Privacy Impact Assessment for the enhanced TBS Application Portal and TBS Identity Hub
This document summarizes the results of a Privacy Impact Assessment (PIA) that has been conducted on the enhanced TBS Application Portal (TAPx) of the Office of the Chief Information Officer, Treasury Board of Canada Secretariat (TBS). This PIA also includes an assessment of the TBS Identity Hub (TIH).
The TBS Application Portal (TAP) is an enterprise-wide solution that has been in use since 2014 and provides Government of Canada (GC) employees with access to TBS enterprise applications, including but not limited to the following:
- Public Service Performance Management
- Executive Talent Management System
- myWorkArrangements
- myEmployees
TAP is available to GC employees within the core public administration (CPA) and to GC employees within certain non-CPA institutions who are registered for an account.
TBS has undertaken to enhance the TAP-TIH application with the goals of improving the user experience and security and enhancing technical capabilities. The most current release of TAPx and TIH went live on .
Why a privacy impact assessment was completed
This PIA was completed to assess privacy risks with the enhanced TAP-TIH application.
Additional information
The following table lists risks identified, the date that any corresponding mitigation measures were implemented, and other information:
| Risk number | Description of potential risk | Implementation date or other information |
|---|---|---|
| 1. | Unvalidated authority for the collection of personal information may result in unauthorized collection of personal information pursuant to relevant legislative and/or regulatory instruments | 2025–26 fiscal year |
| 2. | Lack of public description of personal information as part of a personal information bank entry | 2025–26 fiscal year |
| 3. | Partial governance framework for TAPx or TIH | Accept the risk |
| 4. | Lack of guidance or restriction on the collection of personal email addresses | |
| 5. | Lack of a privacy notice regarding personal information that may be collected, used, disclosed or retained within the system | |
| 6. | Failure to periodically test backups of information, including personal information | Risk accepted |
| 7. | Partial methods and procedures associated with retention and disposition of personal information | Identify strategy by end of 2025–26 fiscal year |
| 8. | Use of inaccurate personal information to verify user identity | No action required |
| 9. | Enabling optional change to first name and last name within TAPx without clear guidance | |
| 10. | Error messages regarding accuracy of personal information used in identity validation that provide too much system information | Completed |
| 11. | Partial agreement instruments between TAPx, GC institutions, identity providers, or relying parties can result in unclear accountabilities and responsibilities for the protection of personal information in transit and at rest | 2025–26 fiscal year |
| 12. | Outdated Statement of Sensitivity may mean that sensitivity values for confidentiality, availability or integrity of TAPx-TIH information assets are not current | |
| 13. | Partial implementation of requisite security controls | Completed |
| 14. | Minimal documentation that details TBS-specific system and application architecture, configuration, deployment and maintenance characteristics | 2025–26 fiscal year |
| 15. | Partial account management policies and procedures | 2025–26 fiscal year |
| 16. | Partial privacy breach management processes | 2025–26 fiscal year |
| 17. | Partial service continuity procedures | 2025–26 fiscal year |
| 18. | Unknown status of role-based security and privacy training | 2025–26 fiscal year |
| 19. | Partial testing strategy, plan and processes | Completed |
| 20. | Unknown status of application-specific auditing, logging and continuous monitoring approach, strategy, tools, and processes | 2026–27 fiscal year |
Related personal information banks
Treasury Board of Canada Secretariat Application Portal (TAP)
Bank number: TBS PCE 815
For more information
For more information about this Privacy Impact Assessment, contact the following:
Nancy Violette-Fehr
Executive Director and Chief Information Officer
Organization and Evaluation of Work
Office of the Chief Information Officer
Treasury Board of Canada Secretariat