Privacy Impact Assessment Summary for Government of Canada Financial and Material Management (GCFM) Solution
Description Of The Project
The Treasury Board of Canada Secretariat (TBS) Government of Canada Financial and Material Management (GCFM) solution is a financial and material management solution that provides business service functionality to GC departments and agencies across a wide spectrum of financial transactions. It addresses the capacity, business continuity and control risks that departments and agencies have repeatedly identified in the services of their aging financial and material management (FM) systems. GCFM intends to go live with an initial target population of approximately 8,000 users (replacing 17 FreeBalance Cluster departments). The solution will then be expanded in successive phases, adding incremental FM functionality and on-boarding additional departments and agencies in successive years.
The GCFM solution will be delivered on a centralized basis with a foundation of a common SAP S/4HANA solution integrated with other solution components managed by a centralized SAP Centre of Expertise (COE).
Why The PIA Was Necessary
This Privacy Impact Assessment (PIA) for GCFM was conducted to:
- identify potential privacy issues by assessing compliance with privacy protection legislation, policies and principles;
- forecast probable impacts associated with issues or non-compliance; and to
- identify actions and strategies to eliminate/reduce privacy risks.
This current PIA is part of the overall Security Assessments and Authorization (SA&A) processes. At the time of this report, the SA&A was still in progress. The finalization of the SA&A process may require an update to this PIA, considering the significant impact a security vulnerability may have on privacy risks.
Several dependencies have been noted and will need follow-up, namely:
- Legislative authority to collect, use, disclose and retain personal information for GCFM is provided through the memorandum of understanding (MOU) with all on-boarding departments and agencies. Project Delivery needs to ensure that privacy compliance and requirements are communicated, understood, and followed;
- A notice and consent statement has been developed and will be presented on the login banner screen. The banner requires the individual's consent at the time of data collection;
- Personal Information Banks (PIBs) describing information that is about the individual and all personal information that would flow through the GCFM business processes are maintained as required;
- Processes that need guidance on risk tolerance, or on the sensitivity of private information are identified;
- Privacy is integrated into the risk management framework (SA&A) as a Key Performance Indicator; and
- TBS controls related to the design, onboarding, and management of GCFM services handling Privacy Information have been developed to demonstrate compliance to privacy requirements and obligations.
There remain some risks to address, including:
- fundamental issues at the technical and operational levels of the on-boarding process, where on-boarding departments have not established processes for:
- approving the release and the uploading of files into GCFM,
- determining who specifically is responsible for the content of the data,
- verifying, identifying, and correcting errors prior to loading data files, and
- validating the protection of the file (from a privacy point of view).
- the need to formalize the requirement that on-boarding departments conduct their own PIA: they own their data, are responsible for its security and privacy, and are ultimately accountable and liable for any breaches. TBS would share its expertise and guidance to support them in this effort.
- the lack of information regarding the Business Intelligence/Business Data Warehouse (BI/BW) solutions for analytical and operational management that are presently being developed. Once more information is available, an assessment will be required of the potential privacy risks associated with:
- information analysis,
- potential personal information matching,
- record information matching,
- record linkage,
- personal information mining,
- personal information comparison,
- knowledge discovery, or
- information filtering.
- Advise the user departments of the details of the MOUs so that all levels of their organization from executives to operational and technical support are aware that they own their data, and are responsible for its security and privacy, and must follow government guidelines to that end.
- User departments must do their own PIAs in keeping with the TBS Directive on Privacy Impact Assessment. Departments must ensure their usage of data with GCFM does not differ from that agreed to in the MOU.
- Related policy, procedures or process documents should be referenced within the GCFM documentation in a more granular fashion to support privacy requirements.
- Roles and responsibilities need to be further detailed into specific processes and procedures. When faced with a specific process, staff of individual on-boarding departments may lose sight of their departmental obligations towards the privacy and accuracy of their own data, viewing those concerns as 'out of scope' for the work they are doing or as the responsibility of the system itself, as a separate entity.
- Processes handling personal information, as identified in the Recommendations section and in the table summarizing the calculated risks of GCFM business processes, still need to be verified as to how their data sets are limited and controlled specifically to the on-boarding department. This is in addition to the safeguards currently being assessed by the appropriate SA&A processes.
- Verification that safeguards in support of on-boarder GCFM privacy awareness and training provided by TBS are enough for the requirements of the business processes and roles before live release dates.
- Periodic reporting on the log analysis activity of the security team or internal audit. Log analysis tools and search utilities offer a powerful method of inference over application and component log data: knowledge of source address, transaction type, frequency of activity and various other heuristics may be used to infer the personal information of the subject as well as the type of transaction activity, even where the logs do not name the subject directly.
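The inference risk described above can be made concrete with a small script. The following is an added example, not code from the GCFM solution or from TBS; the log format, transaction names, addresses and employee numbers are constructed for illustration and assume nothing about the real system. It shows that when a transaction type is performed from only a handful of source addresses, an analyst who is given the raw logs can attribute that activity (and its timing) to a workstation, and hence to a person, without ever reading the subject field. It then shows one mitigation the security team could apply before producing periodic reports: keyed pseudonymization of the source address (so frequency analysis still works but the key is needed to reverse it) together with suppression of groups too small to hide the individual.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample log lines (not real GCFM logs).
# Fields: timestamp, source address, transaction type, subject identifier.
SAMPLE_LOG = """\
2023-04-03T09:01:12Z 10.20.1.15 PAYROLL_ADJUST subj=E10442
2023-04-03T09:04:50Z 10.20.1.15 PAYROLL_ADJUST subj=E10442
2023-04-03T09:07:03Z 10.20.1.15 VENDOR_PAYMENT subj=V2001
2023-04-03T09:10:21Z 10.20.1.33 VENDOR_PAYMENT subj=V2002
2023-04-03T09:12:45Z 10.20.1.33 VENDOR_PAYMENT subj=V2003
2023-04-03T09:15:00Z 10.20.1.47 VENDOR_PAYMENT subj=V2004
2023-04-03T09:18:19Z 10.20.1.47 VENDOR_PAYMENT subj=V2005
2023-04-03T09:20:00Z 10.20.1.52 VENDOR_PAYMENT subj=V2006
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, txn, subj = line.split()
        records.append({"ts": ts, "src": src, "txn": txn,
                        "subj": subj.split("=", 1)[1]})
    return records


def risky_groups(records, k=3):
    """Transaction types performed from fewer than k distinct source
    addresses. With so few sources, the address alone identifies who
    performed the transaction, whatever is done with the subject field."""
    srcs_by_txn = defaultdict(set)
    for r in records:
        srcs_by_txn[r["txn"]].add(r["src"])
    return sorted(txn for txn, srcs in srcs_by_txn.items() if len(srcs) < k)


def attribute_activity(records, txn):
    """What an analyst learns from a risky group: for each source address,
    when the transaction occurred. Mapping the address to a desk or a
    person is then a directory lookup outside the log."""
    out = defaultdict(list)
    for r in records:
        if r["txn"] == txn:
            out[r["src"]].append(r["ts"])
    return dict(out)


def pseudonymize(records, key):
    """Replace the source address with a keyed HMAC-SHA256 token and drop
    the subject field. The same key and address always give the same
    token, so counting and frequency analysis still work; reversing a
    token requires the key, which stays with the privacy or security lead
    rather than with the analyst."""
    out = []
    for r in records:
        token = hmac.new(key, r["src"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"ts": r["ts"], "src": token, "txn": r["txn"]})
    return out


def activity_report(records, key, k=3):
    """Per-transaction-type activity counts by pseudonymized source. Any
    type with fewer than k distinct sources is reported only as a total,
    so the report cannot single out one workstation."""
    counts = defaultdict(Counter)
    for r in pseudonymize(records, key):
        counts[r["txn"]][r["src"]] += 1
    report = {}
    for txn, by_src in counts.items():
        if len(by_src) < k:
            report[txn] = {"suppressed": True, "total": sum(by_src.values())}
        else:
            report[txn] = {"suppressed": False, "by_source": dict(by_src)}
    return report


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for txn in risky_groups(recs):
        print("singled out:", txn, attribute_activity(recs, txn))
    # The pseudonymization key is a placeholder; in practice it would be
    # generated and held outside the analysis tooling.
    print(activity_report(recs, b"placeholder-key"))
```

In the constructed data, PAYROLL_ADJUST is performed from a single address, so the raw log attributes both adjustments to that workstation by time and frequency alone; VENDOR_PAYMENT is spread across four addresses and is reported per token. The threshold k is a policy choice for the security team and internal audit to set, and the HMAC key must not be available to the people running the search utilities, or the tokens are reversible by recomputing them over the known address range.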