Language selection


CSPS Privacy Impact Assessment (PIA) Summary: InStage

Description of the project

The purpose of this project was to examine the privacy impacts associated with the Canada School of Public Service's core registration and learning activities.

Why the PIA was necessary

InStage and CSPS collects and uses personal information in the development and delivery of the virtual reality training simulation. The key processes and procedures surrounding registration, learning activities and questionnaires had, however, never been the subject of a formal review.

PIA objectives

The PIA is intended to help ensure that the InStage and CSPS remains compliant with the Privacy Act, and to help identify and mitigate any reputational risks associated with the School's core activities. It is also intended to help raise awareness at the School of potential downstream risks emanating from the use of registration and learning activities information.

This project involved taking stock of a InStage, and the School's personal information inventory and understanding better how that information is currently being processed.

PIA findings and risk summary

Privacy risks arising from the InStage's core registration and learning activities are considered to be moderate to low, as they involve limited collections of non-sensitive data. For the most part, data are collected and used for non-administrative purposes. New and novel uses of personal information emanating from the work of the Innovation and Policy Services Branch under the School's new Data Strategy could however increase potential privacy impacts on individuals. These new activities could also increase the privacy risk profile of CSPS.


While present impacts on the privacy of individuals are being adequately managed by InStage and the School through legal, policy and technical measures geared at the protection of personal information, a number of recommendations have been formulated. They include in the short term:

  1. the development of a departmental privacy framework
  2. the development of a standard privacy notice for the collection of personal information
  3. the wholesale review and revision of InStage and the School's Info Source's personal information banks (PIBs)
  4. the development and implementation of a formal data retention policy for learner and faculty data
  5. the performance of a Statement of Sensitivity to confirm the level of protection and security designation to be afforded to the School's existing inventory of personal information

Medium term recommendations have also been formulated:

  1. the performance of Algorithmic Impact Assessments in all instances where InStage and the School intends to use machine learning or artificial intelligence in the processing of personal information
  2. the development of standard information sharing agreements or information sharing protocols in support of data-sharing arrangements with client departments
  3. the development of a PIA plan or strategy to ensure that the performance of PIAs at the School is in keeping with the privacy risks related to the School's future programming

Date modified: