Author: Valencia IIP Advisors Limited
Date: July 2021
Appropriate Senior Official: Gilles Payant – Manager, Facilties Management and Departmental Security Officer
Section 10 Delegate: Natalie Sabourin, CATSA ATIP Coordinator
This is a summary of the Privacy Impact Assessment (PIA) completed by Valencia IIP Advisors Limited for the Canadian Air Transport Security Authority (CATSA) for the Facestation Access Control System (‘Facestation’). The PIA was conducted using the Treasury Board of Canada Secretariat guidelines for conducting PIAs, which incorporates the ten principles of the Canadian Standards Association (CSA) Model Code for assessing fair information handling practices.
Facestation is a biometric hardware solution installed at access points to CATSA’s offices from public spaces. It requires CATSA employees and contractors to present their faces to be authenticated using a facial recognition scanner. Facestation allows restriction of access to CATSA offices from public spaces. This system is being deployed by Paladin, a Canadian consulting firm. Paladin recommended use of the Facestation 2 designed by Suprema Inc.
In order for Facestation to recognize CATSA employees and contractors, CATSA requires individuals to have their facial template captured. Using infrared-based image analysis, unique identification points on an individual’s face are captured to create a facial template. The templates created are converted to binary code using an algorithm that is proprietary to Suprema Inc. The system does not store any images, facial or otherwise. Instead it relies upon the binary code used to recognize each authorized individual.
The PIA did not reveal any major concerns in terms of compliance with the Privacy Act.
| Type of Program | Compliance |
|---|---|
| Administration of Programs / Activity and Services | Yes |
| Type of Personal Information Involved and Context | Compliance |
|---|---|
| Personal Information, with limited contextual sensitivities, collected (in) directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | Yes |
| Sensitive Personal Information, (i.e., Biometric, template/facial scan, employee name, employee ID, validity period, access level). | Yes |
| Program Partners and Private Sector Involvement | Compliance |
|---|---|
| Within CATSA (amongst one or more programs within CATSA) | Yes |
| Private sector organizations or international organizations or foreign governments | Yes |
| Duration of the Program | Compliance |
|---|---|
| Long-term program | Yes |
| Program Population | Compliance |
|---|---|
| The program affects all individuals for internal administrative purposes. | Yes |
Conclusion
In July 2021, a copy of this PIA was submitted to the Office of the Privacy Commissioner (OPC) for review.