Human resources business intelligence

Human Resources Branch

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Sonia Côté
Assistant Commissioner
Human Resources Branch 

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Director General
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Human resources management services include determining strategic direction, allocating resources among services and processes, analyzing exposure to risk, and determining appropriate countermeasures. They ensure that the service operations and programs of the federal government comply with applicable laws, regulations, policies, and plans.

Standard or institution specific class of record:

Classification of Positions Class of Record (PRN 919)

Recruitment and Staffing Class of Record (PRN 920)

Occupational Health and Safety Class of Record (PRN 922)

Official Languages Class of Record (PRN 923)

Labour Relations Class of Record (PRN 926)

Training and Development Class of Record (PRN 927)

Relocation Class of Record (PRN 936)

Awards (Pride and Recognition) Class of Record (PRN 940)

Compensation and Benefits Class of Record (PRN 941)

Employment Equity and Diversity Class of Record (PRN 942)

Performance Management Reviews Class of Record (PRN 946)

Human Resources Planning Class of Record (PRN 949)

Standard or institution specific personal information bank:

Employee Personnel Record (PSE 901)

Staffing Personal Information Bank (PSE 902)

Attendance and Leave Personal Information Bank (PSE 903)

Pay and Benefits Personal Information Bank (PSE 904)

Training and Development Personal Information Bank (PSE 905)

Official Languages Personal Information Bank (PSE 906)

Disclosure of Wrongdoing in the Workplace Personal Information Bank (PSU 906)

Occupational Health and Safety Personal Information Bank (PSE 907)

Relocation Personal Information Bank (PSU 910)

Grievances Personal Information Bank (PSE 910)

Applications for Employment Personal Information Bank (PSU 911)

Discipline Personal Information Bank (PSE 911)

Employee Performance Management Program Personal Information Bank (PSE 912)

Values and Ethics Codes for the Public Sector and Organizational Code(s) of Conduct (PSE 915)

Employee Assistance Personal Information Bank (PSE 916)

Employment Equity and Diversity Personal Information Bank (PSE 918)

Harassment Personal Information Bank (PSE 919)

Recognition Program Personal Information Bank (PSE 920)

Canadian Human Rights Act – Complaints Personal Information Bank (PSU 933)

EX Talent Management Personal Information Bank (PSU 934)

Human Resources Planning Personal Information Bank (PSU 935)

Legal authority for program or activity

As the employer under the Canada Revenue Agency Act, the Canada Revenue Agency (CRA) is responsible for making sure the personal information of its employees is administered according to the Privacy Act.

Personally identifiable information exists in employee and job applicant records. The collection, use, disclosure, retention, and disposal of this information must be managed in a way that takes into account the Privacy Act’s principles of confidentiality, accuracy, and relevance.

The CRA collects personal information about its employees. Its authority to collect this information comes from the following legislation:

Summary of the project, initiative or change

Overview of the Program or Activity

The Human Resources Branch (HRB) enables effective people management by providing programs and services that support workforce and workplace excellence while sustaining a culture of integrity.

The systems and related processes that support these functions enable employees, managers and authorized human resource officers to enter, validate and, where necessary, update employee information. The personal information, collected from individual employees, is used by the HRB to provide employees with all employment services and benefits to which they are entitled and permit HRB employees and CRA managers to access the data needed to administer the CRA’s human resource services.

The HRB enables CRA employees to provide tax and benefit services to every Canadian. Its activities include:

What’s New

Improvements are needed to modernize the technology that supports the HRB’s core functions. This is essential for enhancing the HRB’s ability to develop programs and deliver client services that support employees.

The Strategic Business Integration Directorate (SBID) is responsible for developing modern and sustainable HRB Business Intelligence (BI).

The HRB uses BI to collect knowledge and insight from available data. BI is a technology driven process that helps management make operational decisions and better achieve corporate objectives. BI refers to processes, technologies, tools, and analytical methods that turn data into information, information into knowledge, and knowledge into plans for program activities. BI includes data warehousing, analytics tools, content management, and the statistical methods used to extract and synthesize new insights. These insights are used to track business performance, detect patterns, and forecast. This gives program areas better insight into complex business questions and supports better-informed strategic responses and decisions.

The HRB BI will address the CRA’s need to track, report on, and assess the effectiveness of human resources programs by providing secure, reliable, and auditable access to a centralized and authoritative source of data. This will help the CRA better understand current issues and prepare for emerging human resources challenges.

The BI will improve the HRB’s ability to use data to develop strategies that will help the CRA deliver human resources services and recruit, develop, and retain the workforce of the future. For example, it will make it possible to identify candidates with specific experience or create a list of employees that have an interest in management. Consequently, this will improve the HRB’s ability to be an effective and efficient human resources service provider and strategic business partner, helping the CRA better understand current concerns and prepare for emerging human resources challenges.

Additionally, the robust, modern, and sustainable BI infrastructure allows the CRA to analyze, research, and explore human resources activities more efficiently while empowering users to discover data and perform their own analysis with less reliance on other branches, such as the Information Technology Branch. It will increase the BI capabilities and reduce the effort, time, and cost associated with the current processes. It will also make human resources data accessible to other branches. The BI infrastructure will help foster a culture of innovation and collaboration at the CRA. It will also be used to streamline the reporting processes and implement new reporting tools and technologies.

In conclusion, the BI infrastructure will allow the HRB to meet the CRA’s strategic objective to make effective, evidence-based decisions by making exponentially better use of the HRB’s data assets. This will also allow the CRA to recruit and retain the employees it needs to be a world-class tax and benefit administration.

Activities related to HRB BI include:

To begin BI activities, analysts need easy access to up-to-date data and information about that data. A variety of tools and statistical analysis software is used to access employees’ personal information. Data marts, CRA data warehouse, copies of the source system, external data, and tools will be housed in a CRA BI appliance platform. The BI users will use Workspaces to conduct their work.

Because there is a lot of data available, there will be various tools for users, such as data dictionaries, data models, and a metadata environment. BI resources will support the BI infrastructure by providing access, verifying test data validity, fixing data errors, and updating information.

The HRB BI infrastructure may share information with a human resources initiative that uses artificial intelligence or machine learning. The programs using the human resources data in an artificial intelligence tool must conduct their own corresponding security, privacy, and ethical evaluation through the CRA’s algorithmic impact and alignment assessment process.

Scope of the Privacy Impact Assessment

This privacy impact assessment (PIA) focuses on the BI activities carried out by the SBID on behalf of the HRB to improve the delivery and effectiveness of human resources programs.

The BI information will allow the human resources management programs to administer and measure human resources programs and services and discover new insights about how those programs and services could be delivered in more efficient and effective ways.

The HRB BI process will provide support to existing human resource programs. The use of personal information gathered through the HRB BI process will be consistent with what has been identified within the standard Personal Information Banks (PIBs).

The intent of this PIA is not to assess the HRB programs themselves; its scope is limited to the HRB BI activities, such as, but not limited to, data matching, performance measurement, business intelligence analytics, reporting, and human resource related research.

Any planned new use of personal information for human resource purposes that is not consistent with Government of Canada standards is outside the scope of this PIA and will be evaluated separately using the CRA’s existing privacy practices.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services 

Level of risk to privacy: 2

Details:

The results of BI activities such as performance measurement, business analytics, and data exploration are to establish the demographics, explore potential workloads, and monitor inventory. Personal information will be used to produce these results. The information from these types of reports will be at the summary and detail level and will not involve a decision about an identifiable individual, unless the program responsible for the decision has the mandate that specifically permits such action. As part of workload development, BI services may send lists containing identifiable information to the HR Programs.

The HRB uses personal information to identify and assess trends in employees’ behaviour. The HRB also uses personal data to develop and improve predictive data mining models and predictive data models. The Human Resources Management programs decided to use the output from predictive data models to support HRB programs and activities.

The results of the BI activities will allow the HRB programs to administer and measure their services and learn how those programs and services could be delivered in ways that are more efficient and effective. The use of BI information ensures program areas are more agile in addressing emerging risks and challenges and in providing better service to employees.

HRB BI will provide data to human resources programs to support program monitoring, development, and workload management. The data may be used by human resources programs to support decisions resulting in administrative consequences affecting employees.

HRB BI infrastructure will not collect external data from third-party sources at this point. However, the HRB plans to collect the third-party data in the future, and the PIA will be updated before that, according to the PIA action plan, to include external data sources.

B) Type of personal information involved and context

Social insurance number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or personal information involving a representative acting for an individual

Level of risk to privacy: 3

Details:

Personal information will include identification numbers, contact information, biographical information, gender, date of birth, language, employment information, and other sensitive personal information. The data will be used in performance and operational reports and for research and analysis purposes. In the majority of circumstances, the data will be compiled at an aggregate level to establish demographics, trend analysis, and workload management. The detailed-level data may also be used for workload development.

All CRA staff must follow the CRA’s stringent policies and procedures on privacy and confidentiality, security, and information management.

At this point, HRB will not use external source data, which is data that is collected from third-party sources and not by CRA sources.

The data to be housed within the HRB BI infrastructure will include copies of CRA source systems. The personal information extracted from these sources will be subjected to the same considerations applied to all data repositories in the CRA.

C) Program or activity partners and private sector involvement

With other federal institutions 

Level of risk to privacy: 2

Details:

The data used for HRB BI activities comes from existing internal CRA source systems that create data as a result of CRA Human Resources functions and programs. The information was originally created for the purpose of CRA human resource programs, from sources including:

The HRB shares aggregated data with the Treasury Board of Canada Secretariat from employee surveys, the pay system, and the pension system.

The HRB BI will include only research, analytics, and development activities performed within the CRA. A select number of researchers and analysts from the HRB will be involved in HRB BI activities within the CRA.

D) Duration of the program or activity

Long-term program

Level of risk to privacy: 3

Details:

BI activities play an important role in achieving the CRA’s mandate. BI activities within the CRA are long-term. The HRB does not foresee that they will be discontinued.

E) Program population

The program affects most or all employees for internal administrative purposes.

Level of risk to privacy: 2

Details:

The HRB BI activities include data on all CRA employees. The data will be provided to human resource programs to support program monitoring, development, and workload management. The data may be used by human resource programs to support decisions resulting in administrative consequences affecting employees.

F) Technology & privacy

  1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

    Risk to privacy: Yes

  2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

    Risk to privacy: No

  3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies.  

Level of risk to privacy: 4

Details:

The data used for BI activities comes from data gathered from human resources programs and activities. This data is stored in human resources source-system databases and copied to the BI infrastructure.

The information stored on the platform is then used by data analysis software to conduct various BI activities that support human resources program functions such as workload management, inventory monitoring, and establishing trends related to employee behaviour.

Some of the BI data will be aggregated, and it will be transmitted to the human resources programs through internal systems, including by email.

The use of wireless technology is increasing, as well as the need for greater accessibility to the CRA environment from anywhere. Secure remote access (SRA) is used when accessing the CRA environment while away from the office. Sending Protected A and B information using wireless technology has low risk. Protected C or Classified information must not be discussed, stored, or processed on a cellular or wireless device.

Many of the BI tools and applications are accessible to users through a secure site, which allows them to create and run performance reports on their own.

All queries against the BI platform are logged and subject to monitoring. Access permissions exist.

Anyone granted access to data on the BI platform is bound by the business intelligence platform policies and guidelines. Employees are aware that result sets that contain personal information should not be shared with anyone outside their program area or branch unless authorized to do so.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

In the event of a privacy breach, an individual may become a victim of identity theft, and the identity information may be used without their knowledge or consent in ways that could result in a financial or reputational loss to them.

However, it is very difficult to access personal information about an employee because both their social insurance number (SIN) and their personal record identifier (PRI) are masked.

When sharing sensitive data internally for administrative purposes, the CRA protects data using one or more of the following methods:

When providing sensitive data for administrative purposes to a person who does not have the right to see the sensitive information, the CRA suppresses the data that could lead to residual disclosure of confidential information before sharing it.
