Privacy Impact Assessment (PIA) MyGreenCar Smartphone Application

Section 1 – Overview and PIA Initiation:

1. Name of program or activity:
   MyGreenCar Smartphone Application
2. Institution responsible for delivering the program or activity:
   National Resources Canada
3. Government official responsible for the privacy impact assessment:
   Senior Program Officer for Fuel Diversification Division
4. Head of institution/delegate:
   Minister Natural Resources Canada/ATIP Secretariat
5. Description of program or activity:
The Office of Energy Efficiency’s Transportation and Alternative Fuels (TAF) Division includes the Personal Vehicles Program and is described in Sub-Program 2.1.3: Alternative Transportation Fuels in the NRCan’s Strategic Outcomes and Program Alignment Architecture. The Personal Vehicles Program includes the provision of fuel consumption information to inform Canadian car buyers. This information enables Canadians to make fuel-efficient buying choices.
6. Description of the class of record associated with the program or activity:
   Info Source: Sources of Federal Government and Employee Information Core Responsibility 2: Innovative Solutions and Sustainable Natural Resources Development 
7. Personal information bank: Class of Record Number: NRCan ES 323
8. Legal authority for the program or activity:
   Department of Natural Resources Canada Act, S.C. 1994, c.41, https://laws-lois.justice.gc.ca/PDF/N-20.8.pdf 

Summary of the project/initiative/change:
The Personal Vehicles Program, Transportation and Alternative Fuels Division at NRCan is working with Green Light Labs, Inc. who is developing the MyGreenCar smartphone application.  NRCan is looking to acquire anonymized (aggregate) data of Canadian users to assist in the overall program goals of the Department’s Sustainability and Clean Energy. This PIA focused on the management and control of information and the design and implementation of the MyGreenCar smartphone application. The PIA examined the deployment of the software and operational processes and considered identity management and authentication, application development, security configuration and the security mechanisms of the software.

The scope of the PIA includes the following:

• MyGreenCar smartphone application for Android and Apple iOS
• Access Administration
• Data management

Section 2 - PIA Risk Area Identification and Categorization

The following section summarizes risks that were identified in the PIA from lowest to highest. A risk assessment was provided for the MyGreenCar Smartphone Application PIA.

Type of program or activity - In line with Canada’s objectives to address climate change, the Lower Carbon Transportation program’s objective is to increase energy efficiency in the transportation sector and to transition transportation to lower carbon options.

Type of personal information involved and context –
The user is prompted to register in the application and provide some biographical information:

The user is prompted to provide additional information:

Duration of the program or activity - Long-term program

Program or activity partners and private sector involvement - Private sector organization.

Personal information transmission - The personal information is transmitted using wireless technologies.

Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.
Potential risk that in the event of a privacy breach, there will be an impact on the institution. Note: For additional guidance, government institutions can refer to the Guidelines for Privacy Breaches.

Conclusion

The purpose of this PIA report was to provide an assessment of any potential for the compromise of sensitive personal information. A methodical appraisal of the security posture of the MyGreenCar smartphone application formed the basis of the privacy impact assessment. The conclusion was that there are risks to privacy inherent in the application itself. There are a number of improvements needed in order to enhance the security of personal information.