CSPS Privacy Impact Assessment (PIA) Summary: Public Service Learning, Training and Development Activities
Description of the project
The Canada School of Public Service (CSPS) delivers learning, training, and development activities to public sector employees. These include online courses, virtual and in-person classes, webinars, learning programs, and supporting tools such as videos and job aids. To provide these services, the CSPS uses a range of digital platforms to manage course registration, deliver training, evaluate learning, and support users. These systems collect and use personal information from learners, instructors, and other participants to administer training, track progress, and improve its programs.
Why a privacy impact assessment was completed
This PIA was conducted to assess how personal information is collected, used, disclosed, and protected across CSPS learning and training activities. It also reflects a shift from previously separate, system-specific assessments to a single, comprehensive PIA covering all learning and development activities under CSPS's mandate. This broader approach ensures consistency, strengthens compliance with legislative and regulatory privacy requirements, and better reflects how personal information is managed across interconnected systems.
Additional information
No medium or high privacy risks were identified. All identified risks are low and are being addressed through ongoing monitoring, user guidance, and planned updates to security authorizations and risk assessments (target completion: Q2 2026, where applicable). The following table lists risks identified, the date that any corresponding mitigation measures were implemented, and other information:
| Risk description |
Affected privacy principle(s) |
Risk level |
Mitigation measures |
| Training Orchestra does not publish annual audits and compliance checks. |
Accountability |
Low |
Mitigation: Periodic monitoring of the Training Orchestra support portal for breach notifications.
Lead: ATIP
Target completion: Ongoing
|
| There remains a risk that users may over-share personal information not specifically required because of the use of open text fields in some instances. |
Limiting collection |
Low |
Mitigation: Individuals are advised not to share unnecessary personal information, particularly while using open-text fields.
Lead: USXB
Target completion: Ongoing
|
| ATOs for Training Orchestra and Qualtrics have expired. |
Safeguards |
Low |
Mitigation: ATOs for system components of the Public Service Learning, Training and Development activities will be completed by CSPS (see Information Technology Solutions Table).
Lead: IT Security
Target completion: Q2 2026
|
| TRAs for Training Orchestra and Qualtrics have expired. |
Safeguards |
Low |
Mitigation: TRAs for system components of the Public Service Learning, Training and Development activities will be completed by CSPS (see Information Technology Solutions Table).
Lead: IT Security
Target completion: Q2 2026
|
| One vendor, Training Orchestra, does not publish annual systems safeguard audit results. |
Safeguards |
Low |
Mitigation: Although Training Orchestra does not demonstrate the same transparency as other platform vendors, it is a European company based in France and is therefore subject to the stringent safeguard requirements of the General Data Protection Regulation (GDPR).
|
Related personal information banks
Public Service Learning, Training and Development
- Bank number: CSPS PPU 015
- TBS Registration Number: Pending TBS approval
Legal authority for program
Canada School of Public Service Act, sections 4 and 5.
|
Government Official responsible for the PIA
Jodi Brouillard
Vice-President
User Experience and Service Branch
|
Delegate for section 10 of the Privacy Act
Ginny Sutcliffe
Director General
Communications and Engagement
|
- Date modified: