Privacy Impact Assessment Summary for Phoenix Claims Process

From: Treasury Board of Canada Secretariat

Introduction

This document provides the results of the privacy impact assessment (PIA) for the Treasury Board of Canada Secretariat (TBS) Claims Office (October 2019).

Background:

When the Phoenix pay system was implemented in February 2016, issues with the accuracy of public service payments were reported almost immediately throughout federal institutions. To deal with these issues, TBS established a new claims process for current and former Government of Canada (GC) employees to provide compensation for damages resulting from the implementation of the Phoenix pay system. Beginning in May 2017, employees who required tax advisory services because of Phoenix pay system issues were eligible to claim a reimbursement of up to $200.

A detailed PIA was completed in April 2017 on the out-of-pocket claims process and the expanded coverage for tax advisory services.

In 2019, members of the joint union-management committee on Phoenix damages reached an agreement with bargaining agents that would cover more than 146,000 current and former employees who may have been severely impacted by the Phoenix pay system. The agreement:

  • identified 3 tiers of compensation that these employees are eligible for
  • further expanded the scope and amount of personal information that the TBS Claims Office will need to obtain

Therefore, the Claims Office has decided to revise their 2017 PIA to:

  • account for the new practices
  • assess and mitigate potential privacy risks

Description and Scope:

The PIA assessed risks associated with the TBS claims process for compensation of out-of-pocket expenses and lost investment interest as described in the Memorandum of Agreement on Damages Caused by the Phoenix Pay System.

The TBS Claims Office uses, discloses, transmits and retains sensitive personal information associated with claims for unexpected expenses incurred by claimants (current or former employees) as a result of issues with the Phoenix Pay System. Personal information collected, used, disclosed, transmitted or retained by the Claims Office can include a wide range of particularly sensitive personal information, including, but not limited to:

  • social insurance numbers, Personal Record Identifiers (PRIs), dates of birth, mailing addresses
  • employment or pay information (classification, years worked, gross pay, deductions, net pay, payroll taxes)
  • personal bank account, credit card, line of credit or mortgage statements, and default notices
  • rental arrears or eviction notices
  • loan or repossession statements for vehicles, boats, trailers or other assets
  • utility bills, disconnection notices, tuition receipts or service bills and notices (if an employee was unable to pay bills and was charged interest)
  • claims for the reimbursement of tax advisory services
  • claims for lost investment interest
  • claim payment amount

Why the Privacy Impact Assessment Was Necessary

Under subsection 6.3 of the TBS Interim Directive on Privacy Impact Assessment, institutions must undertake PIAs for programs and activities when:

  • personal information is used or intended to be used in a decision-making process that directly affects individuals
  • substantial modifications are made to existing programs or activities where personal information is used or intended to be used for an administrative purpose
  • contracting out or transferring programs or activities to another level of government or to the private sector results in substantial modifications to the program or activities

The 2019 agreement on Phoenix damages includes 3 tiers of damages. These tiers required the collection of additional personal information in order to make an administrative decision on specific damages, as defined in each tier of the claims process. As a result, a PIA was required to comply with the rules governing the collection, use, disclosure and protection of personal information.

Privacy Impact Assessment Objectives:

This document summarizes the results of the PIA of the TBS claims process. The PIA includes an analysis of the potential privacy risks related to the collection, retention, use, disclosure and disposition of personal information associated with the assessment and resolution of claims that were processed by the Claims Office. The PIA was conducted to ensure sound management and decision-making practices in the claims process, as well as careful consideration of privacy risks with respect to the collection and handling of sensitive personal information.

Privacy Impact Assessment Findings and Risk Summary:

This PIA identified 3 high-level privacy risks:

  • the disclosure or sharing of personal information
  • over-retention of information
  • the necessity to formalize processes surrounding the removal of temporary information from interim media

The Claims Office is working to mitigate all high-level privacy risks in a timely manner and has resolved the third risk since the PIA was submitted.

In addition, 3 medium risks and 5 low-level risks were identified relating to the operational readiness of the Claims Office. The Claims Office is working to mitigate all identified privacy risks.

Action Plan – Risk Mitigation:

Mitigation measures have been developed in response to each privacy risk identified in the PIA. These mitigation measures are intended to ensure that TBS and departments involved in the processing of claims comply with:

  • the Privacy Act
  • the rules concerning the collection, use, disclosure and protection of personal information

All risks are actively being mitigated based on the recommendations put forth as part of this PIA.

Page details

Date modified: