Privacy Impact Assessment (PIA) Summary for Legal Case Management Solution (LEX) for Legal Services

Description:

The Justice legal case management system (LEX) is an application used to support the practice of law and the management/delivery of legal services to Government of Canada. It includes the following functions: legal file management; timekeeping management; document management and operational dashboards and reports. The system is used by managers, counsels, paralegals, and administrators involved in the provision of litigation, advisory, policy, legislation and regulatory drafting services in headquarters, regional offices and Departmental Legal Services Units (DLSU).

Why a Privacy Impact Assessment Was Completed:

LEX houses a variety of legal files pertaining to JUS and their clients, with the contents of the files potentially containing personal information. Additionally, the collection of social insurance numbers is used as unique identifiers during communications with Canada Revenue Agency in relation to income tax matters. Thus, because of the underlying risks attributed to the access, storage, safeguards, and use of personal information as unique identifiers, a privacy impact assessment was conducted.

Additional Information:

  1. Personal information stored within LEX is not collected directly from the individuals to who it pertains to, but through the Department of Justice’s client (other government departments). Policies are to be implemented, and regular audits conducted to review and correct the information to ensure its accuracy. Target date for this mitigation is March 31st, 2025.
  2. Accidental data modification or corruption of the file could impact the accuracy of the personal information. Access controls in LEX will be limited only to authorized users and those who have a need to know. Legal files in LEX are set to a read only rule, with users only grated edit access to files and documents based on their role. This mitigation is currently implemented.
  3. The personal information is at risk of compromise through improper access, use, disclosure, disposal by unauthorized users. Access controls in LEX will be limited only to authorized users and those who have a need to know. Training is provided monthly for all new users and administrators. Roles and responsibilities are identified in all protocols. This mitigation is currently implemented.
  4. The read access to files by default presents risk of privacy breaches, improper use of access privileges and unauthorized use of data by the user. Access exceptions can be applied on sensitive files with information on a need-to-know basis, blocking access to all users except for the active participants. Access controls, account creation and account deactivation are limited to the Legal Systems Service team. Processes are in place to centralize account modifications. These mitigations have all been implemented.
  5. LEX collects social insurance numbers, which are used as unique identifiers during communications with Canada Revenue Agency when representing that department in relation to income tax matters.  Only specific users, such as Business Unit Administrators, Super Administrators and users identified as participants on CRA files will have access to this information. This mitigation is currently implemented.
  6. Improper sharing or communication of sensitive personal information or third-party legal information through channels that are not appropriately safeguarded (such as through the GC Protected A Network) presents a risk of compromise. Third party legal information is Protected B and must be safeguarded against compromise by the individual entrusted by the Department of Justice to transmit it. Any requirement to communicate Protected B are addressed using the appropriate encryption – myKey, when sending it as attachments in Email, GCSRA/VPN or JusAccess. This mitigation is currently implemented.

Related Personal Information Bank:

Legal Proceedings and Services – JUS PPU 010

For more information about this Privacy Impact Assessment:

Privacy, Policy and Programs Unit, ATIP Division,

Department of Justice,

jus.atip-privacy_aiprp-vieprivee@justice.gc.ca