Privacy Impact Assessment for the enhanced TBS Application Portal and TBS Identity Hub

This document summarizes the results of a Privacy Impact Assessment (PIA) that has been conducted on the enhanced TBS Application Portal (TAPx) of the Office of the Chief Information Officer, Treasury Board of Canada Secretariat (TBS). This PIA also includes an assessment of the TBS Identity Hub (TIH).

The TBS Application Portal (TAP) is an enterprise-wide solution that has been in use since 2014 and provides Government of Canada (GC) employees with access to TBS enterprise applications, including but not limited to the following:

TAP is available to GC employees within the core public administration (CPA) and to GC employees within certain non-CPA institutions who are registered for an account.

TBS has undertaken to enhance the TAP-TIH application with the goals of improving the user experience and security and enhancing technical capabilities. The most current release of TAPx and TIH went live on .

Why a privacy impact assessment was completed

This PIA was completed to assess privacy risks with the enhanced TAP-TIH application.

Additional information

The following table lists risks identified, the date that any corresponding mitigation measures were implemented, and other information:

Risk number Description of potential risk Implementation date or other information
1. Unvalidated authority for the collection of personal information may result in unauthorized collection of personal information pursuant to relevant legislative and/or regulatory instruments 2025–26 fiscal year
2. Lack of public description of personal information as part of a personal information bank entry 2025–26 fiscal year
3. Partial governance framework for TAPx or TIH Accept the risk
4. Lack of guidance or restriction on the collection of personal email addresses
5. Lack of a privacy notice regarding personal information that may be collected, used, disclosed or retained within the system
6. Failure to periodically test backups of information, including personal information Risk accepted
7. Partial methods and procedures associated with retention and disposition of personal information Identify strategy by end of 2025–26 fiscal year
8. Use of inaccurate personal information to verify user identity No action required
9. Enabling optional change to first name and last name within TAPx without clear guidance
10. Error messages regarding accuracy of personal information used in identity validation that provide too much system information Completed
11. Partial agreement instruments between TAPx, GC institutions, identity providers, or relying parties can result in unclear accountabilities and responsibilities for the protection of personal information in transit and at rest 2025–26 fiscal year
12. Outdated Statement of Sensitivity may mean that sensitivity values for confidentiality, availability or integrity of TAPx-TIH information assets are not current
13. Partial implementation of requisite security controls Completed
14. Minimal documentation that details TBS-specific system and application architecture, configuration, deployment and maintenance characteristics 2025–26 fiscal year
15. Partial account management policies and procedures 2025–26 fiscal year
16. Partial privacy breach management processes 2025–26 fiscal year
17. Partial service continuity procedures 2025–26 fiscal year
18. Unknown status of role-based security and privacy training 2025–26 fiscal year
19. Partial testing strategy, plan and processes Completed
20. Unknown status of application-specific auditing, logging and continuous monitoring approach, strategy, tools, and processes 2026–27 fiscal year

Related personal information banks

Treasury Board of Canada Secretariat Application Portal (TAP)
Bank number: TBS PCE 815

For more information

For more information about this Privacy Impact Assessment, contact the following:

Nancy Violette-Fehr
Executive Director and Chief Information Officer
Organization and Evaluation of Work
Office of the Chief Information Officer
Treasury Board of Canada Secretariat

Nancy.Violette-Fehr@tbs-sct.gc.ca

Page details

2026-01-27