • TRA Grid S. Collection of Individual Information Directly from a Public Web Site
  • TRA Grid T. Record Linkage and Data Integration
  • TRA Grid U. Statistics Canada Research Data Centres (RDCs)
  • TRA Grid V. Statistics Canada Canadian Centre for Data Development and Economic Research (CDER)
  • TRA Grid W. Real Time Remote Access (RTRA)
  • TRA Grid X. Production and Dissemination of Public-Use Microdata Files (PUMFs)
  • TRA Grid Y. Production and Dissemination of Pre-release Microdata Files, Microdata Share Files, Work-in-progress datasets and Microdata Discretionary Disclosure Files (using E-File Transfer Service)
  • TRA Grid Z. Statistics Canada Official Release Process (excluding Pre-release) and Dissemination of Statistical Information
  • TRA Grid AA. Personal Information Collected from Clients of Statistical Information

Note: Individual Threat and Risk Assessment grids for Statistics Canada's statistical programs may be provided upon request by the Departmental Privacy Officer.

Date modified: