o,.~~,,.

,:~:~,
wow`,:u:.~.~b~.~~,

PROTECTED ~`A"

• Remotely Piloted Aircraft Sy~t s

• (RPAS) Program
• PRIVACY IMPACT AS S ~;SSMENT
•
• RF.I'ORT
•
•
s
•
•
•
•
•
•
•
•
•
Cc`~.~1~(~.a
000005

•
 SYS'i'F1~1S
REMOTELY PILOTED AIRCR.AI:'I' {RPAS'1 PROGRAM Pratet~ted "A"
PRIVACY IMPACT ASSESSMEN"r RF.I'ORT'

Table of Contents
Section I —Program Overview 4
About this Report 4
Section II -Risk Area Identifcation and Categorisation 6
1. Program/Activity Type 6
2. Data Type 6
3. Program/Activity Partners 7
4. Program Duration 7
5. Program Population 8
6. Technology and Privacy 8
7. Personal Information Transmission 9
$. Impact on Individuals in the Event of a Breach 9
9. Institutional Impact in the Event of a Breach 9
Section III -Personal Information Elements Id
Section IV - Flow of Personal Information for the Program or Activity 10
Section V -Privacy Compliance Analysis 14
l . Collection of Personal Information 14
2. Consent I7
3. Retention 1$
4. Accuracy of Personal Information 19
5. Use of Personal Information 20
6. Disci©sure of Personal Information 21
7. individual's Right of Access and Correction 21
8. Safeguarding Personal Information 23
9. Transparency 2~
Section VI — Statement ofRisks and Recommendations 26
Section VII -References 27
Stakeholders 27
Supplementary f ocuments 27
Legislation and Policy 27
Abbreviations 28
Section VIII -Formal Approval 29
Program Approval 29
ATIP Approval 29
Departmental Approval 29
Appendix "A" 30
Appendix "B" 33

i
•
•
•
•
•
•
00000s
•
•
 e xu:.,,b~~
ow~a~.,M.M
~•~~,:~..

• REMOTELYPILOTED AIRCRAFT SYSTE'~tS {RPAS}PROGRAM Protected '`A"

i PRIVACY IMPAC`CASSESS1vIE'vT REPC)RT

• Document Change Control Table

Remotely Piloted AircraftSystems (RPAS) Program
Pm~acy Impact AssessmentReport
Version Issue Date Author Description of Amendments
0.1 03 Aug 2017 Daniel Campbell Initial Draf3
0.2 25 Aug 2017 Daniel Campbell Sgt. Derksen review included
0.3 04 Dec 2017 Victoria Baldwin ATI.Preview
0,4 1 S Dec 2017 Daniel Campbell Additions based on ATIP review

i
r
•
•
•
•
r
•
•
REMOTELY PI(..UTID AIRCRAFT SYSTEMS {RPAS) PR(KR.AM Protected "A"
PRIVACY I:4iPACT ASSESSME?~T REPORT

Section I —Program Overview

About this Report
Please include thefolln»=irrgelements:

u) What you ore dying

• Describe the initiative, policy or program being developed and its purpose.
• Ident~ whether them is a cnnraectinnto public pressing or substantial gaol.

The Remotely Piloted Aircraft System (RPAS) Program is intended to capture an aerial account to support
RCMP operations. An RPAS is apower-driven aircraft with components, such as a camera, thatis operated
without a flight crew member on board. RPAS are also commonly referred to as drones, Small Unmanned
Aircraft (SUA), Unmanned Aerial Vehicle{UAV}, and Unmanned Aerial System (UAS). The RCMP's
preferred terminology is RPAS.

RPAS are used primarily for: crime scene examination; forensic collision reconstruction; search andrescue;
international boarder investigations and monitoring critical incidents such as emergency response teams.
The program is also used to research and test Remotely Piloted Aircraft (RPA) countermeasures, including
RPA that can safely and securely contain other RPA that are interfering with public safety operations.

Under Contract and lrrdigenous Policing {CIP), National Trafc Services is the policy centre responsible
far the implementation and monitoring of the RPAS Program, including the creation of procedures,
policies, and training.

bj Whyynu are doing it

• Describe the irre~ciencies of the current method of operation
• Be very specifc ran why this is beingrrndertczken andensure that you pr©videhistory to the
issue that supports the development of fre program,initiative or policy.
• Discuss the e,(~cienciesand beneft to the RCMP of the program, initiative or policy.

Technological advances have made RPAS a viable option to assist in RCMP operations. The RPAS make
aerial support more accessible to RCMP members, helping the RCMP achieve its vision of providing the
highest quality service through dynamic leadership, education and technology with the diverse
communities served by the RCMP. Furthermore, RPAS are a cost et~'ectiveand viable alternative to a
full-scale helicopter or fxed wing aircraft as an inv=estigative aid.
The RPAS program started in Saskatchewan in January 2010 with one RPAS used for collision
reconstruction. RPAS have since advanced RCMP operations along with researching RPA
countermeasures. The RCMP does not use RPAS to perform widespread surveillance under normal
circumstances. RPAS are used for surveillance purposes only with prior judicial authorization, or where
urgent or exigent circumstances make it impractical to frst obtain a search warrant. The RCMP currently
operates several diferent systems that carry both still and video cameras, infrared cameras or thermal i
imagery. Additional payloads such as magnetometers, hyperspectral imaging, and LASER/LIDAR
technology are also being examined. These advances contribute to the success of the RCMP's mission of
preserving the peace, upholding the law and providing quality service in partnership with our communities.

c% Who is doingit

4
00000s
 REMOTELY PIt.C)TED AIRCRAFT SYS7'E~4S {RPAS) PRQGRAs'vl I'ratectcct":~i"
PR.IVAC'Y I'YIPACT
ASSESS{~tE'VT REPORT

are the government institutions involved? In the case ~f ~ multi-instr'tutionalPIA,

~► 61r~ro
which institution will be leading the PIA?
The RCMP is the only government institutioninvolved in the delivery of the RPAS Program.
dj Haw you are doing it
• Describe what you are doing to enable implementation. If it is the development or
modifcation of an I7'system provide detailed lnfarmatioraalxrut the application itse~and
hvw it will wnrk
• T~ltatis ynur legal authority to operate your progmm?
• Ident~ whether the program is related to a new Personal Information Bank(PIBj ar will
substantially madaman existing PIB. Existing I'IBs are to he identifed by their title,
registrar:'onand hank numh~r.
To enable implementation, the RCMP has procured RPA from six diferent manufacturersand hasover two
hundred RPAS deployed throughout Canada. The RPASemployed by the RCMP are not connectedto any
cloud computing or local networks. The RPAS allow operators to collect images and videos which are
saved to a removable digital media storage device.The removable digital media storage device, when
removed from the RPA, can be accessed using existing IT infrastructure ofthe RCMP.
The RCMP Act section 18 is the legal authority to operate theRPAS Program. The authority to collect and
use personal information is based on the RCMP's statutoryand common law duties to preserve the peace,
prevent crime, and protect lives and property.
The RPAS Program is related to the PIB RCMP PPU 005 - tlperational Case Records, TBS registration
000997. No modifcations are requiredto the existing PIB.
ej Implementation
• The implementationdate cifthe initiative, parleyar program
The RPAS Program began in 2010, however, there has been no PIA completed to date.

•
i
i 000009

•
 •
REMOTELY PILOTED AIRCRAFT
SYSTEMS tRPAS} PROC;RA'43 Protected
"A"
I'RIYACY 1111PACT
ASSESSMFN"i REPORT

Section II -Risk Area Identifcation and Categorization

The core PIA must include a cornpleted risk identifcation and categorization section as outlined below. To
have consisic~nt risk categvriesand risk measra•c:mentacross gcri•er»rnentinstitutions, standardized risk
areas (ite:mr~edhelawj and a cvmmon risk scale are to hc~mnintcrined asthe husr`sfar risk ar:alvsis.
.Thenumhc3red riskscale is presented in an asceudirrg arder: t7re~r:<tlevel (1J repres~nts the Intit~est level of
potential risk fvr the risk area; the fourth Level (4)represents the highest level o{potential riskfor the gi ven
risk urea.

The initial step of'the analysis cvnsists of evaluating each risk area independently. The second step consists
of grr~rr~~ing theindit~i~'~=;r?
results to determine if u mare in depth arrcrlysia° is required. Tire greater the
nunrher c~risk areas ids=,t;'~~:das level 3 or 4, the mere likely it is that specifc risk. areas will need to he
addrLssed in a mvre cunl;r:~hensive manner. Riskidentifcation and categorisation provides a common risk
scale shat is used rls the basis f©r risk analysis.

1. Program/Activity Type
Assign a risk level using the following table: {check one box only)

:Description Risk Level Rating

Program or acti~7ty that does NOT involve a decision ~
1
about an identifable individual

Administration ofprogram or activity and services 2 ■

Compliance or regulatoryinvestigationsand enforcement 3

Criminal investigationand enforcementor national ~ ~

security i
~. Data Type
Assign a risk level using thefollowing table: (check vne Brixonly)

Description Risk Level Rating

Only personalinformation, with no contextual
sensitivities, collected directly from the individual or ~
1
provided withthe consent of the individualfor disclosure
under an authorizedprogram
Personal information, with no contextual sensitivities
after the time of collection,pro~7ded by the individual
Z
with consent toalso use personalinformation held by
another source
Social insurance number, medical, fnancial, or other v
sensitive personal information or the context surrounding
the personal information is sensitive; personal
of minors or of legally incompetent individuals or _

000070
i
REMOTELY PILOTED AIRCRAt~T SYSTEMS(RPAS}PROGRAM t'r~tecied"A"
PRIVACY tMPr'1CT ASSESSMENTREPORT

involving a representativeacting on behalf of the 3 _~

individual
Sensitive personal information, including detailed
profiles, allegations or suspicions and bodily samples, or ■
4
the context surroundingthe personal information is
particularly sensitive

3. ProgramlActivityPartners
fvllowing table: (checkone box only)
Assign arisk level using the

Description Risk Level Rating

Within theinstitution (among one or more prob,ams l •
O
within the same institution
With other government institutions 2

With otherinstitutions or a combination federal,

of ~t
3
i provincial or territorial,
and municipal governments
Private sector organizations, international organizations ~
or foreigngovernments

i
4. Program Duration
Assigna rrsklevel using thefollowing table: r'check one
box only)

Description Risk Level Rating

One-time program or
activity l ■

Short-termprogram or activity 2 ■

Long-termprogramor activity 3

7
000011
T ~'!

REMOTELY P[t..C)T'ED AIRCRAFT

SYSTEMS (RPASj PROGRAM Ptt~rectt*d "A''
PRIVACY 1NI-
PACT ASSESSMENT'REPORT

5. Program Population
assign a risk level using the follox•ing table: (check one lrox only)

Description Risk Level Rating

The program's use of personal information for internal 1
administrative purposes afects certain employees 0

The program's use of personal information for internal 2 ~

administrative purposes afects all employees
The program's use of personal information for external
administrative purposes afects certain. individuals 3
~
s
The program's use of personal information for external
administrative purposes afects all individuals ~ `'

b. Technology and Privacy

Select yes or no from the drop-doxms:
i
Does the new or substantially modified program or activity involve implementation of a
new electronic system or the use of a new application or software, including collaborative
software {or groupware}, to support the program or activity in terms of the creation, Yes
collection ar handling of personal information?

Does the new or substantially modified program or activity require any modifications to
information technology ~1T}legacy systems`? No

Does the new or substantially modified program or activity involve implementation of

new technologies or one or more of the following activities:
• Enhanced identification methods;
• Surveillance; ar Yes

• Automated personal information analysis, personal information matching and

knowledge discovery techniques
*AYES response indicates the potential for privacy concerns and risks, which will require
consideration and, if neeessar}~,mitigation

000012
i
• REMOTEt.,Y Pf.ATL-D
AIRCRAFT SYSTEMS PROGRAM
CRPAS) Prc~teeted "A"
PR.fVACY
I>tiiPACT
ASSESSME~'T REPORT

7. Personal Information Transmission

Assign a risk leuel using the,~ollowingtable.• (check one box only)
i
Description Risk Level Rating
The personal information is used withina closed system
(i.e., no connectionsto the intemet, lntranet or any other 1 ~
system and the circulation of hard copydocuments is
controlled)
The personal information is used. in a system that has ~
2
connections to at least one other system
The personal informationis transferred to a portable
device (i.e., USB key, diskette, laptop computer), 3 .+
transferred to a diferent medium or is printed
The personal information istransmitted. using wireless e
4
technologies

$, Impact on Individuals in the Event of a Breach

1escribe the potential risk(s), in theevent of a breach, and what the impact will be on individuals or
employees,

A privacy bretzchinvolvesimproper or unauthorized collection,use disclvs:rre, retention and/ar disposal

of per.4•analinfanrurzir~rt. ~i-i~~crc:y~
hreuches cttn 1?e preve~nzc>d 11r~tigf the
npplicntinn ~~f tht' Governrntnt
Seeurit}~Police (GSP), the e©nrluc•t ofPrivacy Imp~tet ~lssess~nc~ntr and Threat antl Risk .~ssc>ss»lent
{TRA),
and through the provision of training to ensure awareness of the Code of Fair Injormation Practices.

Limiting collection an what is neeersary to operate the program, l,~iving access onu "need to know "basis
a»d the t{se cifencryptiun is~hen
transmitting sensitive personal rrrfi~rm.rti~»> ihrntrgli
email, across the
Internet ar through wireless devices are measures that can minimize the potential forbreach.

There is a risk that the privacy of the individuals) in the recordings could be compromised should the
information be lost or mishandled. The RPAS Program intends to collect onlythe information required to
meet operationalobjectives, however,the data is collected in realtime so individuals in the recordings may
disclose additional,unnecessary information.

9. Institutional Impact in the Event of a Breach

Describe the potential risk to the institution in the event of a breach.

The risks to the RCMP in the event of a breach include liability, loss of credibility in the handling of
personal information, compromising of criminal investigations, and financial loss to the organization
should any individuals) decide to pursue legalaction as a result of the privacy breach.

000013
 i
RElv10TEl.Y PRATED AIRCRAFT
SYSTEMS(R.1'AS}
PROGRA'4'1 Praterted"A"
PRIVACY IMPACTASSESSMENT REPORT •

Section III -Personal Information Elements ~

This section is used to identify the personal information being collected:

a) Iden[~ each element of personal irfvrrnatian collected as defined in Section 3 of~the Privacy Act (fvr
example: 1) first name I middle initial /last Hume, 2)street name f street number /city /province Ipostal
code).

Given that images and videos will be recorded in real time, the following personal information maybe
collected by RPAS:

(1) information relating to the race, colour, re ligion, or age of the indi~~idual,

(2) any identifying number, symbol or other particular assigned to the individual, •

(3) the address of the individual, •

b) Identify how the personal information will be collected and recorded: on paper, electronically, audio
recordings, visual image recordings, human bialvgical samples or other (specify}.

Persona( information will be collected and recorded as digital images and videos.

In the case of'a multi-institutional PIA, each government institution involved is, at a minimum, responsible
far identifying the elements of personal irrfi~rmutioncollected or disclosed in relation tv their involvement
in the.' multi-institutional program ar activity.

NIA

Section IV -Flow of Personal Information for the Program or

Activity
This section is used to create date fow diagrams for the infvrmation•from the cvllectivn stage to the •
disposnl stage anti takes rata account disclosure to internal and c~z•ternulstakeholders. Ensure that the
daterfo~> clic~,1•~rn~s include collection and disclosure from both internal and external data sources and/or
to internul:'c•~r.er~rrczl trukeholders.
a) Ids n: i~•• tfiesource{s) vJ'the personal information collected and ! ar how the persvnal information
will be cr~uterl.
b) Iderrt fi- both internal and external sources for the personal information's use and disclosure, that
is, identify the areas, groups and inrliti~idtrals ivho ltuve rrcc~ss to or handle the person¢1
informaationand to whom it is provided yr disclosed. Where relevant, include the following
infvrmatian:
• Government r'nstitutir~nresponsible fvr the program or activity {provide FIB title and
number);
* Other government institution respvnsible for the prvgram or• activity {provide PIB title
and nrrmher); ar
• lV'vn fc>cic~ral government institution (e.g., prvvincia! or territorial, municipal, ar
Abori,~irrcrl governments ar councils, organization of a foreign state, international
orgunizcrtion) or pri~~ate sector,
c) Identify »;hero the persvnal information will be transmitted and wilt be stored or retained

IU
000014
 b~:"~
ory~~.„:~:~:u::~^Mt~.~~.
i
REMUTP.LY PIt..OTEi7
AIRCRAFT SYSTEMS
(RPAS) I'RtX;RAh~I Proircted "A"
I'RIVAC'Y IMPACT REPpRT
ASSESSMENT

d) Ident~ where urE~as,groups and individuals can accessthe personal information

The pilot of the RPAS will determine whether it is appmpriate to conduct an operation. fight,
with consideration given to the manufacturer's operations specifications. The nature of the cal!
will dictate whether or not a RPA is required and. the pilot will be consulted prior to their arrival.
For example, for a missing person call, depending on theterrain, length of time the person has
been missing time of day and weather willall have an impact if the unitis launched. If the pilot
moves forward with the fight, the pilot will focus only on the RPA operation, while payload
(camera) control will. be delegated, when required, to the payload operator. The RPAS will
capture an image or begin recording a video to a digital (SD} card —theremovable storage media
device —upon the payload operator'scommand. Images and videos are capturedon both still and
~~deocameras, infrared cameras and through thermal imagery.Any time the payload operator
captures an image or records a video, it is automatically saved to the SD card.

After re moving the SD card from the RPA post -fight, the payload operator manually transfers
the information to a standalone workstation. in a detachment. The standalone workstation is
password-protected, and located in a secured building within the detachment that requires a
smartcard to access. Once the data has been transferred to the standalone workstation, all files are
either related to an occurrence in the Operational RecordsManagement System (U/RMS} of
Police Reporting and Occurrence System(PROS) and provided to the assignedinvestigator on a
removable storage media device,or deemed to be transitory in nature. The contents of the SD
card will be placed on a removable storage device, then given to the investigator if ail images and
~rideos are related to one occurrence, however, if there are images and videos associated to more
than one occurrence, the Member will provide separate storage media devices for each file.
Transitory recordsare stored in a locked cabinet and retainedfor a period of 30 days if they do
not contain personal information, ora period of 2 years if they do contain personal information.

Investigators associate the evidentiary videosto a PROS occurrence although the videos and
images are kept as external files which are not uploaded to the OlRMS PROS.When charges are
laid, the files are copied and forwardedas part of the disclosure package.All storage media
devices are secured in a lockablecabinet or evidence locker, then retained and purged as per their
corresponding file retention period.

The RCMP is responsible for thepersonal information collected through theRPAS program. The
personal information is associated with PIBRCMP PPU 005 —OperationalCase Records. This
information is compiled in the administration or enforcement of the law and in the detection,
prevention, or suppression of crime generally. Information in this PIB is collected in accordance
with section 18 of the RCMP Actand section 17 of the RCMP Regulations.

As per the Privacy Act, the indi~ldual can submit a request through.the RCMP ATIP Branch to
access, assess and discuss, or dispute the accuracy of the record. Section 12 ofthe Prii~uc~lAct
provides a mechanism for individuals to have the right to access their collected personal
information and to request changes if they feel there are inaccuracies; however, given that the
information is in video format and cannot be modified, a notice will be placed on the file
indicating that a request was made and the reason the change cannot be made.

I1
000015
REMOTELY PlLO'1'EI)AIRCRAFT SYST(=MS{RPAS) PRtXiRAM Proteciect"A"
PRIVACY IMPACT ASSESSMENT' REPAR"t'

Architecture Diagram - ivlanual Transfer of recorded events

r:~~~ Statxta~cu~c~
~°kiep
Repos+,~ Servlt
i
•
Local Detachrn+ertt

1) Video or image data is recorded to removable storage media located on Remotely Piloted Aircraft
s
System (RPAS}.
2) Member removes storage media from RPAS and transports storage media in accordance with
defined procedures and policies.
3) Member inputs video and image data on standalone video repository server.
4) Member accesses data from standalone video repository server for data post-processing. r
S) Member saves data to a separate storage media device for each associated occurrence.
fi) An Enterprise solution is being explored by the RCMP for all ~7deo obtained. i

t2
000076 •
•
 RI:M07'EI.Y I'II.OTED AIR{'RAFT SYSrt'E141S
(RpA51 PRQGRAM f'rotf~:tcd "A'"
hR11'ACY IMAACTASSESSME'VTREPURT

Remotely Piloted Aircraft System Process A4ap

Gemara records an
age or vide€t upon
rotor's e:nmmand

Recc>rd'ed events '

~rwnbacled to e~Qr
fle

Transitory video

~
1RMS occurrence
eoted and reeord=~ N. ~of per 's~o
,i. nal
ersonal lniormatioa
nt aSS[M:iat@d a5 it1I~LFcg~ir)n

extt:rna}fie

Charges laid Retain 3© days tatn unlit if no tgl~f

ol4s 6vslmsz voice ,

Recorded events eGurding copied 3= External storage dev ternai

r~tasned and purged a: rwarded as part tr# secured in ioekabie.:~ sacuretf in tt)I~atTl xternat storagedearace'
pRr fi~teretention perir~, disatosure package ; ;cabinet or evidence 9r~abinei or evidene red irrkxkabie ca6t
locker locker

Eicfernal steerage devt .g

gsecured in lockable ~ Recorded events
• r~tained and purged
~ea6inef arevtdence ~
locker per fle retention peri
•

i'_xternai st~prage '

• device secured in
,lockable cabinet or
~~ evkiencelc»:ker
•

i3 0000i~
REAdOTf:LY
PILOTED AIRCRAFT SYSTEMS
(RPAS) PROGRAM i'roterted':A"
PRivACYIMPACT ASSESSMENT REPORT

Section. V -Privacy Compliance Analysis

At a minimum, the privacycompliance analysismustcover thefollowing areas and identify specific
conrpliunc•cr
actions token or to he taken to meetx3ith each area'srequirements. Please protirde detailad
answer to the questions in red.

1. Collection of Personal Inf©rmation

a) Is the personal information collected directlyrelated and ~tecessaryto an operating program nr
activity? if yes, provxdE>details

Where personal information is intentionally collected, it is directly related and necessary to the
RCMP's operations of investigating crime, maintaining peace and order, enforcing laws,
contributing to national security, ensuring the safety of state ofcials, visiting dignitaries and
foreign missions, and providing vital operational support services to other police and law
enforcement agencies within Canada and abroad. RPAS are used for a variety of purposes of which
most are not intended to collect personal information. There are occasions where RPAS will be
used to collect personal information and in those cases it is directly related to an RCMP program or
activity. The use of RPAS will enhance the RCMP's ability to preserve the peace, uphold the law

s
and provide quality service in partnershipwith our communitiesby providing aerial support to
RCMP members that may previously have been unavailable.

There are twoauthorities to collect personalinformation: through thecommon law power of police
ofcers to collect information, and through the legislative
and common law duties, the collection of
personal information is necessarily incidental to meeting these
obligations.

b) Have all options to minimize thera:cline collection of personal information beers considered?

To minimize the routine collection of persotal information,RPAS will only be operated,when

required for operational purposes or inareas where the RCMP has judicialauthorization. to do so.
Furthermore, advanced notice may be provided to the public that the RCMPwill be operating
RPAS in the vicinity. Given that media, police, and bystanders often record orphotograph major

s
incidents, crime scenes, ortraining exercises, there is littleexpectation of privacy inthe instances in
which the RCMP would use RPAS.

c) Is personal infomratic~n Tieing collected directly from the individual? If not, why neat? •
The information captwed in images or video is collected. indirectly from. individuals. There are
three types of information collectedby RPAS: evidentiary, administrative or operational processes,
and transitory. Some informationmaybe collected indirectly, consistent with subsection 5(3) ofthe
Primacy Act. Thenature of police investigations requires confidentiality, secrecy andimpartiality.

Depending on tacticalconsiderations and public and police safetyconcerns, individuals may or

may not be aware that the RPA is recording.

d) Piave the purposes,for which the.personalinformationis collected, beend©cumented? Please

identify theassociated Personal.lnformativn Bank (PIB).

Yes. The informationcollected by the RPASprogram is associated with RCMP PPU 0©5
Operational. Case Records. This information will
be collected during the cowse of investigations.
All evidentiary images and videos will be linked to an operational file in the OlRMS PROS.

14
0000~a
REMOTELY {RPAS}PROC;R.A,41
P[L01EDAIRCRAFTSYSTE'~i5 "A"
Pa~tectext
ASSESStviENT REPORT
PRIVACYi>vtPACT

ej I,f multi-institutivn~rl, have the purpvs~~s fvrwhich rhE~ pnrsvna!information is cvllected been
dncumentedamvng instit~itions?

N/A

Is there nvtice at the cvllectinn stage that identifies the specific purposes for the cvllectinn, the
authority jor doing so and the indii•idua! seni~ig as ofcial contact? S.S(2) of the Privacy Act
{nvtice afcvllc>c°tinn may beverbal, electronic or paper)
* Is the nvtice associated with the collection of personal infnrrnutivn available and
consistent across all mediums of cvllectinn?
• If n~utti-institutional, have the nvtice provisions among the institutions been reconciled
and have institutivna! expectations to the ncaticeprnvisivn been ident fed and reconciled?

Due to operational requirements and ofcer safety concerns, notice may not be given at the time of
collection. Notice will be given if tactically feasible although this is unlikely to be the case in all
instances, in particular where surveillance is being conducted under exigent circumstances.

The RPAS program uses the Notice to Airmen {NOTAM) system to ensure that aviation authorities
who may be afected by the RPAS fight are aware of the use of an RPAS. A NOTAM is a notice
distributed by means of telecommunications containing information concerning the establishment,
conditions or change in any aeronautical facility, service, procedure or hazard, the timely
knowledge of which is essential to personnel concerned with f ight operations. The basic purpose
of NOTAM is the distribution of information that may afect safety and operations in advance of
the event to which it relates. Thus, to re alize its purpose the addressee must receive a NOTAM in
sufcient time to take any required action. The value of a NOTAM lies in its "news content" and its
residual historical value is therefore minimal.

Wt`llthe reasons for which the personal information is collected he communicated to the concerned
individuals (the people why are impacted lay the initiative)?

The reasons for which the personal information is collected will be communicated to the concerned
individuals when tactically feasible. Pursuant to subsection 5(3)(a) of the Privuc;y Act, the reason
may not be disclosed if it would compromise an investigation. Furthermore, due to operational
requirements and ofcer safety, notification at time of collection may not be possible.

h) Is personal infvrmativn collected,frvm a public database?

Personal information is not collected from a public database.

i) alt quality assurance or security activities result in the collection of additivara! persona!
inior•mativn?

Quality assurance or security activities will not result in the collection of additional personal
information.

Does the program nr activity involve the ccallectivnthrough a cvmmranclient identi,fier? {e.g.,
unique ID, occurrence number, employee ID) Ifyes, provide details about the ident~er.

1~
000019
 o~~;.;„:~:~;
~aw",K~:r,~~.

R.EI~tUTELY PiLt)TED AIRCRAFT

SYS'I'Ef~9S [RPAS) PRCKRAM Protected
"A"
t'RIVACY1;4iPACT ASSESS'~iEt~7 REPUR7'

The RPAS program does not involve the collection of personal information through a common
client identifier. RPA number image and video files sequentially, but there are no common
identifiers such as unique file names or employee IDs used in the naming convention.

Based on program policy, each recording with evidentiary value taken during the course of an i
investigation or interaction with the public will be associated to an occurrence in the O/RMS. A
supplemental report, or an attached external document, must be documented with PROS and
include the date, tune, location, altitude, weather, device, media captured, delivery to the lead
investigator or file coordinator, and retention as either exhibit or key material. The documentation
will also link to operators, observers and any other crew.

Recordings that are transitory in nature will be stored in a locked cabinet and retained for either 30
days if they contain no personal information or 2 years if they contain personal information.

k) If multi-irrstitutianal, is there a clear relationship between the personal information to be collected

and the crca:~°.s
fnstict~tionutservice being propnsed (the persona! information collected is necessary
for the administration of the service)?

NIA

Ifmt~lti-instittttivna/, does- the cross institutionalprpposad require the collection ofmorepersonal

information that was previously collected by each institution?

N/A

m} If multi-irtstittttional, hoc each institution identified the authority, far the collection of personal
information on their beha~

NIA

Till meusur~sbe taker[ to ensure public confidence when personal infarrnation is collected?

Yes, measures will be taken to ensure public confidence when information is collected. Security
requirements for the collection of personal information are governed by the Policv nn Government
Security and the P©licv on Privacy Protection. The RCMP follows the requirements outlined
therein.

There is an inherent risk of a privacy breach through the loss of an aircraft that contains recorded
information. To ensure public confidence, each drone is equipped with failsafe options; a low
battery warning, wind warning, loss of GPS signal warning, and command and control link loss
warning will all trigger the return to home setting, where the RPAautomatically pilots itself back to
the original. launch point.
i
Access to information obtained via RPAS is managed by a custom-built access control system that
links the users' Entrust/smartcard credentials and assigned roles. The computers used to access
information obtained by the RPAS are housed in secured rooms within secured RCMP buildings.
These are accessible only to employees with Smartcard user profiles that allow them entry to the i
secured locations.

The information on the computers is protected by using Government of Canada Public Key
Infrastructure (PKI). The RCMP Departmental Security Ofcer assumes responsibility for

i6
0000zo
 w~~w,::~~a w: ~u
o.,~a~.i~ ::~~~ .

REMO"1'EI,Y PILOTED AIRCRAFT' (RPASIPROCsRAM

S~'ST'Ehi5 Pmtect~~ti
"A"
PRIVACY I:itPACT` ASSF..SS~iFNT REPORT

ensuring these standards are upheld, and that.breaches of security or confidentiality are reported
and investigated.

Authorized RCMP employees are granted access to the information on a "need to know and right to
know'' basis only.

2. Consent
aJ L?oes the prnpvsal require an individual 's consent to collect, Ilse arrdlor disclr~se personal
information? If nn, ti~vhy not? yes,
If is the corrSEyntClear c~ndwell uttderStrlod?

The proposal does not require an individual's consent to collect, use and/or disclose personal
information. Information is collected for law enforcement purposes and is collected by means
consistent with subsection. 5(3) of the Privacy Act.

b) If multi-institutional, have institutional diferences been reconciled with respect to consent?

N/A

it the consent obtained?

cJ I-It~tiu

N1A

d) L)oes consent require u positive action by an individual rather than being assumed ux a default?

NIA
r
e) I,f consent is sought, is the form a,f consent likely to stimulate negative reaciinrr {for example,
opt-in nr -outj?

NIA.

~ Is consent required for the perss~nal infvrmationtv he used or disclosed fnr a secondary purpose
not preti~auslyidentifred?

No,

gJ If consent is not required far using nr disci©sing the information for cr secondary purpase, please
identify the authority for disctosurc.

All uses and disclosures not described in hifoSaurce will be made in accordance with the
provisions set forth in subsection S{2) of the Privacy Act.

h) t.'an an indi~~idualrefuseto canserrt to the cr~llectionor use of personal information for a

secondary purpose, ante:ss required by !aw?

NIA. Personal information will not be disclosed for a secondary purpose other than as required.by
law.

17
0000z~
 ~~,

REMt7TEt...Y PII.OTEt?AIRCRAF"i"SYSTE~4S(RPAS} PRC)C;RAM Protected"A" •

PRIVACY IMPAC"I'ASSESSMENT REPt)R7'

Mould the refusal of an individual to consent to the collection ar use of person information far a
secondary purpose disrupt the level of program service provided to the individual?

NIA

Are standards and mechanisms in place to ensure that the individual has capacity tv give
cansc~nt?

NiA

k} Are standards and mechanisms in place tv ensure the recognition of persons authprized tv make
decisions on behalf o~'others (e.g, a minor yr incapacitated person) and are. standards in place
far making determination x~hether theindividual has the capacity to give consent by reasons af'
age yr capacity (consider all gvvernmrnt institutions or institrctivns applicable)? If not why
not?

NlA.

3. Retention
a) Is personal information scheduled for retention and disposition? Ifyes, provide details identify if
Math minimumand maximum retention periods exist far the personal information. If nn, disco:ss
why retention periods do not exist.

The O/RItiiS to which recorded tiles will be associated, PROS, allows for all personal information
and any ancillary files to be scheduled properly and consistently for retention and disposal
consistent with the Library and Archives of Canada Act. Evidentiary information is retained by
the RCMP for a minimum of two years and until it no longer has business value, at which point it
will be destroyed or made anonymous if kept only for statistical and research purposes. Transitory
information that does not contain. personal information will be retained for 30 days before being
disposed of. Transitory information containing personal information will be disposed after its
retention for 2 years. Administrative information will be retained until it no longer has business
value.

b) Isar electronic systems, have electronic purging processes been developed to purge information
in accordance with departmental retention and disposal guidelines? If nv, discuss why not.

Yes. All information collected from RPAS are associated with an occurrence in PROS, or deemed s
transitory in nature. Purging processes are in place to purge the information in accordance with
departmental retention and disposal guidelines.
s
c} If multi-irzstitutivnal, is there a cross-institutivnalprocedure tv govern the destntctivn ofpersonal
information? fyer, explain the procedure. If na. explain ~i>hy there is reo identi,~i~d procedure.

I8
000022
 REhiO7"EI,Y
PILOTED AIRCRAFT
5Y5TEMS (RPAS) PROGRAM I'rotcx:tcd "A"
PRIVACYIMPACT ASSESSAAIti'( REPOR7'

N!A

d) Is there a need to recrancileamnng institutir~nsthe Cen~tlt c?f time

perst~nal t>•afarmutian
will lie
retained?

N!A

i e) tYill personal informatir~n 6e prvrersed or

disclosed or retained autside ~~f Canada?

• The RPAS program operatesonly in Canada. The RCMP does not plan on processing, disclosing
or retaining personal information obtained by the RPASprogram outside of Canada. Underthe
Privacy Act, personal informationmay be disclosed subject to the disclosure provisions setout in
the RPAS
section 8. Therefore, there is a possibility that personal information obtained by
program is disclosed toan agency outside of Canada in accordance with section 8. If thepersonal
information were to be disclosed to an agency outside of Canada, the personal information would
likely be processed and retained outside of Canada as well.

4, Accuracy of Personal Information

a) ghat steps will be taken ny ynur prr~gramto ensure that the personal information is accurate,
compute and up-tv-date?

N/A. Information collected at the timeof recording will be considered accurate unless proven
otherwise. Police ofcers will use PROS to confirm. identities of individuals and corroborate
information collected.

} Dues the recnrd of personal inforrnatian indicate tlr~date of last infnrnration

Yes. The video recordings indicate the date and timeof data collection. Furthermore, metadata
stored within the image can be accessed to determine additional information relating tosource.

c) Does your prv~ram have aprocess in place to retard corrections yr amendments to personal
information?

Yes. Section 12 of the Privacy Act provides amechanism for individuals to have the tight. to
access their collected personal information and to request changes if they feel there are
inaccuracies; however, giventhat the informationis in video format and cannot be modified,a
notice wZll beplaced on the file indicatingthat a request was made and thereason the change
cannot be made.

d) there applicable, is there a prrteedure, automatically or at the request r~the individual, to

pravide notices cifct~rrecticsnttathird parties to who personal informatr'onhas been pre>~iottsly
disclosed?

N!A

19
000023
REMU'ft:1.1` PIL.UTED AIRCRAFT SYSTE'~7S (RPAS} PROGRAtiI Protected "A"
PRIv AC'Y 1 MPAt:T ASSFSSht ENT REPORT

e) Ifmulti-itrsritutional, have responsihilitiesond difere:rtes in accuracy requirements been

identified and reconciled?

N/A

,~ Is there a clearly defined process by which an individual tray access, assess and discuss ar
dispute the accuracy of the record? Please briefy describe the steps. i
As per the Privacy Act, the individual can formaily submit a request through the RCMP ATIP
Branch to access, assess and discuss, or dispute the accuracy of the record. The steps to submit a
request under the Privacy Act and details required are outlined on the public -facing ATIP website r
(ht.ta:liwww:rc:mv-urc.lac.caJaiip-aipip:'index-eng.hittt).

The RCMP Information Management Manual 3. ] H —Informal Request for Information also
provides steps for a Commander, Director and CO to follow in the event that an informal request
f'or information is received. in such cases, requests from a person or agency not authorized to
view employee and discipline records, RCMP investigative records, and re quests from a
provincial attorney general will be addressed based on the policy.
i
S. Use of Personal Information
r
a) Is personal informatiarr used exclusively far the purpose for which the information was obtained
or compiled?

Yes. Personal information is used exclusively for the purposes of law enforcement and complies
with legislation as defined in the information banks of InjoSource and disclosed under the
provision of sections 7 and 8 of the Privacy Act.

h) Are thg uses•of ahe information limited to what a reasotrable person would consider appropriate
in the circrrmstancer?

Yes. The collection of information is authorized by common iaw powers of police ofcers in
order to fulfill their duties of the preservation of the peace, the prevention of crime and the
protection of life an d property. The use of information under the control of the RCMP is
governed by section 7 of the Privacy Act and is disclosed in accordance with section 8.

Information obtained by the RPAS is classified as Protected B and accessed on a "need to know"
basis only.

c:) Will the information be used for the same purpose for which it was disclosed to the RCMP? (Is
thcrre any ether use for the informationr received being considered?}

NIA

dj Is itrfornrrztion ananymized when used far planning, forecasting andlor evaluation purposes?

No.

20
00002a
 REMOTELY I'It.OTEA AIRCRAFT SYS7E~iS (RPAS) PROCiR:1h4 "A"
Protected
PRIVACY' KE:PORT
[MPAC"1' ASSE5S0.7ENT

A.re personal identifiers, such as social insurance number, used far the purpose of linking across
multiple databases?

No.

.f} i3'here the program ar activity inucalvesdata matching, is it consistent with the stated purposes
far which thc~ personalinformation was collected?

NIA

6. Disclosure of Personal Information

a) Is personal information disclosed with the consent of the individual?

No.
i
• b) If No, has the specific authority for disclosure been identif ed?(s.8, Privacy Act)

Disclosure of personal information is consistent with the provisions of subsection 8(2} of the
Privacy Act.

c) ~4repersona! identifies, such as social insurance numbers, disclosed?

No.

d) Ls the personal information to he disclosed. limited to the purpose of disclosure?

Yes. The release of personal information is specific to the request and is subject to the disclosure
provisions set out in subsection. 8(2) of the Privc:cyAct.

7. Individual's Right of Access and Correction

a) Is the .systemdesigned to ensure that an individual can have access to hislher personal
infar»uition including all other programs ar applications that have received copies of the
information?

Yes. The video and images recorded indicate the date and time of collection. The evidence cannot
be edited, but a notice can be placed on file indicating an inaccuracy or change request. The
public can request copies of any video or photographs through ATIP.

h) I,('mufti-xnstitutioriul, has the cross-institutdona!service delivery project documented hax~ requests

for personal ii~ormatian covered or not covered by a privacy lax will he processed?

N/A

c) Ifmulti-institutional, are un individual 's access rights. for access to all fnformation of institutions
andlor private sector partners assured?

~~
000025
REMU"tEl._Y
.PILOTED AIRC: RAFT SYS"rE~IS (RPAS) PROGRAM "A"
Prota~-ted
PRIVACY
IMPACTASSESSMEZvT REPORT

N1A

d) Are utl custrxlians and participants aware of air individual 's right of access and the complaint
process?

Yes. information on the applicable sections of the Privacy Act are incorporated into the training
standard for RPAS program. The RCMP Access to Information. andPrivacy Branch provides
training and advice.

e) Ifmulti-institutional, are the custoriirzns aware aj'the cross-irzstitrrtr'onalservice delivery practices

regarding the individual 's right of access and the requirement in advise of the formal and
iffvrmnl appeal and~ar complaint procedures?

N/A

,/} Are there documented procedures developed or planned an hUw to initiate privacy requests or
requests for the correction of personal information?

Yes. The RCMP ATIP Branch has a website which explains the procedures on how to initiate
privacy requests or requests for correction of personal information.

gJ .Has consideration fieen given to providing individuals "routine "access to their personal
infornurtivn?

Providing individuals routine access to their personal information in photo or video format may
compromise investigations and, as such, consideration will not be given to providing individuals
routine access tv their personal information. The videos and images do not replace other pieces of
evidence or testimony. Storage media and their files are secured by the RCMP until it is
necessary or relevant to produce them.

h) If multi-institutional, hove procedures been established to provide individuals with access in a

.`routine "'manner tv the personal information collected 6y the cross-institutional service delivery
project?

Ni"A

i) Are individuals provided with access to their personal information in the o~j}'rcial language df the
choice?

NIA

j) If'apprvpriaie, are individuals prUvided with access to their persona! infvrnuraion in alternative
format?

22
0000zs
 PROGRAM
AIRGR:IFT SYSTEMS (RPAS}
REMOTELY PILt3T£I? Praiei:teJ"A"
£tti"I' REPORT
ASSESSIrf
I'R.NACY I41PAC`T

NIA

8. Safeguarding Personal Information

a) Have security procedures{'©r the collection, rransrnission, ,rtarage and disposal afpersonal
information, and access to it, been documented? Ij'multi-invtitutional, have security procedures
been documented with crass-institutiUrral canjlictsident~ed and reconciled?

Yes. Security requirements for the collection, use, diseiosure, and storage of personal information
i are governed by the Policy on Gni~ernntentSecurity and the Policy on Privacy Protection. All data
obtainedthrough the RPAS, is done in accordancewith OMchapter 16.4 section3.1?. All recordedmedia
will beretained In accordancewith Information Management Manual {1MM) chapter 2.3section 4.6.6.In
•
(information not usedfor an investigativepurpose} willbe retained in
addition transitory information
section 4.6.6.3.1.
accordance withINI\~i chapter 2.3

b) Was a Threat Risk Assessment cvmpleted?

M
A Threat Risk Assessment has been completed.

Are them controls in place for any prod.>sstrt grant authori~ativn to madi,~y (add, changeor delete}
personal information from records?

Role based access controls will control which employees with PROS access are able to modify
personal information in the RMS. A user's RBAC is based upon the requirements of their job and is
managed by coordinators within each division an d at RCMP national headquarters.

Personal information will be considered accurate at the time the video and/or picture is collected.
The personal information in videos and images cannot be modified as they are recorded events. In
the event there is an inconsistency with a photo or video, individuals with access to the RMS that
includes write access are able to add a note to an occurrence associated with a given photo or ~~deo.

For access to information. requests, RCMP ATIP willalter the released recorded event to protect the
privacy of uninvolved Canadian citizens; however, an unedited master copy will be stored.

d) .ls the syste»t designed sa access and changes to personal infarmatiz~ncan be audited by date anti
user ident~cation (e.g., transactianul audit tags)?

The images and video recordings indicate date and time of recording. Furthermore, metadata stored
within the video or image can be accessed to determine additional. information relating to source.
PROS has an Audit Log Viewer (ALV) so any notes tied to an occurrence with regards to
inaccuracies or requests for changes to a record obtained from an RPAS can be audited by date,
time and user identification.

23
00002
RF..MC)TELY
i'ILC)'CED AIRCRAFT SYSTEMS
(RPAS) PRU{iRAM f'mtected "A" .
PRtVAC:Y lMPAC"r ASSESSMENT
REPORT

Videos and imageswith e~~identiaryvalue are kept in exhibit lockers and managed bystorekeepers
—individuals responsible for catalogingand storing evidence. When individuals requestaccess to
videos and images managed bystorekeepers, a log is kept thatindicates who requested themand
when they were requested andaccessed. •

Till individuals be monitored through audit lol,>s

and will personal ir~c~rmationhe collected in the
process? If yes, ensure that ail data elementsare ident~ed in the ~ectian III -Personal
Information Data Elementry with the Source iderrt~ied as7r'ansactional Log.

The system will record the name and HR'viISnumber of employees whoaccess evidentiary video i
or the occurrences to which theyare related.

Are user accounts, accessrights and ser.'urityauthorizations controlled by a system or record

management process (e.g. application security administration module andlor role based access
controls {RBAC})?

Yes. Access rights andsecurity authorizationsare controlled byDepartment Security and

lnfonnation Technology systems that meet the Treasury Board policyrequirement.

g] Do security measures commensurate x~~ith

the sensitivityof the information recorded?

Yes. information collectedmust be secured to aProtected Bsecurity requirement asoutlined in the

Statement of Sensitivity.

h) Is there a plan,for quality assurance and audit programs to assessthe ongoing state of the
safeguards applicable to the system?

Yes. RCMP security protocols are continually monitoredand assessed. Required changes are
applied by the Departmental Security Branch.

Are there contingencyplans and docnrnentedprocedures in place to ident~ and respond to

security breaches or disclosures ofperscmal information in error?

Yes. The RCMP has extensive security policies and pmcedures to deal withsecurity breaches and
inadvertent disclosures ofpersonal information. The ATIP Branch also uses Treasury Board
Secretariat's {TBS) Guidelines for Privacy Breaches,Ofce of Primary Interest {OPI) Privacy
Breach Checklist, Privacy Breach ManagementToolkit, Ofce of the Privacy Commissioner's
(OPC) Privacy Breach Checklist,and the RCMP's Administration Manual(AM) AM XI. L( -
Security Incidents.

,j) Are there documentedprocedures in place to carnmunicatesecurity violations to thedata subject,

law en_J'oraement
autliarities and relevant program tnanagers?

?.1
00002$
 PItrOTED AIRCRAFT
REMOTEI:Y {RPAS}
SYS'1"EMS PROGRAM Pn~tectrd'`A"
PRIVACY IMPACT' ASSESSMEIti7' KENOR9`

Yes. The RCMP Departmental Security ©fcer assumes responsibility for ensuring these standards
are upheld and that breaches of security or confidentiality are reported and investigated.
The RCMP ATIP authority will notify the Ofce of the Privacy Commissioner of any breaches of
privacy.

k) If multi-ittstitutivnal, is there alsv a procedure tv cvmmtrnicate security vivlativns w institutions?

N/A

9, Transparency
a) Are policies and practices redatirtg tv the handling of personal information by your
prvgramlactivity available tv the public?

The RCMP currently has RPAS policy in place in OM 25.7 —Investigational. Aids, however, a
new version is currently under development for future publication.

b) Is there a clearly defined and easy prvicessfvr individuals to access such inf©rnuttion and/vr
communication with appropriate individuals with respect to policies and practices relati~tg tv
management and protection vfpersvnal information?

A clearly defined and easy process for individuals to access such information and/or
communication with appropriate individuals with respect to policies and practices relating to
management and protection of personal information is outlined on the external ATIP Branch
webpage on the RCMP website: httpai`www.r+cmp-grc.gc.cv'atip-aiprp/index-eng.Lun

Subsection 12{1) of the PrimacyAct authorizes access to personal information held by federal
departments and agencies, however, the head of the RCMP may refuse to disclose any personal
information requested under 12(1) as outlined in section 22 of the Act.
i The RPAS PIA Executive Summary will be posted to the RCMP web site, this documents the
management and handling of the images and video collected. Furthermore, a description of how
personal information obtained from the RPAS program will be handled is available in the
description of the Personal Information Bank tvMP PPU 005 in brfnSvurce.

Is there a communication plan tv explain tv the public how personal information s~vill be managed
and protected? (Provide details as well of any multi-institutional andlor multi-institutional
communications plan, if applicabtej ~T'hc>n appraprivte, wild public consultation take place v» tfre
privacy implications of the proposal, irtcludiug the privacy risks and the plans for resakttivn?

A communication plan is currently being developed. The communications strategy will inform the
public of the RCMP's use of Remotely Piloted Aircraft Systems and when and why the camera will
be activated. The RCMP will also communicate how personal information will be managed and
protected.

It is not considered necessary or cost-efective to undertake public consultations on the RPAS

~i
000029
 o~iam~. ww~i.~i.am.~~r.r4mre.m.~

s.16(2)
.
A.IRCRAt-"F
KEMO"rEt:Y PiLC)Tt~D SYST'F..MS
(RPAS)PRiXiRAM Prote~~ted
"r1"
PRIVACY IMPACT ASSESSME'sVT REPOR~{'

Program. The RPAS Program has been utilized by the RCMP since 2010 and enhances the
RCMP ability to perform investigations and assists in maintaining public and police ofcer
safety. The RCMP's use of RPAS has been reported on publicly by media and the RCMP will
continue to communicate its use of RPAS to the public.

d) il~Itereappropriate, have key stakeholders (eg. OPC, Legal Services, IM, etc.) been provided with
an opportunity to comment cm the privacy implications of the pre~pr~sui? {illsn pr©vide details of
any cr~rnmentsfrom arry stakeholders irtvc~lved inmulti-ittstitutianal initiatives.}

Yes. Discussions have taken place with key stakeholders including the RCMP Access to
Information and Privacy Branch, Departmental Security Branch, the Ofce of the Privacy
Commissioner, RCMP Legal Services

Section VI —Statement of Risks and Recommendations

•
i
•
r

•
•
•
•
•

•
•
•
•
a
S

~~ 000030
 s.76(21
REMO'T'ELYPI[.ATED AIRCRAFT SYSTEMS{RPAS1PRfX,RAM Protected "A"
PRTVACY 1'viPACTASSESST~tL-NT REP©RT
, ••••••!•

Section VII -References

Stakeholders
The individuals listed below participated in the development of the PIA or were consulted as part of the
development process.

Name Title Rale

Alana Paquette Research Student, CAP Conduct and Prepare PIA
Daniel Campbell Legislative Conformity Analyst, CAP Conduct and Prepare PIA
Sgt. Keith Derksen. RPAS Program Manager, C1P Reviewer
Steven Morgan Director General Privacy Commissioners Ofce
Victoria Baldwin ATIP Advisor ATIP
Mike Dale Counsel Legal Services
Kevin Therrien Senior Technical Security Consultant DSB
Holly Power Manager, ITSS TTSS/DSB
Shannon Toomey Research Analyst, CIP Conduct and Prepare PIA

Supplementary Documents
The following documents were used. in the development of the PIA as a source of reference.

Expectations: A Guide for Submitting Privacy Impact Assessments to the Ofce of the Privacy
Commissioner of Canada (DRAFT}
Directive on Privacy Impact Assessment (Treasury Board)
RCMP Guidelines on Preparation of a Privacy Impact Assessment (PIA)
••••i•••••r••••••••••••••••!••••t•

Legislation and Policy

The following legislation and policy were used in the development of the PIA as a source of reference.

Access to Information Act

Library and Archives of Canada Act
Policy on Government Security
Policy on Privacy Protection
Privacy Act
RCMP Act
RCMP Operational Manual

27
000037
REMOTELYPILOTED AlRCRAF'CSYSTEMS(RPAS}PROGRAM Pr~ieM~d "A"
PRIVACY IMPACTASSESSMENTREPOR"I'

~~?~?r£ViaftOnS

ALV Audit Log Viewer

AM Administration Manual

ATIP Access to Information and Privacy

CIP Contract and Indigenous Policing

GPS Global. Positioning System

GSP Government Security Provider

IM Information Management.

PI' Information Technology

NOTAM Notice to Airmen

O/RMS Operational Records Management System

OPC Ofce of the Privacy Commissioner i

OPI Ofce of Primary Interest

PIA Privacy Impact Assessment

PIB Personal Information Bank

PKI Public Key Infrastructure

PROS Police Reporting and Occurrence System

RBAC Role Based Access Controls

RCMP Royal Canadian Mounted Police

RPAS Remotely Piloted Aircraft Systems
RPA Remotely Piloted Aircraft

SD Secure Digital

SUA Small Unmanned Aircraft

TBS Treasury Board Secretariat

TRA Threat Risk Assessment

UAS Unmanned Aerial System

UAV Unmanned Aerial Vehicle

USB Universal Serial Bus

28 000032
 Diwip,lU~-w e~fw ~d
' wr~i',W. ~ itMamuuon.

REMOTELYPIl_O'fFI) AIRCRAFTSYSTEMS(RPAS? PROGRAM Protectcxt"A"

R.1~.PORT
PRIVACY IMPACTASSF..SSMtrN7'

Section VIII -Formal Approval

Program Approval

1 approve of this PIA and commit to comply with sections 4 to 8 of the PrivacyAc~t and thosepolicies and
directives which support its administration in re lation to the present initiative.

Sgt. Keith llertice ~`~

RPAS Program Manager, Contract &Indigenous Policing

ATIP Approval

As the delegate responsible for establishing personal information banks in accordance with section 10 of
the Privacy Act, I approve this PIA and am satisfed that it complies with the Government of Canada's PIA
Directive.

Supt, Richard T~~fe

RCMP Access to Information and Privacy Branch Coordinator

Departmental Approval

I have revi ed this PIA and confrm that it complies with sections 4 to 8 of the Privacy Act and those
policies directives which support. the Act's administration in relation to the present initiative.

1 12o1a
•••i••••••••••i•••••••••••••i••t•••S••••••

QEC
. Kevin Brosse~u
D .ut ; ~ ommissioner, Contract &Indigenous Policing

2~3
000033
 ~.way.,.,..~a.w~a...,.u
•

REII~IOTEL,Y PIL(}TED AIRCRAFT

SYSTET~IS (RPASjPR(xiRAbt I'roierted "A" •
PR14'ACY IA~IPACTASS6SSME1vT~REPORT

Appendix "A"
Personal Information Bank
©perativnal Case Records

Description: This bank contains persona] information on individuals who have been involved in
investigations under the Criminal Code, federal and provincial statutes, municipal bylaws and
territorial ordinances. This bank contains investigational an d occurrence reports, statements,
exhibit reports, copies of court documents such as summonses, warrants, etc., court briefs, and in
some instances records relating to criminal histories. Information in this bank is entirely
searchable but can be restricted from the view of certain user groups depending on the sensitivity
and a user's requirement to see the information. In addition to the requirements indicated on the
Personal Information Request Form, individuals must provide their full name, date of birth and the
location where the investigation occurred. Individuals wishing to access only specifed
information should identify the material desired to expedite the processing of their requests.
Information in this bank may be maintained in hard copy f les as well as in automated form such. as
the Canadian Police Information Centre {CPIC), the Police Information Retrieval System (PIRS),
the Police Reporting and Occurrence System (PROS), the Police Records Information
Management Environment {PRIME), the Halifax Regional Municipality Police Records
Management System, the Missing Children/Persons and Unidentifed Remains database
(MC/PUR db), the Violent Crime Linkage Analysis System (ViCLAS), the DNA Bank, the Secure
Criminal Information System {SCIS), the Secure Police Reporting and Occurrence System
(SPROS), the Integrated Query Tool (IQT), the Police Information Portal (PIP), the Police Access
Tool (PAT), the Secure Integrated Information Service {SeLIS), the National Criminal Data Bank
{NCDB), Automated Criminal Intelligence information System (ACIIS}, the Integrated
Collaborative Environment (ICE}, the Subject Beha~rior/Ofcer Response {SB/OR}, the National
Money Laundering Database {NMLDB}, Canadian Anti -Fraud Centre (CAFC) fraud reporting
system, a single Web site where citizens can report everything fr om credit card fraud to major
corporate corruption, the National Security Tip Line created to encourage Canadians to notify the i
RCMP of any criminal acti~rity which may be associated to terrorism, the File Management
System (FMS) established in order to enter inf©rmation regarding frearms registry and to track
fles, the Laboratory Information Management System {LIMS), a commercial of the shelf
application operating an the RCMP WAN (wide area network) platform which permits the six
RCMP Forensic Laboratory sites to function as a single virtual laboratory system to support the
sharing/reporting ofcase related information required to support a national forensic casework
service to recognized law enforcement agencies an d the Canadian legal system. Personal
information contained in LIMS-Plus is minimal (Surname, Given Name 1, Given Name 2, Date of
Birth, Sex and Subject Type and complies with P[RS (Police Information Retrieval System)
requirements for reporting) and is monitored/managed respecting the regulations for the storage
and retention of information under the Library an d Archives of Canada Act and Privacy
legislation. LIMS-Plus also contains DNA profles generated from crime scene evidence.
LIMS-Plus operates in a Protected'B' security environment via Contivity and subject information
for Protected "C', Secret or Top Secret is not entered. or maintained in the LIMS-Plus system.
LIMS-Plus administration has a feature to 'sequester' information if required for sensitive case
information to restrict access to data to a specifc user.

30
000034
 aw~~.,:~:~a
~~w~,Ku::~
~`~.~.

REMOTELYPILO'fEU AIRCRAFTSYS~'EMS {RPAS}PROGRAM Protected "A"

PRIVACY IMPACFASSESSMEtvT R.EPt}R'f

Class of Individuals: Individuals involved in or the subject of criminal, municipal, provincial and
federal statute investigations.

Purpose: Compiled in the administration or enforcement of the law and in the detection,
i prevention, or suppression of crime generally. Information in this PIB is collected in accordance
with section 18 of the RCMP Act and section 17 of the RCMP Regulations. Asper Treasury Board
Directive on Social Insurance Number (SIN) in respect of Lawful investigation and SIN collection
and use, the SIN is used only for the following purposes: to establish the accurate identifcation of
i an individual; to aid in the identifcation of a deceased person and locate their next-of--kin; orto
identify and locate the owner of lost or stolen property that has a SIN inscribed.

Consistent Uses: This information is used by accredited domestic and foreign law enforcement
and foreign investigative agencies, departments of the Criminal Justice System and Courts in the
administration or enforcement of the law and in the detection, prevention, or suppression of crime
generally. This information is also used by federal departmental security ofcers for security and
reliability screening. Records are created. by RCMPrecruiting units that refect indices checks that
are conducted in order to determine the suitability of applicants for the RCMP. Firearms ofcers
have access to a subset of information in PIRS, PROS, PRIME and Halifax RMS in order to
administer the Firearms Program. In fact, frearms ofcers have direct access to a limited subset of
information in PIRS. This data is used to supplement information in the Firearms Interest Police
(FIP) category of the Canadian Police Information Centre (CPIC), in accordance with the general
criteria set forth in subsection 5(2) of the Firearms Act. This information may also be used for
research, planning, training, evaluation and audit, statistical purposes and maybe matched with
information from other personal information banks andlor program records. All linkages for the
purpose of administration or enforcement of the law and in the detection, prevention or
suppression of crime are in compliance with the provisions of the Privacy Act. Information
collected and stored in the National DNA Bank maybe shared with Interpol, Canadian Criminal
Real Time Identifcation Services (CCRTIS), CPIC, public forensic laboratory and National
Police Services (NPS).

Retention and Disposal Standards: Information in this bank is retained by the RCMP for a
minimum of two years. If the fle has been designated as having enduring value it will be
transferred to the control of Library and Archives Canada, otherwise it will be retained by the
RCMP until it no longer has business value. At that point, it will be destroyed or made anonymous
if kept only for statistical and research purposes. Information in the Crime Scene Index (CSI}, in
the Convicted Ofender Index and DNA samples (bodily substances) will. be destroyed in
accordance with sections 8.1 to 10.1 of the DNA identifcation Aci.

RDA Number: 911015, 951003, 951009,95101 1,96

Related Record Number: RCMP OPS 1111, RCMP OPS 1112, RCMP OPS 1113,
RCMP OPS 11.14, RCMP OPS 1.1.21,RCMP OPS 1122, RCMP OPS 1123, RCMP OFS 1124,
RCMP OPS 1125, RCMP OPS 1126, RCMP OPS 1127, RCMP OPS 1131, RCMP OPS 1132,
RCMP OPS 1133, RCMP OPS 1134, RCMP OPS 135, RCMP OPS 113'7, RCMP OPS 1211,
RCMP OPS 1212, RCMP OPS 1213, RCMP OPS 1214, RCMP OPS 1215, RCMP OPS 1216,

3t
000035
REMOTELY PILOTED AIRCRAFT SYSTE'~1S (RI'AS) PRC)GRAM Protected'":~"
PRIVACY IMi'A("f ASSESSME'w7T REPORT

RCMP OPS 1217, RCMP aPS 121$, RCMP OPS 1222, RCMP fPS 2121, RCMP OPS 2122,
RCMP IJPS 2123, RCMP QPS 2124, RCMP ©PS 2125

TBS Registration: 000997

Bank Number: RCMP PPU 005

Notes: The CSI information contained within the NDDB is populated electronically through a
secure encrypted data link using the Combined DNA Index System (CODIS) software program.
The Sample Tracking and Control System (STaCS), is used to manage the processing of ofender
DNA samples as part of Canada's NDDB.

r
•

•
•
•
•
•

~~ 000036
t2[~'~YIOTELY P[I.OTED
AtItCR.AFTSYSTE!viS (RPAS> PRtJGRAM "A"
Protectrr~I
PRIVACY IMPACTASSESS?YIENT REPORT

Appendix "B"
Executive Summary
The Remotely Piloted. Aircraft System {RPAS} Program is used by the RCMP to capture aerial
images and videos in support of RCMP operations. A RPAS is apower-driven aircraft where its
components, such as a camera, are operated without a fight crew member on board. It is also
commonly referred to as a drone, Small Unmanned Aircraft {SUA), Unmanned Aerial Vehicle
{UAV}, and Unmanned Aerial System {UAS). The RCMP c'uirently operates several diferent
systems that carry both still and y~deo cameras, infrared cameras or Thermal imagery. When in.
operation, the RPAS is fown by a pilot remotely, while a payload operator is responsible to
capture any images and video.

The RPAS program started in Saskatchewan in January 2010 with one RPAS used for collision
reconstruction. RPAS have since advanced RCMP operations in the areas of crime scene
investigation, forensic collision reconstruction, search and rescue, monitoring critical incidents,
Emergency Response Team {ERT), border integrity, VIP events, surveillance and researching
RPA countermeasures. The RCMP does not use RPAS to perform widespread surveillance under
normal circumstances. RPAS are used for surveillance purposes only with prior judicial
authorization, or where urgent or exigent circumstances make it impractical to frst obtain a search
warrant. The RCMP currently operates several diferent systems that carry both still and video
cameras, infrared cameras or thermal imagery. Additional payloads such as magnetometers,
hyperspectral imaging, and LASERILIDAR technology are also being examined. These advances
contribute to the success of the RCMP's mission of preserving the peace, upholding the law and
providing quality service in partnership with our communities. The RPAS Program is designed to
add value to evidence gathered during an investigation and should not be relied on as the sole
sourceof evidence.

All information obtained via RPAS is manually transferred from an SD card to a workstafon in a
secured RCMP building. Following the transfer of information to the workstation, it is deemed
either evidentiary, administrative, or transitory in nature. Evidentiary information is passed to the
lead investigator of an occurrence {event} and associated to it through the RCMP Operational
Records Management Systems {OIRMS) called Police Reporting and Occurrence System {PROS).
Evidentiary information is retained by the RCMP for a minimum of two years and until it nn
longer has business value, at which point it will be destroyed or made anonymous if kept only for
statistical and research purposes. Administrative and transitory information is retained for a
predetermined period of time before being disposed of.

RPAS strengthen the RCMP's ability to achieve its mandate of preventing and investigating crime;
maintaining peace and order; enforcing laws; contributing to national security; ensuring the safety
of state ofcials and visiting dignitaries; and providing vital operational support services to other
police and law enforcement agencies within Canada. RPAS are able to provide an overhead view
on a scene to support RCMP members, helping the RCMP provide the highest quality service.

The RCMP is committed to safeguarding personal information collected and continuously reviews
its policies and procedures to ensure compliance to federal legislation.

33
000037