Privacy Impact Assessment (PIA) Summary of PeopleSoft Version 8.9 and Security Module
Section I – PIA Overview
- Name of program or activity:
PeopleSoft Version 8.9 and Security Module
- Institution responsible for maintaining the application:
Department of Justice Canada
- Government official responsible for the privacy impact assessment:
Director General, Human Resources Branch
- Head of institution/delegate:
Assistant Deputy Minister, Management Sector and Chief Financial Officer (CFO)
- Description of program or activity:
PeopleSoft is a shared-systems initiative begun by Treasury Board in 1994. The Department of Justice (hereinafter referred to as the Department) was one of the original six departments to adhere to PeopleSoft as its Human Resources Management System (HRMS) back in 1996.
PeopleSoft records and provides information that assists in managing, developing, implementing, and advising on a wide variety of human resources (HR) management programs and policies including those in the areas of staffing, classification, labour relations, compensation, employment equity, HR Planning and official languages. In addition, the application also provides self-service functionalities to users such as leave administration, training and security screening.
This program activity supports both of the Department's strategic outcomes. The high-quality services and support provided by internal services allow the Department to minimize corporate risks and support Government priorities.
To support internal services, of which HR Management is a sub-sub program in the Department’s Program Activity Architecture, PeopleSoft is utilized to support multiple HR functions across the Department as well as the Public Prosecution Service of Canada.
Unique to the Department of Justice and a few other departments is the use of a security screening module within the application which assists in processing security screening applications of the Department of Justice employees.
Information collected in PeopleSoft includes sensitive information such as compensation information, name, date of birth and home address. The processing and assessment of employees' security screening applications includes self-admissions of criminal convictions, results from the Royal Canadian Mounted Police and the Canadian Security Intelligence Service, credit report results or other contextually sensitive information.
- Description of the class of record(s) associated with the program or activity:
There are multiple Standard Classes of Records related to PeopleSoft, which are as follows:
- Awards Pride and Recognition (PRN 940)
- Classification of Positions (PRN 919)
- Compensation and Benefits (PRN 941)
- Employment Equity and Diversity (PRN 942)
- Information Management (PRN 944)
- Official Languages (PRN 923)
- Performance Management Reviews (PRN 946)
- Recruitment and Staffing (PRN 920)
- Relocation (PRN 936)
- Security (PRN 931)
- Training and Development (PRN 927)
- Personal information bank(s):
There are multiple Personal Information Banks related to PeopleSoft, which are as follows:
- Attendance and Leave (PSE 903)
- Staffing (PSE 902)
- Discipline (PSE 911)
- Employee Personnel Records (PSE 901)
- Employee Equity and Diversity (PSE 918)
- Grievances (PSE 910)
- Harassment (PSE 919)
- Occupational Safety and Health (PSE 907)
- Official Languages (PSE 906)
- Pay and Benefits (PSE 904)
- Employee Performance Management Program (PSE 912)
- Recognition Program (PSE 920)
- Training and Development (PSE 905)
- Values and Ethics Codes for the Public Sector and Organizational Code(s) of Conduct (PSE 915)
- Personnel Security Screening (PSU 917)
- RCMP – Security/Reliability Screening Records (CMP PPU 065)
- CSIS Employee Security (SIS PPE 815)
- Legal authority for the program or activity:
The authority over HR matters in government is divided between the Treasury Board Secretariat (TBS) and the Public Service Commission. The Public Service Commission has responsibility under section 11 of the Public Service Employment Act (PSEA) for staffing management, including staffing delegation, priority administration and workforce adjustment, political activities, employment equity and the conduct of audits and investigations.
TBS is responsible for HR management for public servants in the federal public administration under sections 7, 11, 11.1, 12, 12.1 and 12.2 of the Financial Administration Act (FAA). The Department is part of the core federal administration. There is provision under subsection 15(1) of the PSEA and subsection 12(1) of the FAA for delegation of certain authority to deputy ministers of departments and under subsection 12.2 of the FAA for sub-delegation from the deputy minister to other officials.
- Summary of the project/initiative/change:
The PeopleSoft Government of Canada (GC) HRMS is the HR Management System endorsed by the Government of Canada. The HRMS-PeopleSoft application tracks all Human Resources Management activity as well as all workforce data. It is used to monitor policy applications, departmental progress vis-à-vis the Management Accountability Framework as well as responding to mandatory central agency reporting and departmental reporting requirements (i.e. demographic data for HR planning purposes), to maintain key human resources information both current and historical on all departmental employees. The HRMS-PeopleSoft application is necessary for the effective management of the human resources of the Department. It is also used by specific corporate units for particular workflows, such as the Personnel Security Service Unit for the application and completion of security screening applications, the Finance Division for delegation tracking, and others.
A PIA has never been authored on the Department’s use of PeopleSoft, which has been utilized by the Department since 1996, prior to the PIA requirements in the Privacy Impact Assessment Policy.
In February 2013, PeopleSoft implemented significant new functionality to the Security module which supports the security screening processes for employees and employee applicants.
The Personnel Security module began collecting and storing almost all information related to both the security screening process and employees. While this cluster of personal information has always been collected by JUS in the past, it had never been maintained in an information system nor was a self-service function available to employees.
The current PIA addresses the overall functionality of PeopleSoft at the Department as well as a detailed description of the security module and how it supports manual processes by security screening officers.
Section II – PIA Risk Area Identification and Categorization
The following section summarizes risks that were identified in the PIA regarding the changes made to PeopleSoft.
A risk scale has been included for each section. The numerical risk scale is presented in ascending order, the first level (1) representing the lowest level of potential risk for the risk area and the fourth level (4) representing the highest level of potential risk. Please refer to Appendix C of the TBS Directive on Privacy Impact Assessments to learn more about the risk scale.
- Administration of Programs, Activity and Services
Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.)
Personal information stored in PeopleSoft is used to facilitate decisions about staffing positions, pay, security screening and other facets of HR. Therefore, a level 2 risk was identified.
- Type of personal information involved
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Information collected in PeopleSoft includes sensitive information such as compensation information, name, date of birth and address which are sensitive in the area of identity theft. For these reasons a level 3 risk applies. Additionally, the Department uses PeopleSoft for processing and assessing security screening applications of its employees which may include self-admissions of criminal convictions, results from the Royal Canadian Mounted Police (RCMP) and Canadian Security Intelligence Service (CSIS), credit report results, or other sensitive information which is contextually sensitive. Although data stored in PeopleSoft regarding RCMP, CSIS, and credit report results is limited to a positive or negative response data element (list of values), such a response identifies highly sensitive information. Therefore, a level 4 risk has also been assessed.
- Program or Activity Partners and Private Sector Involvement
Within the institution (amongst one or more programs within the same institution) and with other federal institutions.
PeopleSoft is used by various units within the Department to process pay, track awards, submit/approve training and leave, process security screening activities, and other human resources functions. For these reasons, a level 1 risk has been assessed.
- Duration of the Program or Activity
Long-term program – existing program that has been modified or is established with no clear “sunset”.
The Department’s use of PeopleSoft is a long-term solution, therefore, a level 3 risk has been assessed.
- Program Population
The program affects all employees for internal administrative purposes. Please note that the personal information of other individuals, references and emergency contacts, is also collected, but only insofar that they relate to the employee. Therefore, the administrative purpose remains internal.
The use of PeopleSoft at the Department affects all employees for various internal purposes, including, but not limited to pay, leave, staffing, training, and security screening. For this reason, a level 2 risk has been assessed.
- Technology and Privacy
The program requires modifications to information technology (IT) legacy systems and/or services.
The program will use automated personal information analysis, personal information matching and knowledge discovery techniques. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis, and may involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behaviour.
- Personal Information Transmission
The personal information is used in a system that has connections to at least one other system. The program or activity involves one or more connections to the Internet, Intranet or any other system. Circulation of hardcopy documents is not controlled. The personal information may be transferred to a portable device or printed. USB key, diskette, laptop computer, any transfer of the personal information to a different medium.
PeopleSoft has connections to several government information systems that are related to the compensation and employment equity of the federal workforce. All connections to other systems utilize appropriate security measures to facilitate the data transfer.
- Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
If a privacy breach were to occur on personal information stored in PeopleSoft, it could cause reputational and financial harm to the individual. The data stored in PeopleSoft contains sensitive financial information and personal details that could be used to support identity theft. Moreover, limited information is stored in PeopleSoft regarding information required for the processing of security screening, such as the applicant’s self-admission of criminal convictions (if any), and response statuses from the RCMP, CSIS and credit bureau. Such information could moderately to severely damage an individual’s reputation and livelihood. There may be a need to evaluate the possibility of putting in place a tracking system of individuals accessing the personal information in order to prevent moles.
- Potential risk that in the event of a privacy breach, there will be an impact on the institution
A privacy breach of employee information could cause serious reputational harm to the Department. The Department is grounded in professionalism and confidentiality, so, depending on its scope and severity, a widespread or severe privacy breach would cause significant harm to the Department. There may be a need to evaluate the possibility of putting in place a tracking system of individuals accessing the personal information in order to prevent moles.
Section III – Conclusion
The following represents the summary of privacy risks, analyses, and recommendations for a post PIA action plan. This section incorporates risks that were identified in the Threat Risk Assessment (TRA) of PeopleSoft (2012) and the internal audit of PeopleSoft (2011). The issues are enumerated based on the assessed risk (high, medium, and low).
- Safeguards/Use of Personal Information: The Department currently maintains a process whereby terminated or separated employees’ access to PeopleSoft results in an immediate notification to the PeopleSoft Team, which inactivates the user ID within one business day. However, a similar notification is not made for the beginning/end of acting assignments, promotions, or demotions. This results in employees having inappropriate user rights. In some instances, the delay is several weeks, therefore, this is considered a medium risk. The PeopleSoft Team is currently developing a solution that will result in an immediate notification of all such staff actions so that user rights can be reviewed and modified as needed and in a timely fashion (one business day). The new solution is expected to be completed by March 2014.
- Safeguards: The PeopleSoft application stores and processes Protected B information; however, the application’s Certification and Accreditation (C&A) expired in December, 2008. Considering the expanded functionality of the security module was implemented in 2013, the lack of a C&A for the application is a medium risk.
- Safeguards: There is a risk that the Department staff will not afford the appropriate security safeguards to PeopleSoft data due to a lack of an up-to-date security policy and robust security awareness deliverables. First, in the Department’s internal audit of PeopleSoft in March 2011, compensation and financial data was misclassified in the Department’s Information Assurance Guide as being Protected A and not Protected B.
Second, the internal audit states that more than 100 reports are available in PeopleSoft, which utilize a header stating “PROTECTED” but do not specify whether the data is Protected A or Protected B. As a next step, Human Resources Branch (HRB) will review their Reports Library to identify the level of protection for each individual report.
Third, since at least 2011, security awareness deliverables have not been provided to staff regarding HR data or PeopleSoft in general. In fact, general security awareness to new employees (during orientation training sessions) is also inadequate.
And fourth, existing security policies within the Department need to be updated so that they are properly aligned with the Policy on Government Security and the TBS policy suite renewal of 2009.
This risk is exacerbated by the fact that the Security module now collects and stores additional sensitive data on employees, such as self-reported criminal convictions, criminal records check result from the RCMP, security assessment results from CSIS, and credit report results. Therefore, based on these multiple factors, the lack of a properly aligned security policy and security awareness program is considered a medium risk.
- Safeguards: As of November 2013, the privacy breach procedures for the Department were in draft form. It is important that these procedures are approved and communicated with staff. In conjunction with the security policy and awareness risks (see #3 above) and recent privacy breaches this risk is considered medium.
- Use of Personal Information/Safeguards: There is a risk that non-Department of Justice employees’ access to Department of Justice employee data will result in a privacy breach. Currently, the Department of Justice lawyers co-locate across most departments in Legal Services Units (LSUs) and are provided support staff by client departments. Some of these support staff are granted access to the Department’s PeopleSoft application. Currently, there is a lack of guidelines, policies, and procedures which would limit the access of these non-Department of Justice support staff. The TRA for PeopleSoft (March 2012) identified a risk in that strict guidelines are not in place for the granting of access privileges to these non-Department of Justice staff. The Department is aware of this risk and has been formulating a guideline to address it. It is expected to be completed by March 2014. This risk is considered low.
- Use of Personal Information: PeopleSoft data is used for non-administrative purposes (e.g. research, statistics, audit, evaluation), but a Privacy Protocol for Non-Administrative Purposes does not exist, as required by section 6.2.15 of the Policy on Privacy Protection. The protocol document will be drafted by the departmental Access to Information and Privacy (ATIP) Office and is expected to be finalized and communicated by them. In the interim, managers are directed by the ATIP office to general TBS policies and directives as well as to the information provided to them in ATIP awareness sessions when establishing their own practices. This risk is considered low.
- Retention and Disposal: The Department has not formally documented retention and disposal procedures for data stored in PeopleSoft. This results in information being maintained by JUS with no definitive plan in place to destroy data past established time limits of a Records Disposition Authority (RDA). However, due to the technical difficulties related to archiving and deleting data considered to be part of the base product, even if procedures were in place the Department would be unable to follow them as the GC HRMS Program Centre has not yet established archival and destruction business requirements for the base product.
The only procedures that could be developed by the Department are those related to modules that are not considered part of the base product. For the Department, this is restricted to the following modules: FastTrack HR, Performance Pay, and Security. However, it is possible that FastTrack and Performance Pay would present difficulties based on how they interact with the base product.
The Department will initiate a project to determine if a schedule can be developed for all three modules and, if feasible, establish procedures for the destruction of related information. This risk is considered low.