Employee Wellness Surveys - Privacy impact assessment summary

Introduction

This privacy impact assessment (PIA) assesses the privacy impact of the Employee Wellness Surveys (EWS) and associated Pulse check Surveys, which will operate under the Financial Administration Act and link self-response data (from the internally administered online survey) to existing administrative databases.

Objective

A privacy impact assessment for EWS and associated Pulse check Surveys was conducted to determine if there were any privacy, confidentiality or security issues with this initiative and, if so, to make recommendations for their resolution or mitigation.

Description

The HR Business Intelligence, Wellness, and Transformation Division at Statistics Canada has the mandate of developing robust EWS and associated Pulse check Surveys for internal collection (i.e., the survey will only be administered to Statistics Canada and Statistical Survey Operations employees). These surveys will use valid and published scales (please see project description for specific information on these scales) which will be linked to relevant administrative databases in order to offer up-to-date and representative measurement of the state of Statistics Canada’s psychological health and safety, all while reducing unnecessary response burden on participants. These robust and representative data will then inform evidence-based and appropriate interventions, and provide practical insights and recommendations to all levels of management. More specifically, the EWS will allow the Organizational Health team to understand where challenges to psychological health and safety reside, where resources to help bolster psychological health and safety exist, and how to best improve overall psychological health and safety, and ultimately, performance. Since this program is an internal survey, it will be conducted under the Financial Administration Act, and not the Statistics Act.

Risk Area Identification and Categorization

The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:

a) Type of program or activity

Program or activity that does not involve a decision about an identifiable individual.

Risk scale: 1

b) Type of personal information involved and context

Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

Risk scale: 2

c) Program or activity partners and private sector involvement

Within the institution (among one or more programs within the same institution).

Risk scale: 1

d) Duration of the program or activity

Long-term program or activity.

Risk scale: 3

e) Program population

The program's use of personal information for internal administrative purposes affects all employees.

Risk scale: 2

f) Personal information transmission

The personal information is used in a system that has connections to at least one other system.

Risk scale: 2

g) Technology and privacy

All personal information will be kept within Statistics Canada, and on Statistics Canada servers. Because of the security measures already in place, a technology or privacy breach risk is low.

h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

In the case of a privacy breach, there will be an intermediate impact on employees, as this breach could bring embarrassment and slight discomfort to those affected.

i) Potential risk that in the event of a privacy breach, there will be an impact on the institution.

There should be very low impact to the institution in the event of a privacy breach.

Conclusion

This assessment of the EWS did not identify any privacy risks that cannot be managed using existing safeguards.