CSPS Privacy Impact Assessment (PIA) Summary: Telework Agreement Digital Platform
Description of the project
The purpose of this PIA was to examine the privacy impacts associated with the Canada School of Public Service's (CSPS) telework agreement digital platform.
Why the PIA was necessary
The school collects and uses personal information from their employees when they complete the telecommuting arrangement form while employed at the CSPS.
The personal information was already collected in the past using a different format and the CSPS is now using a digital platform to collect the information related to telecommuting arrangements for its employees. The information is collected directly from the employee.
PIA objectives
The PIA is intended to help ensure that the CSPS undertakes and implements the proper safeguards regarding the collection of personal information being collected, remains compliant with the Privacy Act, and helps identify and mitigate any reputational risks associated with the CSPS Telework Agreement Digital Platform. It is also intended to help raise awareness of potential downstream risks emanating from the collection and use of employees telework information.
PIA findings and risk summary
Privacy risks arising from the CSPS's new Telework Agreement Digital Platform are considered to be moderate to low, as they involve limited collections of non-sensitive data. For the most part, data is collected and used for non-administrative purposes.
Recommendations
While present impacts on the privacy of individuals are being adequately managed by the CSPS through legal, policy and technical measures geared at the protection of personal information, a number of recommendations have been formulated.
- obtain the employee's consent prior to the collection of personal information and include a privacy notice on the digital platform
- the performance of a Statement of Sensitivity to confirm the level of protection and security designation to be afforded to the CSPS's existing components of its Data-House
- restrict the sharing of personal information to those with a need-to-know
- communicate the action plan to the individuals involved in this initiative
- ensure that the employees involved with the collection of personal information understand their responsibilities in regards to the collection, use, disclosure and retention of personal information by taking the mandatory training offered to all CSPS employees "Access to Information and Privacy Fundamentals"
- Date modified: