Summary of the Privacy Impact Assessment for the Possession and Export of Elver Licence
Title
Possession and Export of Elver Licence Information
Description
The Fisheries and Oceans Canada (DFO) Fisheries Management program is responsible for managing the commercial elver fishery. This activity is administered as part of the program’s management of Canada’s fisheries in consultation with Indigenous groups, federal departments, other levels of government, private industry and non-governmental stakeholders. The program promotes sustainability, allocating harvestable resources amongst Indigenous rights holders, commercial harvesters and recreational anglers. It derives authority from the Fisheries Act, Species at Risk Act and related regulations including the new Possession and Export of Elvers Regulations (PEER) which came into effect on March 1, 2025.
The PEER expands DFO oversight of the post-harvest elver supply chain by requiring new licences to possess and/or export domestic- or foreign-caught elvers. These regulations facilitate traceability of elver along the supply chain through new reporting requirements under the conditions of the possession and export licences, verifications and inspections. The intended outcome is to make it harder to possess, sell and export unlawfully harvested elver and, ultimately, to disincentivize unlawful harvesting.
Why a privacy impact assessment was completed
As per the Treasury Board Secretariat (TBS) Directive on Privacy Practices, a Privacy Impact Assessment (PIA) was conducted to evaluate privacy impacts associated with this new program activity related to the possession and export of elver licences under the new PEER, which involves the collection and handling of personal information for administrative purposes. Additionally, the PIA is necessary to register a new departmental Personal Information Bank (PIB) for the program activities. The PIA ensures that all appropriate measures are in place to protect the personal information collected and processed as part of this program activity, while also identifying, mitigating, and eliminating, when possible, any potential privacy risks for the individuals concerned.
Additional information
The PIA has identified 6 potential privacy risks and provided mitigation measures. Some of these measures have already been implemented, while others are scheduled for future implementation.
Risk 1
Improper or unauthorized internal access to, use, and disclosure of personal information by employees resulting in privacy breaches.
Mitigation
Completing annual audits of systems and repositories used for handling and managing personal information (completed).
Risk 2
Operating with improper or invalid consent, including minors or individuals not authorized to act on behalf of the minor providing consent.
Mitigation
Establishing a process to validate that individuals providing consent are authorized to do so (completed).
Risk 3
Using information that has not been adequately de-identified.
Mitigation
Adopting privacy-preserving techniques to eliminate any risk of re-identification of underlying personal information when using aggregated or disaggregate information (pending).
Risk 4
Retaining personal information beyond its retention and disposition period.
Mitigation
Ensuring an accurate and up-to-date Records Disposition Authority (RDA) is in place and adopting controls and/or procedure to track and identify personal information for disposal at the end of its retention period (pending).
Risk 5
Risk of non-compliance with Section 10(1) of the Privacy Act to include in a personal information bank personal information under the control of the institution.
Mitigation
Complete and register a personal information bank for the program activities being assessed in the PIA (completed).
Risk 6
Risk of non-compliance with Section 6(2) of the Privacy Act for ensuring that personal information collected for administrative purposes is accurate, complete and up to date.
Mitigation
Establish a procedure to ensure personal information that is collected for administrative purposes is accurate, complete and up to date (pending).
Related personal information banks
- National Fisheries Intelligence Service - DFO PPU 140
- Commercial Fishing Registration Cards, Certificates, Permits and Licence Information - DFO PPU 410
- Possession and Export of Elver Licence Information - DFO PPU 411
- Violations under Canadian Fisheries and Fish Habitat Legislation - DFO PPU 460
For more information about this privacy impact assessment
Access to Information and Privacy Secretariat
613-993-3115
DFO.ATIPPolicyandPrivacy-PolitiquesAIPRPetViePrivee.MPO@dfo-mpo.gc.caPage details
- Date modified: