Privacy Impact Assessments
Human Resources Information System, Version 3.4 Privacy Impact Assessment
Introduction
The Human Resource Information System (HRIS) is an integrated system designed to meet the human resource management needs of Canadian government organizations. The purpose of the HRIS is to assist in the management of human resource transactions such as staffing, training, position classification and leave credits. Consequently it captures employee and contractor information relating to their official languages, education, employment equity, conflicts of interest, security classification and other career management issues. HRIS consists of seven main tools that can be configured by the user to meet operational needs. The tools are: Administration, Position, Employee, Staffing, Training, Leave and Reports.
The Treasury Board Secretariat has endorsed the HRIS as one of the shared systems initiatives currently used by 32 small- and medium-sized federal departments and agencies.
Privacy Impact Assessment
Elections Canada completed a privacy impact assessment (PIA) of the HRIS system in 2005. Elections Canada has initiated the self-serve leave module and has consequently updated its PIA.
The HRIS self-serve leave module involves the collection, use and disclosure of personal information of Elections Canada employees and does not affect or deal with the personal information or privacy issues related to the general public. The module contains the following personal information: leave types, entitlements, credits and history, time taken, outstanding balance and holidays. The system automatically calculates leave entitlements and credits, and applies them against leave taken.
The PIA has made two recommendations to strengthen the privacy protection of the personal information contained in the HRIS system.
The first recommendation is to ensure that users of the system are provided with adequate instruction on the operation of the module and on general privacy policies. In addition to the HRIS-specific training, general privacy training sessions are being offered to all agency employees.
The second recommendation is to develop a written complaints procedure to ensure that complaints are fully documented and resolved. The procedures are being developed and details will be provided to employees when they have been approved.
The PIA recommendations are being implemented. A threat and risk assessment was also conducted and authentication issues have been addressed. With the implementation of the recommended enhancements, it has been determined that there are no significant risks in Elections Canada's use of the self-serve system.