Privacy Impact Assessment Summary: Online Testing Recruitment Service - VidCruiter

Legal Authority:

Description of the program/activity

A staffing process typically involves four stages: planning, screening for prerequisites, assessment, and appointment. The assessment stage of a staffing process allows managers to evaluate candidates against the staffing requirements. Immigration, Refugee, Citizenship Canada (IRCC) is seeking a provider of online recruitment services, including all related training and technical support services, to streamline IRCC staffing processes. The contractor will provide access to its online recruiting services, including an applicant tracking system, asynchronous video interviewing, online testing services, and reference checks.

The PIA identifies and assesses privacy risks to personal information for the assessment stage of the staffing process. The PIA covers the information collected, stored, maintained, and managed in the applicant tracking system, the asynchronous video interviewing solution, the online skill testing solution, and the reference checking solution. All staffing activities that generally occur post-assessment in the staffing process are out of scope.

Personal Information Banks

The following Personal Information Banks apply to this initiative and do not require modification:

Summary of Risk Identification and Categorization

Below is the risk identification and categorization table corresponding to this initiative.

a) Type of program or activity (risk scale)
Program or activity that does NOT involve a decision about an identifiable individual ☐ 1
Administration of program or activity and services ☐ 2
Compliance or regulatory investigations and enforcement ☐ 3
Program or activity DOES involve a decision about an identifiable individual ☒ 4
Criminal investigation and enforcement or national security ☐ 5

b) Type of personal information involved and context (risk scale)
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the individual's consent for disclosure under an authorized program. ☐ 1
Personal information, with no contextual sensitivities after the time of collection, is provided by the individual with consent to use personal information held by another source. ☐ 2
Personal information of minors, legally incompetent individuals or involving a representative acting on behalf of the individual. ☐ 3
Social Insurance Number, medical, financial, or other sensitive personal information or the context surrounding the personal information is sensitive. ☒ 4
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, or the context surrounding the personal information, is particularly sensitive. ☐ 5

c) Program or activity partners and private sector involvement (risk scale)
Within the institution (among one or more programs within the same institution) ☐ 1
With other government institutions ☐ 2
With other institutions or a combination of federal, provincial, territorial, and municipal governments ☐ 3
Private sector organizations ☒ 4
International organizations or foreign governments ☐ 5

d) Duration of the program or activity (risk scale)
One-time program or activity ☐ 1
Short-term program or activity ☐ 2
Long-term program or activity ☒ 5

e) Program population (risk scale)
The program's use of personal information for internal administrative purposes affects certain employees. ☐ 1
The program's use of personal information for internal administrative purposes affects all employees. ☐ 2
The program's use of personal information for external administrative purposes affects specific individuals. ☒ 4
The program's use of personal information for external administrative purposes affects all individuals. ☐ 5

f) Technology and privacy (risk scale). A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.
Does the new or substantially modified program or activity involve implementing a new electronic system or using an emerging technology to support the program or activity in terms of creating, collecting, or handling personal information? ☐ Yes ☒ No
Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? ☐ Yes ☒ No

Specific technological issues and privacy

Does the new or substantially modified program or activity involve the implementation of new technologies or one or more of the following activities: enhanced identification and matching methods, enhanced data collection methods, use or disclosure of personal information, surveillance, interjurisdictional or trans-border sharing of personal information, or use of Artificial Intelligence technology for automated personal information analysis, personal information matching, and knowledge discovery techniques? A Yes to any of the above indicates the potential for privacy concerns and risks, which will require consideration and possible mitigation.

☐ Yes ☒ No

g) Personal information transmission (risk scale)
The personal information is used within a closed system (i.e., no connections to the Internet, Intranet, or any other system, and the circulation of hardcopy documents is controlled). ☐ 1
The personal information is used in a system with connections to at least one other system. ☐ 2
The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium, or printed. ☐ 3
The personal information is transmitted using wireless technologies. ☐ 4
The personal information is transmitted through a Cloud service. ☒ 5

Risk and Mitigation Strategies

The PIA has identified four key risks associated with the implementation of VidCruiter.

An initial risk identified was the potential for IRCC employees to collect, use, and disclose personal information for personal purposes beyond what is necessary and proportionate to the legal authority. To address this risk, procedures have been developed that clearly articulate the appropriate collection, use, and disclosure of personal information. As part of those procedures, IRCC employees are made aware that they must not use or disclose personal information without first seeking written authorization. Further, IRCC employees have signed the code of conduct, and inappropriate access is subject to disciplinary measures up to and including termination. A protocol for auditing and limiting access to information has been established.

The second risk is that the candidate's personal information could be compromised when transferred from the service provider to IRCC. To mitigate this risk, the transmission is encrypted and sent over a secure line. The protocol requires data storage on the Amazon Web Services (AWS) Network cloud, with servers located in Canada. AWS is approved by the federal government and considered the world's most secure cloud data hosting solution.

The third risk was related to the potential of a privacy breach of assessment questionnaires, applicant responses, and board member ratings. This risk was identified as low. It was decided that new assessment tools could be built in the event of a breach.

Lastly, there was the risk of accidentally collecting personal information (background in videos). As a risk mitigation measure, candidates were made aware that their background is being recorded.

By implementing these mitigation strategies, the risks associated with testing online recruitment services for staffing processes can be minimized, ensuring the protection of personal information and compliance with privacy regulations.
