Privacy Impact Assessment Summary for the Public Service Performance Management Application (PSPM App)
Table of Contents
- Overview and Privacy Impact Assessment (PIA) Initiation
- Summary of the project / initiative / change
- Description of the Class of Record and Personal Information Bank
- Legal Authority for Program or Activity
- Privacy Impact Assessment Findings: Summary of Risk and Mitigations
- 1. Notice and consent is not sufficient:
- 2. Necessity to collect personal information must be clear:
- 3. A retention and disposal schedule for the data has not been established:
- 4. Accounting for new uses in Info Source and the Personal Information Bank (PIB):
- 5. Insufficient safeguards for the protection of privacy:
- 6. Notice of contact:
Overview and Privacy Impact Assessment (PIA) Initiation
- Treasury Board of Canada Secretariat
Government official responsible for the PIA
- Debra Tattrie, Senior Director, Governance, Planning and Policy (GPP), OCHRO
Head of the government institution or delegate of section 10 of the Privacy Act
- Zivana PavicFootnote 1, Senior Director, Ministerial Services, Strategic Communications and Ministerial Affairs
- Danielle Golden, Director, Access to Information and Privacy (ATIP) Office
Name of program or activity of the government institution
- Office of the Chief Human Resources Officer (OCHRO)
- Performance Management Program
- Public Service Performance Management Application (PSPM App)
Summary of the project / initiative / change
OCHRO is the organization responsible for implementing the Directive on Performance Management in the core public administration of the Government of Canada. The project charter for the performance management project outlines the roles and responsibilities of OCHRO in implementing the directive:
Governance, Planning and Policy (GPP) sector, Office of the Chief Human Resources Officer (OCRHO), Treasury Board of Canada Secretariat (TBS) works across all human resources (HR) disciplines to strengthen people management in departments and agencies, while undertaking transformation initiatives to improve the functionality and efficiency of HR management and systems infrastructure. In the People Management Program Architecture, these two areas of activities are referred to as Direction Setting and Enabling Infrastructure.
The project charter also says the following:
Deputy heads are primarily responsible for people management in their organizations. GPP's role is to support deputy heads in fulfilling their people management responsibilities.
GPP has launched the Performance Management (PM) project to strengthen and standardize performance management across the Core Public Administration (CPA) for all employees below the level of Executives. For the EX group, a separate, but related performance management process exists that is standardized across the CPA and has been in operation since .Footnote 2
A PIA was required in order to identify and assess any risks to privacy once users—both employees and managers/supervisors—begin to complete the new standardized performance agreement. They are obliged to provide personal information to the Treasury Board of Canada Secretariat (TBS) as a part of the evaluation and assessment of employee performance. The PIA is a means to identify the sensitivity of personal information and the effectiveness and efficiency of appropriate controls to protect against the possible risk of unauthorized or inadvertent disclosure, the possible corruption or modification of data, and the lack of availability of the data. The PIA also addresses compliance of the program or service of a federal department with existing legislation such as the Privacy Act and related regulations such as the Privacy Regulations, and the policies, standards, directives and guidelines of the Treasury Board and of TBS. The PIA must also follow the Policy on Privacy Protection, the Directive on Privacy Impact Assessment, the Directive on Privacy Practices, and other relevant documents in the policy framework.
The Directive on Performance Management came into force on . In order to support all 88 departments and agencies across the core public administration in adhering to the directive, TBS developed an enterprise-wide solution. The PSPM App was designed to allow all employees and their managers to use a web form to complete their performance agreements and to capture discussions and ratings related to performance. The PSPM App requires public service employees to register in the TBS Applications Portal (TAP). First-time TAP users must complete mandatory field information such as their given name, surname, Personal Record Identifier (PRI), or Human Resources Management Information System (HRMIS) number for members of the RCMP, and provide their government email address. The email address is necessary so that the PSPM App can generate and send an email notification to employees indicating that their manager/supervisor has selected them as their employee and that they are required to confirm this selection. Login authentication of all users requires the use of myKEY from Internal Credential Management, Shared Services Canada.
The PSPM App is considered an interim step prior to the migration to PeopleSoft version 9.1 for human resources management across the Government of Canada. Managers may also be users of the PSPM App if they are subject to performance agreements themselves. Senior managers in the EX group are not subject to the Directive on Performance Management.Footnote 3
Description of the Class of Record and Personal Information Bank
Class of Record
- Performance Management Reviews (PRN 946)
Includes records related to the evaluation of the performance of employees based upon regularly established objectives. May include information related to training requirements, employee/employer objectives and expectations, competencies, employee misconduct, performance compensation, annual increments, probation, and discipline.
- Performance Assessments
- Performance Agreements
- Learning and Development Plans
- Talent Management Plans
- Investigation Reports
- Action Plan Reports
Related Personal Information Banks
- Employee Performance Management Program, PSE 912
This bank describes information that is used in support of performance management of employees of the government institution. The personal information may include name, biographical information, educational information, employee personnel information, medical information, employee identification number, other identification numbers, signature, and views and opinions of and about an individual.
- Performance Management Program for Employees, TBS PCE 754
This bank describes information that is used in support of the performance management of employees of the core public administration. The personal information may include name, biographical information, educational information, employee personnel information, medical information, employee identification number, other identification numbers, signature, and views and opinions of and about an individual.
Legal Authority for Program or Activity
The PSPM App supports the consistent collection, secure storage and controlled access to and reporting on performance management data. It is managed and maintained by OCHRO, TBS.
The information provided in an individual's performance agreement is collected under the authority of subsection 11.1 of the Financial Administration Act for the purpose of supporting performance management of employees in the core public administration.
Use of this performance agreement fulfills the responsibility of departments' deputy heads to establish an employee performance management program, including annual written performance assessments for all employees as set out in the Directive on Performance Management, issued pursuant to section 7 and subsection 11.1 of the Financial Administration Act. All employees are required to be assessed in accordance with their terms and conditions of employment.
The information provided may be used or disclosed for the purposes of policy analysis, research, audit, evaluation, statistics, staffing and recruitment, talent management, and succession planning. Specifically, it may be used by federal departments and agencies (listed in Schedules I and IV of the Financial Administration Act) for staffing and recruitment purposes, talent management and succession planning, and by TBS for policy analysis, research and evaluation purposes.
Privacy Impact Assessment Findings: Summary of Risk and Mitigations
1. Notice and consent is not sufficient:
There is an insufficient level of detail in the proposed Privacy Notice on the TAP and PSPM App, which includes a statement that the collection of performance agreements is a new function for OCHRO and that sensitive personal information may be shared or is accessible by third-party service providers. It is also not made clear that the performance agreement is a mandatory requirement for all full-time employees and managers/supervisors in the core public administration, and that consent is waived subject to the Directive on Performance Management.Footnote 4
OCHRO developed a Privacy Notice for the PSPM App in consultation with TBS's Legal Services and ATIP Office to describe the appropriate authority and purpose for the collection, use, disclosure, sharing, storage and disposal of personal information for this program and service.
2. Necessity to collect personal information must be clear:
OCHRO may be collecting more personal information than is required for the administration of this program. There is a plan to extract data from the PSPM App for use in reporting and statistical analysis that may contain personal information that is not anonymized and that may contain data from a performance agreement of an employee.
The standardized performance agreement automated within the PSPM App collects and will continue to collect minimal personal information that is necessary to manage the performance of employees across the core public administration. It also allows for the production of information that supports planning and program delivery that is necessary to ensure that employees and managers are receiving the support required to maintain and improve performance as envisioned in the Directive on Performance Management.
3. A retention and disposal schedule for the data has not been established:
There is currently no Record Disposition Authority that meets the business requirements of maintaining performance agreements beyond the existing five-year period of retention. Performance agreements must be retained for a longer duration.
OCHRO would like to establish a new retention and disposition schedule for performance management data captured by the PSPM App. Options for the timing of this schedule will be determined once the operational needs and business requirements concerning data retention have been identified and explored. In consultation with Library and Archives Canada, employee performance management artifacts are not considered to be of enduring value and have never been part of the employee file sent to the Manitoba Regional Service Centre once an employee leaves the federal public service.
OCHRO will be working with the TBS Information Management and Technology Directorate as well as departments and agencies to establish the Records Disposition Authority for this new program in light of the requirement to maintain the performance agreements of employees for longer than the current limit of five years.
4. Accounting for new uses in Info Source and the Personal Information Bank (PIB):
The PIB in Info Source is inaccurate and does not account for the proposed use or sharing of personal information by OCHRO and the departments and agencies of the Government of Canada.
A central TBS PIB in Info Source was created to account for the uses of personal information by OCHRO and the departments and agencies of the Government of Canada.
5. Insufficient safeguards for the protection of privacy:
- There is a lack of detailed documentation on business requirements from the business unit in OCHRO to the IT service providers in TBS's Information Management and Technology Directorate, especially with regard to the requirements for data extraction for reporting.
- At the time of this privacy impact assessment, limited information was available regarding robust logging, auditing, monitoring and review of system activity.
The environment is fully accredited and authorized to operate up to the Protected B level by the Chief Information Officer, TBS. This authorization was based on the results of a detailed threat risk assessment and vulnerability assessment performed by third parties engaged through TBS's IT Security Assessment and Authorization Team.
Segregation of duties and the need-to-know principle have been implemented, which limits access to specific functions and information based on role. This segregation was applied to users, managers, departments, OCHRO and TBS alike. Controls and safeguards currently in place address access, ability to read and edit, account management, logging, and auditing.
6. Notice of contact:
The contact listed for questions on the collection of personal information should refer the user to TBS's ATIP Office, with an email contact, telephone number and postal address. Coordinates for the departmental ATIP Office should not be used as contact information.
TBS and OCHRO are responsible for the centralized collection of sensitive personal information and can act directly to make corrections to the accuracy and completeness of personal information.
- Date modified: