Privacy Impact Assessment Summary: IRCC Notification System (ERMS Advantage)
About the Program
Guided by Treasury Board Secretariat’s (TBS) Policy on Government Security, Immigration, Refugees, and Citizenship Canada (IRCC)’s Corporate Security Directorate is responsible for protecting, and therefore for ensuring the safety and security, of information, assets, and individuals (i.e., IRCC employees). Defined by TBS as ‘security management’, this responsibility also covers security event and emergency management. which necessitates that IRCC Corporate Security continuously assess the risks as well as the implementation, monitoring and maintenance of appropriate internal management controls in 4 (four) distinct areas of emergency management: prevention (mitigation), detection, response and recovery.
Consequently to meet the requirements outlined above, IRCC is introducing a fully hosted, web-based emergency mass notification system (MNS) called ERMS Advantage (labelled the IRCC Notification System by the department). Owned and operated by a Canadian vendor, RMS Software Incorporated (Inc.), the mass notification system is a two-way system enabling immediate alerts to be sent to employees through a variety of different modes of communication all at once. In short, the ability to communicate effectively is fundamental to saving lives and protect critical infrastructure. The IRCC Notification System allows the department to rapidly communicate with IRCC employees during various security-related events (e.g., security incidents, emergencies, crises) through pre-defined distribution lists to registered employees by various methods (e.g. email, text message, telephone, teletypewriter), and therefore can be received and read by employees while in and away from the office. It is this software and program that is the focus and subject of the Privacy Impact Assessment (PIA).
Scope of the PIA
More specifically, the PIA covers all the modules associated with the IRCC Notification System/ERMS Advantage software solution (e.g., Messenger, HotLine, Roll Call, Crisis Manager, and Mapper) as well as the two mobile applications (ERMS Messenger App and ERMS Mobile App) provided and offered with the system. Lastly, this PIA also covers the current self-registration model implemented for the program so that IRCC employees may register and provide their personal information to obtain notifications for desired work locations.
Summary of Privacy Issues and Mitigation Strategies
The PIA noted six potential privacy risks, categorized as low to medium, related to retention, use, and security of information collected, for which mitigation strategies were identified, including :
- Implementing and establishing a Directive that outlines the purpose and use for the mass notification system, including outlining the requirements around personal information collected, stored, accessed, and retained;
- Inclusion of the IRCC Notification System within the Separation Clearance Form, as well as obtaining reports from Information Technology (IT), so as to ensure employee accounts no longer needed are deleted and removed from the system and servers; and
- Providing administrative access rights only a few individuals that require it to manage the system.
Report a problem or mistake on this page
- Date modified: