Language selection


CSPS Privacy Impact Assessment (PIA) Summary: Learning Management System (Brightspace)

Description of the project

The purpose of this project was to examine the privacy impacts associated with the Canada School of Public Service's (CSPS) new learning management system (LMS).

Why the PIA was necessary

The School collects, uses and discloses personal information in the development and delivery of courses, events and other learning resources. The learning management system (LMS) is populated with data migrated from the existing legacy systems. This includes the personal information of everyone who has registered for a course with the School, either directly or indirectly. The LMS assigns a unique student number to each learner, in order to improve data integrity and enhance the School's reporting capability.

PIA objectives

The PIA is intended to help ensure that the CSPS remains compliant with the Privacy Act, and to help identify and mitigate any reputational risks associated with the School's new LMS (Brightspace). It is also intended to help raise awareness at the School of potential downstream risks emanating from the use of registration and learning activities information.

This project involved taking stock of the School's personal information inventory and understanding better how that information is currently being processed.

PIA findings and risk summary

Privacy risks arising from the School's new learning management system(Brightspace)are considered to be moderate to low, as they involve limited collections of non-sensitive data. For the most part, data are collected and used for non-administrative purposes.


While present impacts on the privacy of individuals are being adequately managed by the School through legal, policy and technical measures geared at the protection of personal information, a number of recommendations have been formulated.

They include in the short term:

  1. the development of a standard privacy notice and the acknowledgement of responsibilities statement for the collection of personal information by the LMS
  2. the wholesale review and revision of the School's LMS personal information banks (PIBs)
  3. the development and update of privacy documents when additional components are implemented in order to augment our system (i.e. resource management functionality)
  4. the performance of a Statement of Sensitivity to confirm the level of protection and security designation to be afforded to the School's existing components of its LMS

Medium term recommendations have also been formulated:

  1. Implement GC wide sponsored upstream systems in order to develop highly secure and highly private solutions
  2. Share our PIA with partners that will implement our LMS solutions and improve on our documentation as a collaborative

Date modified: