Public Service Resourcing System, Privacy Impact Assessment Addendum

Executive summary

The objective of this report is to conduct a Privacy Impact Assessment (PIA) of the changes to the Public Service Resourcing System (PSRS) as a result of the Veterans Hiring Act, to serve as an addendum to PSRS’s existing PIA. The assessment identifies and documents the additional personal information collected as a result of the Veterans Hiring Act, the method of collection and its anticipated use, retention, disclosure and protection. The report also identifies and assesses potential privacy risks of the PSRS release, as well as the associated risk mitigation measures.

The Public Service Commission (PSC) draws its authority from the Public Service Employment Act (PSEA). The mandate of the PSC is to promote and safeguard merit‑based appointments and, in collaboration with other stakeholders, to protect the non‑partisan nature of the public service. As part of this mandate, the PSC provides staffing and assessment functions and services to support staffing in the public service. In addition, in exercising its role to oversee the integrity of the staffing system, the PSC maintains and analyses data on the public service, carries out audits and conducts investigations.

Section 11 of the PSEA enables the PSC to offer enabling services to the federal public service. PSRS is an on-line Web-based system designed to provide human resources professionals and hiring managers with information and tools to assist them in filling advertised appointment processes using electronic recruitment. The main purpose of PSRS is to facilitate the process of recruiting for advertised positions to the public service.

The Government of Canada is proposing changes to the PSEA, through the introduction of the Veterans Hiring Act, to enhance employment opportunities in the federal public service for veterans and releasing Canadian Armed Forces (CAF) members:

  1. New Statutory Priority Entitlement – All CAF members, including reservists, who are medically released for service-related reasons will be given the top level of priority entitlement for appointments to the public service. This means that, if they meet the essential qualifications for the position, they must be appointed ahead of all other applicants and before the hiring organization conducts an internal or external appointment process. The conditions for the new statutory priority will be prescribed by the PSC and will include a five-year eligibility period, followed by a five-year priority entitlement period.
  2. Preference for Appointment – For up to five years following their release, honourably released veterans with a minimum of three years of military service will have a preference for appointment when participating in advertised external appointment processes. A preference for appointment means that, if these persons meet the essential qualifications for an advertised external appointment process, they must be appointed before others.
  3. Mobility Provisions – For up to five years following their release, all CAF members and honourably released veterans with a minimum of three years of military service will be able to participate in all advertised internal appointment processes. These persons must meet any employment equity area of selection criteria established for the position. Currently, CAF members are eligible for specific appointment processes only when they are specifically included in the area of selection.

To prepare for the coming into force of the new provisions, the PSC has consolidated the internal recruitment system (Public Service Staffing Advertisements and Notifications) with the external recruitment system (PSRS). PSRS has been enhanced to:

  • Handle internal advertised processes and notifications as well as external advertised processes, which introduced new functionality (e.g. the ability to view and apply to internal job opportunities for authorized individuals such as veterans) and the capture of new information (employee information);
  • Capture an eligible veteran’s preference for appointment (for external processes) and eligibility to apply for internal advertised processes;
  • Capture an eligible individual’s entitlement to a priority for appointment; and
  • Provide the authorization mechanism for users of the Priority Information Management System (PIMS).

The information provided by applicants in response to the Veterans Hiring Act will be shared with federal organizations in accordance with the Privacy Act and will be used to identify candidates who might be suitable for referrals and appointments to positions within the public service, in the same manner that applicant information is used today. This information will also be used for statistical analysis and studies, as well as for audit and investigation purposes, as it is today. All personal information collected via PSRS is collected for the purpose of meeting the PSC’s responsibilities under the provisions of the PSEA.

Section I – Overview and Privacy Impact Assessment initiation

a) The government institution or, in the case of a multi-institutional PIA, the lead government institution.

This is an organization-specific PIA for the PSC.

b) The head of the government institution or delegate for section 10 of the Privacy Act or, in the case of a multi-institutional PIA, the head or delegate of each government institution involved in the program or activity.

The PSC’s Director of Access to Information and Privacy and Transition Projects has the delegated authority for section 10 of the Privacy Act.

c) The appropriate senior official or executive for the new or substantially modified program or activity.

The Vice-President, Staffing and Assessment Services Branch.

d) Name and description of the program or activity of the government institution or, in the case of a multi-institutional PIA, of the lead government institution.

Part of the “raison d’être” of the PSC is to deliver innovative staffing and assessment services, which includes the enabling infrastructure. PSRS is an on-line Web-based system designed to provide human resources professionals and hiring managers with information and tools to assist them in filling advertised appointment processes. The main purpose of PSRS is to facilitate the process of recruiting for externally advertised positions. In response to the Veterans Hiring Act, PSRS has been enhanced to handle advertisements and applications for internally advertised positions and to publish notifications.

e) Legal authority for the program or activity or, in the case of a multi-institutional PIA, the legal authority for each government institution involved in the program or activity.

The PSC is mandated to make appointments to and within the public service, based on merit and free from political influence. The PSC reports independently on its mandate to Parliament.

The PSC is authorized to collect personal information in PSRS in accordance with subsection 11(a) of the PSEA to appoint, or provide for the appointment of, persons to or from the public service in accordance with the PSEA. In addition, legal authority is found in the Veterans Hiring Act, upon its coming into force, as it modifies the PSEA with respect to preferences, priorities and mobility entitlements of the CAF members and former members.

f) Identification of whether the proposal is related to a new PIB or will substantially modify an existing PIB. Existing PIBs are to be identified by their title, registration number and bank number.

PSRS has an existing PIB (PSC PPU 015). The proposal requires modifications to this PIB, as its purpose is to identify applicants suitable for referrals and appointments to positions within the public service. The PIB descriptions on Info Source will be updated during the next annual cycle, planned for early fall 2015, to specify that the information is for internal as well as external staffing processes.

The personal information under the Priority Administration program is included in the following PIB: PSC PCE 801. Work is currently under way to develop a PIA for PIMS.

g) Short description of the project, initiative or change.

  • Use of PSRS for internal staffing processes
    • Existing PSRS functionality has been made available for internal staffing processes, e.g. advertisements and applications, screening tools, communication tools and application referrals (extract files).
    • Only individuals who are designated as authorized have access to search, view and apply to internal advertised job opportunities.
    • The applicant’s profile includes additional fields to capture their employment status within the public service, including current organization, current work location and substantive classification. Although these fields are new, this information was previously captured from the résumé or cover letter.
    • New functionality has been developed to publish notifications (Notification of Consideration, Notification of Appointment or Proposed Appointment and Information Regarding Acting Appointment). No new personal information is being captured as a result of this functionality; however, we can now associate the notifications applicants with a Personal Record Identifier or a CAF service number, for reporting purposes (this information is not displayed to job seekers).
  • Collection, use and disclosure of CAF service numbers and related information
    • This information is used to identify applicants who are entitled to preference for appointment in the public service and who are eligible to apply to internal advertised positions, as well as to report on the implementation of the Veterans Hiring Act.
  • Collection, use and disclosure of Priority Reference Numbers and related information
    • PSRS captures limited priority information for all priority types. This information is used to identify applicants who have a priority for appointment in the public service.

h) In the case of a multi-institutional PIA, the lead government institution will describe the approach for the completion and approval of the PIA in support of the program or activity. At a minimum, a multi-institutional PIA will identify the government institutions involved and ensure that the role of each institution with respect to the program or activity is adequately documented, unless otherwise determined by the approach.

The PSC will complete and approve the PIA Addendum.

Section II – Risk area identification and categorization

a) Type of program or activity

Administration of program or activity and services

PSRS is an application designed to facilitate the recruitment process for advertised positions to the public service. It allows applicants to search for and apply to jobs, and allows organizations to advertise job opportunities and to screen, search and refer applications. PSRS has been enhanced to handle internally advertised processes and notifications. Although information is captured in PSRS, it is not an authoritative system and other sources must be used to validate the information supplied.

Risk scale: 2

b) Type of personal information involved and context

Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.

PSRS collects personal information directly from the individual, including their name, partial date of birth, citizenship, address, education and employment history. This is a voluntary direct collection for the purposes of obtaining employment in the public service, and the individual provides consent to the use of their personal information by logging into their account (Privacy Notice Statement).

PSRS has been enhanced to add a direct voluntary collection of CAF service numbers and Priority Reference Numbers, for verification purposes. Once an individual is validated, additional related information is received from the validation source (a secure file from the Department of National Defence (DND) or PIMS data files), to determine eligibility for preference and to apply for internal jobs or a priority for appointment in the public service. Some of the priority types collected from PIMS and displayed to the Administrators in PSRS include the mention of “medically released,” which raises the risk level to 3.

Risk scale: 3

c) Program or activity partners and private sector involvement

With other government institutions: Internal partners include Audit and Data Services, which uses the information collected to conduct statistical analysis of applications (see the PIB for the PSC Analytical Environment, PSC PCE 761); Investigations, which uses the information collected to conduct investigations pursuant to PSEA sections 66, 68 and 69; and the Personnel Psychology Centre, which conducts analyses, studies and surveys in PSRS.

External partners include federal organizations who may or may not be governed by the PSEA and who may or may not have direct access to PSRS. The PSC regional offices provide advertising services to federal organizations that do not have direct access to PSRS.

Risk scale: 2

d) Duration of the program or activity

Long-term program or activity

PSRS has been in existence since 2003, with data that dates back to 2001. The inclusion of the internal staffing capability is intended as a long-term solution for government hiring.

Risk scale: 3

e) Program population

The program's use of personal information for external administrative purposes affects certain individuals.

Hiring organizations use the personal information collected in PSRS to screen (manually or automatically, based on their established criteria), search for and refer applicants for advertised job opportunities. The information is used to identify the applicants who are suitable for appointments to positions within the public service. PSRS has been enhanced to handle internal advertised job opportunities to which some non–public servants (e.g. veterans) will be authorized to apply.

Risk scale: 3

f) Technology and privacy

Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

No.

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

Yes. PSRS has been modified as detailed in section I(g).

Specific technological issues and privacy

Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:

  • enhanced identification methods;
  • surveillance; or
  • automated personal information analysis, personal information matching and knowledge discovery techniques?

Yes. The CAF service number and the name provided by the applicant on their PSRS profile are used to verify the same information on a secure file provided by DND. This validates whether the applicant is eligible for internal jobs and is entitled to preference for appointment in the public service. Similarly, the Priority Reference Number and the name provided by the applicant on their PSRS profile are used to verify the same information in the PIMS data files. This validates whether the applicant has a priority for appointment in the public service.

A yes response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

g) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

The CAF service number and the name provided by the applicant on their PSRS profile are used to verify the same information on a file provided by DND, transferred to the PSC using a secure Web service and stored in a secure zone of the database with restricted access. When the information is validated, PSRS collects the eligibility for preference and internal mobility, as well as the end date of preference and mobility, from the secure file.

The Priority Reference Number and the name provided by the applicant on their PSRS profile are used to verify the same information on the PIMS data files. When the information is validated, PSRS collects the priority entitlement type and end date from PIMS.

The eligibility for preference and internal mobility, the end date of that eligibility and the priority entitlement type and end date are subsequently included in the applicant’s application information, which can be transferred to the hiring organization using a secure account.

Risk scale: 2

h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

The information contained within the system, if compromised, would not cause serious injury to non-national interests.

A Security Assessment and Authorization (SA&A) of PSRS was conducted in preparation for the changes under the Veterans Hiring Act. For this SA&A, the security requirements were reviewed and documented. The security controls for Protected B confidentiality, Medium integrity and High availability were selected. The acceptable level of residual risk for the client was identified as Low. Security controls as applied were reviewed, and some were tested. The following areas were tested via a third-party penetration test: authentication; session hijacks and manipulation; data theft attacks; and injection flaws that result in code execution. Also reviewed were the new data transfer from DND and the new authorization mechanism for users of PIMS. Based on the results of the assessment and on recommendations from the assessor, a Full Authority to Operate was signed by the Program and Service Delivery Manager and Chief Information Officer on March 17, 2015.

i) Potential risk that in the event of a privacy breach, there will be an impact on the institution.

The inappropriate disclosure of the entire PSRS database (or portions of it) could have serious negative impacts on the PSC and PSRS applicants. However, the incremental personal information collected in response to the Veterans Hiring Act does not significantly increase the risks or the impacts. Furthermore, the addition of internal advertisements and notifications does not significantly increase the risks or the impact, as internal processes are using the existing functionality of the system while restricting access to authorized individuals.

In summary, the incremental functionality and personal information captured in response to the Veterans Hiring Act do not significantly impact PSRS to the extent that it would require changes to the infrastructure or data flow. For example, the PSRS data is already stored in a Protected B environment with restricted access. However, some risks are introduced by the capture of the priority entitlement type (especially “medically released”) and the verification of the CAF service number and Priority Reference Number with other data sources. Mitigation strategies associated with each identified risk are detailed in the Privacy Action Plan.
