CSPS Privacy Impact Assessment (PIA) Summary: AMANDA Enterprise Case Management Solution
Description of the project
The AMANDA Enterprise Case Management Solution is a cloud-based application implemented by the Canada School of Public Service (CSPS) to support the administration of the Access to Information Act and the Privacy Act. The solution replaces the legacy Access Pro Case Management (APCM) system and provides an integrated platform for managing access to information requests, privacy requests, consultations, complaints, privacy breaches, and informal requests.
The system serves as a case management and workflow tool that supports the receipt, tracking, processing, review, and closure of ATIP files throughout their lifecycle. The solution also includes integrated redaction functionality to support the review and severing of records in accordance with legislative requirements. In addition, the system facilitates the collection and reporting of statistical information required to meet annual reporting obligations to Parliament and the Treasury Board of Canada Secretariat.
The implementation of the AMANDA Enterprise Case Management Solution modernizes and streamlines ATIP operations at CSPS, improving the efficiency, consistency, and accountability of request processing while supporting compliance with federal access to information and privacy legislation.
Why a privacy impact assessment was completed
This PIA was conducted to assess the privacy implications associated with the implementation and use of the AMANDA Enterprise Case Management Solution. As the solution collects, uses, stores, and processes personal information in support of the administration of the Access to Information Act and the Privacy Act, the PIA was undertaken to ensure compliance with applicable legislative, policy, and privacy requirements.
The assessment examined the collection, use, disclosure, retention, and safeguarding of personal information within the solution, including the security of the cloud-based environment, user access controls, records management practices, and the protection of personal information throughout its lifecycle. The PIA assessed the adequacy of privacy and security controls to ensure that personal information is appropriately protected and that privacy risks are effectively managed.
Additional information
Potential privacy risks relating to access controls, information security, cloud-based processing, and records management were assessed and mitigated through the implementation of appropriate technical and administrative safeguards. Following implementation of these measures, no residual privacy risks requiring further mitigation were identified. All mitigation measures were in place prior to system implementation.
Related personal information banks
Access to Information and Privacy Act requests PSU 901
Security Incidents and Privacy Breaches PSU 939
Legal Authority
|
Government Official responsible for the PIA and Delegate for section 10 of the Privacy Act Ginny Sutcliffe Director General Communications and Engagement
|
|
- Date modified: