Privacy Impact Assessment (PIA) Summary: Prescribed Presence in the Workplace Monitoring Program

Lead Government Institution

Immigration, Refugees and Citizenship Canada (IRCC)

Name of the Program/Activity

Prescribed Presence in the Workplace Monitoring Program

Description of the program or activity

To perform mandatory reporting on departmental compliance with the Treasury Board Secretariat’s Direction on prescribed presence in the workplace and support managers in pursuing the equitable application of this Direction, IRCC collects and uses the personal information of its employees from various internal data sources such as PeopleSoft (telework agreements, employee ID, employee’s name, employee’s work status, approved vacation, sick leave, information related to Duty to Accommodate and other employee personnel information), network login data (employee’s work email address, work IP login data, etc.) and employee ID badge swipe data, to monitor and identify instances of low on-site connectivity.

Why a privacy impact assessment was completed

In response to the Treasury Board Secretariat’s (TBS) Direction on prescribed presence in the workplace, IRCC’s employees and executives are required to work in-office for 60% and 80% of their schedules, respectively. Under this Direction, IRCC is expected to ensure, and report on, compliance with the on-site requirement at a departmental level. Achieving departmental compliance requires that all non-exempt employees follow the Direction and contribute to the departmental objective. To support managers, who are often not co-located with their employees, in ensuring the equitable application of the Direction with regard to employee compliance, the Prescribed Presence in the Workplace Monitoring Program was developed. While the Program does not collect any new information from employees, it does leverage data already collected for other purposes (such as onboarding of new employees, PeopleSoft profile creation, IRCC network account creation, issuance of building access ID badges, personnel file administration, etc.), and uses that to determine whether employees are connecting to the network from IRCC office locations. This is deemed to be a new use of the already collected information, and so a privacy impact assessment and registration of an institution-specific PIB (PPU 084) were deemed necessary to ensure the program’s activities are in line with the new uses identified in the relevant Personal Information Banks, and adhere to the department’s obligations to safeguard employee’s personal information.

Summary of Risks and Mitigation Strategies

The PIA identified 2 risks and offered mitigation strategies accordingly.

Risk 1

There is an identified risk of privacy requirements (e.g. maintaining and updating access controls and other safeguards) not being maintained and updated when needed, because the program currently has no documented plans to conduct regularly scheduled audits and compliance checks for privacy requirements.

Mitigation: Program audit and compliance check procedures and schedule will be documented and implemented prior to the program implementation on October 1, 2025.

Risk 2

There is an identified risk of employees not being fully informed about all aspects regarding the collection, use and disclosure of their personal information for the purpose of monitoring compliance with the TBS Direction due to the inconsistent presentation of the privacy notice across the department.

Mitigation: The privacy notification will be consistent in its presentation across the department, and multiple channels will be used (message on departmental intranet, message in departmental bulletin email, email message to management, inclusion in the network account request process for new employees) to ensure department-wide reach prior to, and following, program implementation on October 1, 2025.

Personal Information Banks

• Attendance and Leave, Bank Number PSE 903
• Electronic Network Monitoring Logs, Bank Number PSU 905
• Employee Personnel Record, Bank Number PSE 901
• Physical Access Controls, Bank Number PSU 907
• Prescribed Presence in the Workplace Monitoring Program, Bank Number PPU 084

For more information about this privacy impact assessment

Contact the Future of Work general mailbox: IRCC.FutureofWork-AvenirduTravail.IRCC@cic.gc.ca.