PeopleSoft v8.9 – Human Resources Management System – Privacy Impact Assessment

Executive Summary

The Privacy Impact Assessment (PIA) that has been completed is directed at the PeopleSoft Government of Canada Human Resources Management System version 8.9 that has been implemented at DFAIT. It (PIA) evaluates whether the Human Resources Management System (GC HRMS) complies with privacy requirements. The focus of the assessment is on personal information collected, used, disclosed and retained within the system. It does not encompass HR–related information that exists outside of HRMS, nor does it depict information within the system that is not considered "personal" as per the Privacy Act.

The PIA is based on current information and reflects HRMS as per the production upgrade effective May 4, 2009, and the planned deployment of the Government of Canada Pay Interface (GCPI) and ePay Card functionality.

In order to ensure that employee records were complete for additional PeopleSoft directed initiatives (e.g. Government of Canada Pay Interface (GCPI)), the upgrade did require that salary information be captured for each employee. This represents a new collection and the capturing of personal information.

The PIA that has been completed addressed the following modules currently in use at DFAIT:

Delivered by GC

  • Position Management
  • Workforce Administration
  • Base Benefits
  • Enterprise Learning
  • Competency Management
  • Employment Equity
  • Labour Administration
  • Employee Self–Service
  • Manager Self–Service

Unique to DFAIT

  • Posting Administration
  • Posting Preferences
  • Foreign Service Allowance
  • Personnel Security
  • General Inquiries

and, modules currently under development for deployment in fiscal 2010–11:

Delivered by GC

  • Government of Canada Pay Interface (GCPI)
  • ePay Card

Unique to DFAIT

  • N/A

Any further additions to this scope will require an update to the completed PIA. The assessment is considered dynamic, requiring periodic reviews and updates in order to keep pace with the addition of new modules or a change in use that could alter privacy risks.

The PIA identifies two areas of non–compliance with privacy requirements for the PeopleSoft GC Human Resources Management System (HRMS) version 8.9. These areas of non–compliance are:

  • Authorization of HRMS users (medium–level risk)
  • Procedures and documentation (medium–level risk)

These identified privacy risks can be mitigated by:

Authorization of HRMS users

  • Managers must report to the Human Resources Management Security Administrator when any access requirements for named users change.
  • Greater use and reliance upon PeopleSoft Audit (PS Audit) for purposes of tracking changes to key elements of HRMS data. Audit reports are available and should be run regularly to confirm the movement of individuals, either within HR or to outside HR.
  • Employees should be provided with periodic reviews of ATIP training on handling of personal information.
  • Periodic audits of compliance with privacy requirements should take place every two years, or as required if there is a breach of privacy requirements.

Procedures and Documentation

Establish a HRMS data retention and archiving policy with a view to establishing schedules for personal information retention and disposition. (Presently this is being risk managed as it is a tolerable risk given the existing operating environment.)

Conclusion

The PIA report constitutes DFAIT’s response to its obligations under the Treasury Board of Canada Privacy Impact Assessment Policy and is intended to ensure that Privacy considerations have been adequately addressed in the deployment of the PeopleSoft GC HRMS v.8.9.

The nature and scope of PeopleSoft GC HRMS v8.9 indicate few privacy issues as contemplated by the PIA Guideline questionnaires. The mitigation strategies presented in this document respond to those issues. Finally, it is important to emphasize that privacy risk management is an on–going exercise to be considered as the nature and use of this tool evolves.