Privacy Impact Assessment Summary for the Tier 3 Phoenix Claims Process
Introduction
This document provides the results of the privacy impact assessment (PIA) for the administration of Tier 3 - Damages for severe impacts and other demonstrable cases - claims in accordance with the terms and conditions of various agreements between bargaining agents and Treasury Board Secretariat related to damages caused by the Phoenix pay system.
Background
When the Phoenix pay system was implemented in February 2016, issues with the accuracy of public service payments were reported almost immediately throughout federal institutions. To deal with these issues, TBS established a new claims process for current and former Government of Canada (GC) employees to provide compensation for damages resulting from the implementation of the Phoenix pay system. Beginning in May 2017, employees who required tax advisory services because of Phoenix pay system issues were eligible to claim a reimbursement of up to $200.
In June of 2019 and October of 2020, joint union-management committees on Phoenix damages reached agreements with bargaining agents that would cover current and former employees who may have been severely impacted by the Phoenix pay system. The agreement identified 3 tiers of compensation. In 2017 and 2019 respectively, privacy impact assessments were completed for Tier 1a and 1b and Tier 2 claims, but none had been completed for the Tier 3 process, claims for severe impacts until May of 2021.
Tier 3 claims dealt with severe impacts that included the following claim types:
- Financial costs and lost investment income – Current and former employees who have been financially impacted by Phoenix may request compensation if, for example, they cashed in investments, missed opportunities to earn interest on savings accounts, or experienced delays in receiving severance, pension or pay and were not able to earn interest on those sums.
- Severe personal or financial hardship – Current and former employees who, because of Phoenix pay issues, experienced severe personal or financial hardship such as, but not limited to, bankruptcy, impacts to credit ratings, mental anguish or trauma may submit a claim.
- Leave taken because of health issues related to Phoenix – Current and former employees who took sick leave or other types of paid or unpaid leave because of an illness caused by problems with Phoenix can also be compensated.
Description and Scope
This PIA assessed the aspects of the collection, use, disclosure, retention and disposal of personal information as they relate to the proposed processes for the implementation of the Tier 3 claims under the Phoenix pay system damages agreements. This included:
- the collection of Tier 3 claims applications through the Tier 3 Claims Website Portal or via regular mail or courier to the TBS Claims Office; and
- the processing of Tier 3 claims by the TBS Claims Office.
Why the Privacy Impact Assessment Was Necessary
Under subsection 6.3 of the TBS Directive on Privacy Impact Assessment, institutions must undertake PIAs for programs and activities when:
- personal information is used for or is intended to be used as part of a decision-making process that directly affects the individual;
- upon substantial modifications to existing programs or activities where personal information is used or intended to be used for an administrative purpose; and
- contracting out or transferring a program or activities to another level of government or the private sector results in substantial modifications to the program or activities.
The 2019 and 2020 (Memorandum of Agreements) MOA on Phoenix damages included three tiers of damages. These tiers required the collection of additional personal information to make an administrative decision on specific damages, as defined in each tier of the claims process. As a result, a PIA was required to comply with the rules governing the collection, use, disclosure, and protection of personal information.
Privacy Impact Assessment Objectives
This document summarizes the results of the Tier 3 claims under the Phoenix pay system damages agreements. The PIA includes an analysis of the potential privacy risks related to the collection, retention, use, disclosure, and disposition of personal information associated with the assessment and resolution of claims that were processed by the Claims Office. The PIA was conducted to ensure sound management and decision-making practices in the claims process, as well as careful consideration of privacy risks with respect to the collection and handling of sensitive personal information.
Privacy Impact Assessment Findings and Risk Summary
This PIA identified three medium-level privacy risks:
- the formal processes, the contracts for third-parties concerning complex cases not being finalized;
- retention and disposal standards as being “under development”; and
- claims procedures, privacy control documentation and readiness training content to be updated.
The Claims Office is working to mitigate all medium-level privacy risks in a timely manner.
In addition, three low-level risks were also identified however, the Claims Office is working to mitigate all identified privacy risks.
Action Plan – Risk Mitigation
Mitigation measures have been developed in response to each privacy risk identified in the PIA. These mitigation measures are intended to ensure that TBS and stakeholders involved in the processing of claims comply with:
- retention of personal information;
- accountability; and
- safeguards.
All risks are actively being mitigated based on the recommendations put forth as part of this PIA.
Page details
- Date modified: