Privacy Impact Assessments

Privacy Impact Assessments ensure that all new or substantially modified activities involving the collection, use, retention and disclosure of personal information are conducted in accordance with the Privacy Act.

2015 – Regulatory Reporting System (RRS)


The Privacy Impact Assessment (“PIA”) is a joint initiative undertaken by the Bank of Canada, Canada Deposit Insurance Corporation (“CDIC”) and the Office of the Superintendent of Financial Institutions (“OSFI”) (collectively referred to as “the Agencies” or individually as an “Agency”), concerning the Regulatory Reporting System (RRS). The RRS collects, validates and maintains financial and corporate data and returns filed by federally regulated financial institutions and private pension plans that are required by law to file them. Although the Tri-Agency Database System (TDS) has been operational since 1998, the Agencies have decided to comprehensively replace its capabilities to better meet the needs of users, clients and downstream systems.

Some of the significant objectives of the TDS renewal and RRS redevelopment initiative were to:

  • reduce the effort required to introduce or modify returns and reduce the time required to accept, validate and distribute a larger volume of regulatory information;
  • integrate the collection and validation of deposit-taking institution, insurance and private pension plan regulatory filings into a single system;
  • simplify administration of filer accounts and communication;
  • permit the use of a self-service model for filers and users, including contact management, password maintenance and client communication; and
  • facilitate interactions between the RRS application and downstream systems to allow faster and improved access to information and data.

The PIA was completed to adequately assess and address the privacy implications involved with the new software (RRS) and to fulfill OSFI’s and CDIC’s obligations under the Treasury Board of Canada directive on PIAs.

The PIA concluded that the implementation of the RRS does not require specific recommendations with respect to improving the collection, use or disclosure of the minimal personal information collected. Much of that information is often made publicly available by the institutions submitting the filings.