Introduction
This PIA assesses the privacy impact of the Employment and Accessibility Survey and the associated asynchronous online engagement, which will operate under the Financial Administration Act and link self-response data (from the internally administered online survey) to existing administrative HR databases.
Objective
A privacy impact assessment for the Engaging DisAbility Innovation study was conducted to determine if there were any privacy, confidentiality, or security issues with this initiative and, if so, to make recommendations for resolution or mitigation.
Description
The Equity, Diversity, Talent Management and Workforce Strategy Division at Statistics Canada has the mandate of improving the accessibility of every aspect of the employee journey. This includes, but is not limited to recruitment, retention, promotion and workplace accommodation. As such, the Engaging DisAbility Innovation study was created, consisting of the quantitative Employment and Accessibility Survey via Statistics Canada's standard statistical Electronic Questionnaire System and associated qualitative asynchronous online engagement via the Recollective platform.
The HR Business Intelligence, Wellness, and Transformation Division at Statistics Canada has the mandate of developing robust evidence for decision-making in response to the requirements of the Accessible Canada Act. These studies will use valid research methods linked to relevant administrative HR databases in order to offer up-to-date and representative measurements of the accessibility of Statistics Canada's operations. These robust and representative data will help inform evidence-based and appropriate interventions and provide practical insights and recommendations to all levels of management.
More specifically, the study aims to help the Accessibility Secretariat to understand where challenges of accessibility and safety reside, where resources to help bolster accessibility exist, and how to best improve overall accessibility of Statistics Canada's recruitment, retention and promotion process, operational practices, and ultimately, employee performance.
This survey and accompanying engagement will only be administered to Statistics Canada and Statistical Survey Operations employees. Since this program is internal, it will be conducted under the Accessible Canada Act and the Financial Administration Act, and not the Statistics Act.
Risk Area Identification and Categorization
The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:
a) Type of program or activity
Program or activity that does not involve a decision about an identifiable individual.
Risk scale: 1
b) Type of personal information involved and context
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
Risk scale: 2
c) Program or activity partners and private sector involvement
Within the institution (among one or more programs within the same institution)
Risk scale: 1
d) Duration of the program or activity
One-time program or activity.
Risk scale: 1
e) Program population
The program's use of personal information for internal administrative purposes affects all employees (i.e., not a single employee, but the data is used to improve internal processes to increase accessibility, which ultimately will benefit all employees)..
Risk scale: 2
f) Personal information transmission
The personal information is used in a system that has connections to at least one other system.
Risk scale: 2
g) Technology and privacy
This new program activity involves the use of a new application called Recollective, which will be used for qualitative engagement purposes. All personal information (including EAS data and de-identified EDI engagement responses) will be stored in a secure Statistics Canada environment.
This new program activity does not require any modifications to information technology (IT) legacy systems.
This new program activity does not involve the implementation of new technologies, or one or more of the following activities:
- enhanced identification methods (e.g., biometric technology);
- surveillance; or
- automated personal information analysis, personal information matching and knowledge discovery techniques.
h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.
The risk of a breach of the personal information being disclosed without proper authorization is very low. The impact on the individual would be minimal, as Human Resources will hold the administrative data in its databases, the survey data on the Corporate Access Request System (CARS) and the engagement data within protected digital workspaces. None of the databases will leave Statistics Canada Human Resources' network, and survey microdata will only be shared with the analysts within the Demographic and Sociocultural Statistics Division with special dispensation to work with these data. If a breach of Statistics Canada administrative databases were to occur, this would impact the agency more broadly than a breach of the databases holding these data would. Information contained in the Employment and Accessibility Survey (EAS) pertains to engagement, motivation, workload management, and other psychological variables that could cause embarrassment and inconvenience, but nothing more (i.e., these surveys do not contain sensitive information). Only aggregate data at the field level will be presented to supervisors of respondents. In the cases where supervisors within the Accessibility Secretariat and the Diversity and Sociocultural Statistics Division might be consulted on the data analysis, they will not view or have access to the microdata.
Recollective, the platform used for the engagement component, uses proactive system monitoringFootnote 1 with real-time tracking of the health of its infrastructure. Recollective uses the Suricata IDS system installed on our VPN firewall to log and track activities and trigger notifications. Servers, domains, network devices and SSL certificates are monitored 24/7 and alerts are escalated to one or more team members that are on-call. In the unlikely event of a security incident, several key steps will be taken by the contractor, including: (1) immediate action required to protect impacted sites and their data such as closing access or resetting all user passwords; (2) a detailed review of log files generated by intrusion detection devices, VPN access points, web servers, application servers, operating systems and databases to assess the impact of any reported incident; (3) formal notification to impacted customers within 24 hours of the data breach detection; and (4) remediation plans are assessed, actioned, and communicated to all stakeholders on a continuous basis.
i) Potential risk that in the event of a privacy breach, there will be an impact on the institution.
There is a very low risk of a breach of the personal information being disclosed without proper authorization. In the event of a breach of Statistics Canada's administrative databases, the impact on the institution would be significant and more broadly than a breach of the survey data would. Information contained in the Employment and Accessibility Survey pertains to engagement, motivation, workload management, and other variables that could cause embarrassment and inconvenience, but nothing more (i.e., these surveys do not contain sensitive information).
The technological risk of a privacy breach on Recollective is minimal, as described above. However, the risk of participants disclosing identifying information about themselves or others during the engagement is higher and of most risk to the participants themselves (rather than the agency). This is because certain information could put a participant at risk of reprisal or change their standing in the workplace, should they be inadvertently identified by their colleagues or supervisor(s). To mitigate this risk, Statistics Canada will create the conditions for participants to choose their own anonymous usernames for the engagement. The project team will also monitor the engagement platform regularly over the course of the time-limited engagement to ensure participants do not reveal identifying information. If a participant mistakenly identifies themselves or others, then the engagement facilitators will quickly act to remove that personal information. Statistics Canada will also ensure that participants are not placed in the same study group as their supervisors (should an employee and their supervisor both sign up for the engagement).
Conclusion
This assessment of the Engaging DisAbility Innovation study did not identify any privacy risks that cannot be managed using existing safeguards.