Departmental security – ID card section

Description

This Privacy Impact Assessment (PIA) presents findings related to the internal personal information handling for Shared Services Canada’s (SSC) security card issuance activity. SSC controls access to its 207 sites by issuing ID cards to approved individuals, including employees, students, contractors and visitors.

Currently, the process of collecting personal information for these cards is done manually. However, SSC is transitioning to the Employee Service Portal (ESP), a solution developed and managed exclusively by SSC. This will simplify the process of requesting and processing ID cards online, while continuing to print and deliver physical cards either in person or by mail.

Why a privacy impact assessment was completed

The PIA was triggered in accordance with the Directive on Privacy Practices, Appendix C: Standard on Privacy Impact Assessment, which states: “When substantial modifications are to be made to an existing program or activity that uses personal information for an administrative purpose, including through the use of any new or modified information technology or other process.”

Additional information

Collecting government-issued identification from individuals outside the National Capital Region introduces privacy considerations, as these documents may contain sensitive personal information, such as place of birth, height, gender and eye color, that may not be strictly necessary for the program’s intended purpose. To address these concerns while ensuring the proper identification of regional applicants, the Security ID team will securely dispose of any copies of government-issued IDs provided by employees following the identity verification process.

The privacy-related clauses from the relevant service contracts, managed by the central procurement authority, were not available for review at the time of this assessment. The Security ID team is actively collaborating with the appropriate internal group to obtain access to these clauses. This proactive coordination aims to ensure that privacy standards are being appropriately applied.

The current employee privacy notice does not fully align with the requirements outlined in the Directive on Privacy Practices. The Security ID team collaborated with the Privacy team to develop an updated privacy notice that meets all requirements set out in the Directive.

Related personal information banks

• Physical Access Controls personal information bank (PSU 907)
• Personnel Security Screening personal information bank (PSU 917)

For more information about this privacy impact assessment

Access to Information and Privacy Coordinator
99 Metcalfe Street
3rd Floor, Room 308
P.O. Box 9808, Station T CSC
Ottawa, Ontario K1G 4A8

Email: ATIP-AIPRP@ssc-spc.gc.ca