Language selection

Search CSPS

CSPS Privacy Impact Assessment (PIA) Summary: Public Service Learning, Training and Development Activities

Description of the project

The Canada School of Public Service (CSPS) delivers learning, training, and development activities to public sector employees. These include online courses, virtual and in-person classes, webinars, learning programs, and supporting tools such as videos and job aids. To provide these services, the CSPS uses a range of digital platforms to manage course registration, deliver training, evaluate learning, and support users. These systems collect and use personal information from learners, instructors, and other participants to administer training, track progress, and improve its programs.

Why a privacy impact assessment was completed

This PIA was conducted to assess how personal information is collected, used, disclosed, and protected across CSPS learning and training activities. It also reflects a shift from previously separate, system-specific assessments to a single, comprehensive PIA covering all learning and development activities under CSPS's mandate. This broader approach ensures consistency, strengthens compliance with legislative and regulatory privacy requirements, and better reflects how personal information is managed across interconnected systems.

Additional information

No medium or high privacy risks were identified. All identified risks are low and are being addressed through ongoing monitoring, user guidance, and planned updates to security authorizations and risk assessments (target completion: Q2 2026, where applicable). The following table lists risks identified, the date that any corresponding mitigation measures were implemented, and other information:

Risk description Affected privacy principle(s) Risk level Mitigation measures
Training Orchestra does not publish annual audits and compliance checks. Accountability Low

Mitigation: Periodic monitoring of the Training Orchestra support portal for breach notifications.

Lead: ATIP

Target completion: Ongoing

There remains a risk that users may over-share personal information not specifically required because of the use of open text fields in some instances. Limiting collection Low

Mitigation: Individuals are advised not to share unnecessary personal information, particularly while using open-text fields.

Lead: USXB

Target completion: Ongoing

ATOs for Training Orchestra and Qualtrics have expired. Safeguards Low

Mitigation: ATOs for system components of the Public Service Learning, Training and Development activities will be completed by CSPS (see Information Technology Solutions Table).

Lead: IT Security

Target completion: Q2 2026

TRAs for Training Orchestra and Qualtrics have expired. Safeguards Low

Mitigation: TRAs for system components of the Public Service Learning, Training and Development activities will be completed by CSPS (see Information Technology Solutions Table).

Lead: IT Security

Target completion: Q2 2026

One vendor, Training Orchestra, does not publish annual systems safeguard audit results. Safeguards Low

Mitigation: Although Training Orchestra does not demonstrate the same transparency as other platform vendors, it is a European company based in France and is therefore subject to the stringent safeguard requirements of the General Data Protection Regulation (GDPR).

Related personal information banks

Public Service Learning, Training and Development

Legal authority for program

Canada School of Public Service Act, sections 4 and 5.

Government Official responsible for the PIA

Jodi Brouillard
Vice-President
User Experience and Service Branch

Delegate for section 10 of the Privacy Act

Ginny Sutcliffe
Director General
Communications and Engagement

For more information about this privacy impact assessment please contact atipaiprp@csps-efpc.gc.ca.


Date modified: