Privacy Impact Assessment - Pre-Employment Screening Project
Privacy Impact Assessment (PIA) for the Canadian Forces Recruiting Group (CFRG) Pre-Employment Screening Project.
Canadian Forces Recruiting Group (CFRG) is responsible for developing and maintaining performance standards for the recruiting process, training CF members who are involved in the recruiting process, and coordinating the attraction, processing and enrolment of suitable applicants in the CF.
The mission of CFRG is two-fold:
- To support the operational capability of the CF by recruiting Canadian citizens to join the Regular Force; and
- To process the requests of Canadians who wish to join the Primary Reserve or the Cadet Instructors Cadre.
In order for the DND to achieve its goals and to retain the confidence of Canada's citizens and allies, each member must meet established operational standards of reliability.
The Government Security Policy (GSP) Article 10.9 states that the Government of Canada must ensure that individuals with access to government information and assets are reliable and trustworthy. The GSP specifies that all government employees be screened regarding reliability before commencing employment with the federal government. The GSP also details the criteria under which a reliability screening will be carried out and the inter-departmental standards that will be applied. The National Defence Security Policy (NDSP) Article 35.02 states that the GSP applies to all government institutions including the CF.
Reliability Screening (RS) is a systematic method of confirming that an individual can be expected to be reliable and trustworthy in the performance of duties and in the protection of the assets and interests of the Canadian Forces. The RS process is a requirement in support of the subsequent Security Clearance process for which Director Provost Marshall Security (DPM Secur) at National Defence Headquarters (NDHQ) in Ottawa is the sponsor.
DND has the responsibility for conducting the reliability program with respect to prospective members of the CF. The GSP assigns full authority for the application of all aspects of security to the Chief of the Defence Staff for all CF members. Article 35.24 of the GSP further states that the Reliability Status is a mandatory condition for enrolment in the CF. The GSP directs that every CF applicant must complete the Reliability Screening process and be conferred with Reliability Status prior to enrolment.
Reliability Screening is a systematic method of confirming that an individual can be expected to be reliable and trustworthy in the performance of duties and in the protection of the assets and interests of the CF and its personnel. The RS process is not to be confused with the Security Clearance process.
As stated in the GSP Chap 2-4, a RS check must involve the verification of the following six (6) checks:
a. Personal data;
b. Employment History;
c. Education / Professional Qualifications;
d. Personal and Employment References;
e. CRNC / Fingerprints as required; and
f. Credit background.
More specifically, the Contractor or private Personnel Security Contracting firm shall be required to assist the ten (10) Canadian Forces Recruitment Centres (CFRCs) and their Detachments, located across Canada, by conducting RS Checks a. to d. above. DPM Secur will continue to perform RS Checks e. and f.
A decision to grant or deny a reliability status must be based upon adequate information and detailed analysis by CFRCs/Dets staff. Where such information does not exist, is not provided or cannot be obtained, a reliability check cannot be authorized. Approving authorities for conferral or denial of RS regarded as a condition of enrolment in the CF are the CF Recruiting Centre (CFRC) Commanding Officers (COs), detachment commanders and commanding officers of enrolling Units.
The Deputy Provost Marshall Security (DPM Secur) oversees the certification aspect of the DND/CF Security Screening Program, which includes both the RS and the Security Clearance. DPM Secur is responsible for conducting the Criminal Records Name background check (CRNC) and holding all files related to security screening. DPM Secur is also responsible for conducting the Credit background check.
Under the auspices of this project and the resulting contract, the Contractor will have a secure location within Canada from which to operate and service this contract and provide this service on a national basis. The location will be in conformity with the GSP regarding Physical Security, under the rules and regulations governing overall security for Information Systems, and with the Privacy Act.
The Contractor will be provided with a Personnel Screening Consent and Authorization form (TBS 330-23) for each applicant or prospect (Protected B once completed). This form and all Reports (5) Protected A and B will be transmitted electronically to the respective CFRC's RS Approving Authority via a certified and accredited DND Information System (IS) Connection or DND/IS Internet Connection to the Contractor's site, and/or as a hard copy transmitted via courier.
This PIA identifies the following privacy risks/issues along with measures for their mitigation:
- Information Security. Disclosure, Destruction, Interruption or Removal of Personal Information (Information Security); also includes Information Technology (IT) Security;
- Physical Security. Unauthorized access, destruction/damage to Contracting Facility housing IS in which Personal Information is being stored;
- Personnel Security. Disclosure, modification, interruption, disruption, removal of Personal Information by a disgruntled or unauthorized employee;
- Procedural Security. Non-compliance with Privacy Laws, Policies and Regulations which deal with Personal Information, and with Access Control and procedures for Connections between DND IS and Contractor IS when implementing the new RS process with all parties involved; and
- Information Protection (IP). Non-compliance with the governmental Information Assurance (IA) program, mainly the Certification and Accreditation (C&A) process (IS Security), causing Disclosure, Modification, Destruction, Interruption or Removal of IT assets including Information/data, Hardware, Software, Facility and communications links and backbone.
Summary Table
This table provides a summary of the privacy risks, likelihood of occurrence and mitigation measures.
Meaning of Risk Levels:
Low: There is a possibility that the risk will materialize but there are mitigating factors.
Medium: There is a strong possibility that the risk will materialize if no corrective measures are taken.
High: There is a near certainty that the risk will materialize if no corrective measures are taken.
Principle | Risk | Likelihood | Mitigation | Comments |
---|---|---|---|---|
Principle 1 - Accountability for Personal Information | (1) Information Security (2) Procedural Security (3) Personnel Security | Low | - Staff cleared to appropriate level with the required safeguards in place. - Compliance with the Privacy and Access to Information Act, GSP and NDSI. - Local ISSO nominated with IS Security Orders and program available at all sites including Contracting site. - Proper personnel related safeguards in place including screening, audit, and indoctrination/training programs at all sites. | N/A |
Principle 2 - Collection of Personal Information | (1) Information Security (2) Procedural Security (3) Personnel Security | Low | - Staff cleared to appropriate level with the required safeguards in place. - Compliance with the Privacy and Access to Information Act, GSP and NDSI. - Contracting firm shall have a well published privacy policy and a designated Privacy Officer. - Local ISSO nominated with IS Security Orders and program available at all sites including Contracting site. - Proper personnel related safeguards in place including screening, audit, indoctrination/training programs at all sites. | N/A |
Principle 3 - Consent | None | N/A | N/A | N/A |
Principle 4 - Use of Personal Information | (1) Procedural Security | Low | - Compliance with the Privacy and Access to Information Act, GSP and NDSI. Use of personal information by CFRCs/Dets staff shall be done in accordance with policies and regulations including GSP Chap 2-4, NDSP Chap 35, APM 245, QR&O Chap 6, DAOD 500-2 and CFAOs 49-10 & 49-11. | N/A |
Principle 5 - Disclosure and Disposition of Personal Information | (1) Information Security (2) Procedural Security (3) Personnel Security | Low | - Staff cleared to appropriate level with the required safeguards in place. - Compliance with the Privacy and Access to Information Act, GSP and NDSI. - Local ISSO nominated with IS Security Orders and program available at all sites including Contracting site. - Proper personnel related safeguards in place including screening, audit, indoctrination/training programs at all sites. | |
Principle 6 - Accuracy of Personal Information | (1) Procedural Security | Low | - Compliance with the Privacy and Access to Information Act, GSP Chap 2-4, NDSP Chap 35, APM 241 & 245, QR&O Chap 6, DAOD 500-2 and CFAOs 49-10 & 49-11. - Contracting firm shall have a well published privacy policy and a designated Privacy Officer. | |
Principle 7 - Safeguarding Personal Information | (1) Information Security (2) Physical Security (3) Procedural Security (4) Personnel Security (5) Information Protection (IP) | Low | - Staff cleared to appropriate level with the required safeguards in place. - Proper physical security safeguards in place such as camera monitoring devices, swipe and PIN access control, police patrols, ERP and DRP. - Compliance with the Privacy and Access to Information Act, GSP and NDSI. - Contracting firm shall have a well published privacy policy and a designated Privacy Officer. - Local ISSO nominated with IS Security Orders and program available at all sites including Contracting site. - Proper personnel related safeguards in place including screening, audit, indoctrination/training programs at all sites. - Information Assurance (IA) process strictly adhered to through the C&A of the DND IS Connection to the Contracting site and obtention of proof of C&A at the Contracting site prior to "Go Live". - Contractor available at all times for DND accreditor for DND security inspection and verification. - IS Connectivity rules to be contained in an MOU and required SOPs. | |
Principle 8 - Openness | (1) Procedural Security | Low | - Contracting firm shall have a well-published privacy policy and a designated Privacy Officer. - CFRG HQ will nominate a Privacy Officer in support to the RS Project. - Communication Plan to be drafted by CFRG HQ PAO. | N/A |
Principle 9 - Individual's Access to Personal Information | None | N/A | N/A | N/A |
Principle 10 - Challenging Compliance | None | N/A | N/A | N/A |
Residual Risk. In summary, the overall Residual Risk (Rr) has been assessed as Low with the implementation of mitigating measures that have been identified.