CSPS Core Privacy Impact Assessment (PIA) Summary
Description of the project
The purpose of this project was to examine the privacy impacts associated with the Canada School of Public Service's core registration and evaluation activities.
Why the PIA was necessary
The School collects, uses and discloses personal information in the development and delivery of courses, events and other learning resources. The key processes and procedures surrounding registration and evaluation activities had, however, never been the subject of a formal review. In the context of both the School's new Data Strategy, and its future innovation plans, it appeared timely to undertake a Privacy Impact Assessment (PIA).
The PIA is intended to help ensure that the CSPS remains compliant with the Privacy Act, and to help identify and mitigate any reputational risks associated with the School's core activities. It is also intended to help raise awareness at the School of potential downstream risks emanating from the use of registration and evaluation information.
This project involved taking stock of the School's personal information inventory and understanding better how that information is currently being processed.
PIA findings and risk summary
Privacy risks arising from the School's core registration and evaluation activities are considered to be moderate to low, as they involve limited collections of non-sensitive data. For the most part, data are collected and used for non‑administrative purposes (i.e., to improve School products and services, not to make decisions about individual learners). New and novel uses of personal information emanating from the work of the Innovation and Policy Services Branch under the School's new Data Strategy could, however, increase potential privacy impacts on individuals. These new activities could also increase the privacy risk profile of CSPS.
While present impacts on the privacy of individuals are being adequately managed by the School through legal, policy and technical measures geared at the protection of personal information, a number of recommendations have been formulated.
They include in the short term:
- the development of a departmental privacy framework
- the development of a standard privacy notice for the collection of personal information
- the wholesale review and revision of the School's Info Source personal information banks (PIBs)
- the development and implementation of a formal data retention policy for learner and faculty data
- the performance of a Statement of Sensitivity to confirm the level of protection and security designation to be afforded to the School's existing inventory of personal information
Medium-term recommendations have also been formulated:
- the performance of Algorithmic Impact Assessments in all instances where the School intends to use machine learning or artificial intelligence in the processing of personal information
- the development of standard information sharing agreements or information sharing protocols in support of data-sharing arrangements with client departments
- the development of a PIA plan or strategy to ensure that the performance of PIAs at the School is in keeping with the privacy risks related to the School's future programming