In 2012, the Canadian Security Intelligence Service (CSIS) upgraded their recruiting program on their Website. The purpose of the program is to attract potential applicants.
As an employer under the Financial Administration Act, CSIS is governed by the Privacy Act. In addition, CSIS is compliant with Treasury Board Secretariat policies, standards, guidelines and best practices.
The recruiting Website utilizes a third party recruiting service provider and uses their recruiting workflow products to collect the required recruitment information. This includes the applicant’s consent to the disclosure of personal information, contact information, official languages, additional foreign languages, education, post-secondary education, employment equity designated groups, along with their resumé and covering letter.
The third party web recruiting service provider is under a contractual obligation to collect and transfer the collected information to CSIS Human Resources. Collected information is not retained by the service provider for any secondary use.
This information is stored in Personal Information Bank (PIB) CSIS Candidates, CSIS PPU 025. Personal information in this PIB is retained for a minimum of two years. However, unsolicited applications are destroyed after six months.
The PIA concludes that no privacy risks were identified and that applicable legislation, policies and privacy principles were observed.
Overview and PIA Initiation
CSIS is currently in the process of implementing a new project that entails the deployment of a 3rd party Web Recruiting application software to support its human resourcing and staffing requirements. The project consists of the installation, integration and deployment of the 3rd party’s application for the purposes of seeking talent and initial screening via the internet.
The existing on-line recruiting system will be decommissioned and replaced by the new 3rd party’s products and services. The existing application did not have a PIA completed. With the new system and increased capabilities, the organization has indicated that a PIA is required in order to meet established Treasury Board Guidelines.
The Director of the Service is responsible for this program and the legal authority is derived from the CSIS Act.
Determination of the need for a Privacy Impact Assessment was a result of the development of the Statement of Sensitivity (SoS) and for the following reasons:
- designing a new program or service;
- making significant changes to an existing program or service; and
- no PIA exists for the current programs.
Risk Area Identification and Categorization
| a) Type of program or activity | Risk | |
|---|---|---|
| Program or activity that does NOT involve a decision about an identifiable individual | 1 | |
| Administration of program or activity and services | 2 | 2 |
| Compliance or regulatory investigations and enforcement | 3 | |
| Criminal investigation and enforcement or national security | 4 | |

| b) Type of personal information involved and context | Risk | |
|---|---|---|
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 | 1 |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 | |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 | |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 | |

| c) Program or activity partners and private sector involvement | Risk | |
|---|---|---|
| Within the institution (among one or more programs within the same institution) | 1 | |
| With other government institutions | 2 | |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 | |
| Private sector organizations, international organizations or foreign governments | 4 | 4 |

| d) Duration of the program or activity | Risk | |
|---|---|---|
| One-time program or activity | 1 | |
| Short-term program or activity | 2 | |
| Long-term program or activity | 3 | 3 |

| e) Program population | Risk | |
|---|---|---|
| The program's use of personal information for internal administrative purposes affects certain employees. | 1 | 1 |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 | |
| The program's use of personal information for external administrative purposes affects certain individuals. | 3 | |
| The program's use of personal information for external administrative purposes affects all individuals. | 4 | |

| f) Technology and privacy | |
|---|---|
| Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? | YES |
| Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? | NO |

Specific technological issues and privacy

| A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation. | 3rd party Web Recruitment service provider – no privacy issues exist |

| g) Personal information transmission | Risk | |
|---|---|---|
| The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 | |
| The personal information is used in a system that has connections to at least one other system. | 2 | 2 |
| The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 | |
| The personal information is transmitted using wireless technologies. | 4 | |

h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee. In the case of a breach, the intent of the individual to seek employment could jeopardize his existing circumstances as the application is made in confidence.