Privacy Impact Assessment for Government of Canada Relocation Support Services

Introduction

The Privacy Impact Assessment (PIA) for Government of Canada Relocation Support Services (GCRSS) outlines the measures that the Government of Canada has in place to maintain the privacy of employees' personal information when they use GCRSS. The PIA also assesses the privacy implications of using an external service provider to manage GCRSS on behalf of the Government of Canada.

Background

GCRSS is a program that helps Government of Canada employees with their move to new work locations when such a move is necessary for the government's operational requirements.

In early 2016, a new procurement process was initiated for an external service provider to manage all activities related to relocating federal government employees. The contract was awarded in . Under the contract, the provider is responsible for the following:

All GCRSS relocation activities are managed through the Information Management Expenditure Tracking System (IMETS), which is a secure electronic system.

PIA requirements

Under the Treasury Board's Directive on Privacy Impact Assessment, institutions must undertake PIAs for programs and activities in the following circumstances:

Why this PIA was undertaken

With the award of a new contract for administrating GCRSS, a PIA was recommended to be conducted to determine privacy risks and risk mitigation strategies for the contractor's collection, use and disclosure of personal information. Although substantial modifications have not been made to GCRSS, the recommendation to conduct a PIA was made because a thorough privacy assessment of the program had never been undertaken.

The PIA involves analyzing privacy compliance based on the collection, use and disclosure of personal information, as well as the processing of personal information between departments and the contractor. A review of the Request for Proposal (RFP), the Statement of Requirements (SOR) and the contractual provisions for the procurement process were included in the review of the PIA in order to identify risks and propose mitigation strategies.

An implementation period of six months started on the date of contract award and will be completed on the anticipated service effective date (SED). During this period, the contractor must ensure that the specific requirements of the RFP, SOR and contractual provisions are met. These requirements include but are not limited to the following:

Any risks identified through the PIA process should be mitigated, or be in the process of mitigation, prior to the SED.

Objectives of the PIA

The PIA's overall objective is to assess, reduce and mitigate potential risks associated with collecting and using personal information in the administration of GCRSS. A thorough analysis of all personal information elements was completed to ensure that only individuals who can access and use GCRSS data have a need to know such data.

PIA findings and summary of action plan

The PIA provides an informed assessment of the privacy risks associated with the collection, use and disclosure of personal information in relation to GCRSS. It also provides recommendations to mitigate identified privacy risks to an acceptable level. The recommendations are as follows:

Once privacy risks have been fully mitigated, GCRSS will likely present minimal risk to the privacy of individuals who use the service.

Date modified: