Privacy Impact Assessment Summary for the Tier 3 Phoenix Claims Process

Introduction

This document provides the results of the privacy impact assessment (PIA) for the administration of Tier 3 - Damages for severe impacts and other demonstrable cases - claims in accordance with the terms and conditions of various agreements between bargaining agents and Treasury Board Secretariat related to damages caused by the Phoenix pay system.

Background

When the Phoenix pay system was implemented in February 2016, issues with the accuracy of public service payments were reported almost immediately throughout federal institutions. To deal with these issues, TBS established a new claims process for current and former Government of Canada (GC) employees to provide compensation for damages resulting from the implementation of the Phoenix pay system. Beginning in May 2017, employees who required tax advisory services because of Phoenix pay system issues were eligible to claim a reimbursement of up to $200.

In June of 2019 and October of 2020, joint union-management committees on Phoenix damages reached agreements with bargaining agents that would cover current and former employees who may have been severely impacted by the Phoenix pay system. The agreement identified 3 tiers of compensation. In 2017 and 2019 respectively, privacy impact assessments were completed for Tier 1a and 1b and Tier 2 claims, but none had been completed for the Tier 3 process, claims for severe impacts until May of 2021. 

Tier 3 claims dealt with severe impacts that included the following claim types:

Description and Scope

This PIA assessed the aspects of the collection, use, disclosure, retention and disposal of personal information as they relate to the proposed processes for the implementation of the Tier 3 claims under the Phoenix pay system damages agreements. This included:

Why the Privacy Impact Assessment Was Necessary

Under subsection 6.3 of the TBS Directive on Privacy Impact Assessment, institutions must undertake PIAs for programs and activities when:

The 2019 and 2020 (Memorandum of Agreements) MOA on Phoenix damages included three tiers of damages. These tiers required the collection of additional personal information to make an administrative decision on specific damages, as defined in each tier of the claims process. As a result, a PIA was required to comply with the rules governing the collection, use, disclosure, and protection of personal information.

Privacy Impact Assessment Objectives

This document summarizes the results of the Tier 3 claims under the Phoenix pay system damages agreements. The PIA includes an analysis of the potential privacy risks related to the collection, retention, use, disclosure, and disposition of personal information associated with the assessment and resolution of claims that were processed by the Claims Office. The PIA was conducted to ensure sound management and decision-making practices in the claims process, as well as careful consideration of privacy risks with respect to the collection and handling of sensitive personal information.

Privacy Impact Assessment Findings and Risk Summary

This PIA identified three medium-level privacy risks:

The Claims Office is working to mitigate all medium-level privacy risks in a timely manner.
In addition, three low-level risks were also identified however, the Claims Office is working to mitigate all identified privacy risks.

Action Plan – Risk Mitigation

Mitigation measures have been developed in response to each privacy risk identified in the PIA. These mitigation measures are intended to ensure that TBS and stakeholders involved in the processing of claims comply with:

All risks are actively being mitigated based on the recommendations put forth as part of this PIA.

Page details

Date modified: