ELITE Software Upgrade

Overview And Privacy Impact Assessment Initiative

Name and Description of the Program or Activity of the Government Institution

Elite software upgrade

Legal Authority

CSIS Act, R.S.C., 1985, c. C-23

Employee Equity Act, S.C., 1995, c. 44

Financial Administration Act, R.S.C., 1985, c. F-11

Privacy Act, R.S.C., 1985, c. P-21

Personal Information Bank(s) (PIB)

The following existing PIBs apply to the upgrade of the Elite software and the personal information collected as a result:

1. EX Talent Management (PSU 934)
2. Employee Management Performance Program (PSE 912)
3. Training and Development (PSE 905)

Short Description of the Project, Initiative or Change

In 2012, the Canadian Security Intelligence Service (CSIS) acquired a software that served as the Service’s platform for employee learning and development. In the past 6 years, the software has become outdated while the Service’s business processes have expanded.  In order to modernize the existing software and meet business needs, CSIS will obtain the most recent version of this software. By doing so, CSIS will not only continue managing employee learning and development but will also deliver an enhanced performance management system.

The performance module of the latest software contains new features that will enable the organization to centralize, streamline and automate the performance review cycle. The software

has the capability to increase employee engagement through more relevant, timely and continual performance feedback. It comes with goal-setting capabilities that clearly align employee goals to the larger corporate objectives and creates employee development plans in which ongoing progress can be documented. An enhanced performance management system will ensure that the Service is gathering consistent and accurate data with respect to achieving employee objectives and strategic goals and will also bring value to decision-making processes.

Risk Area Identification And Categorization

Overall Risk Assessment

The Service has demonstrated due diligence in assessing privacy risks and has ensured that mitigation strategies are well established and enforced by:

• Ensuring that robust auditing capabilities and loggin functions are embedded in the software which identifies employee usage;
• Limiting access to those with a need-to-know;
• Enforcing internal policies regarding the need-to-know principle;
• Enforcing the retention and disposition policy; and
• Limiting the viewing availability to 10 years.

CSIS is committed to safeguarding personal information collected and continuously reviews its policies and procedures to ensure compliance with Federal Legislation.