OSFI – Summaries of Privacy Impact Assessments
1. February 2024
Description of the program or activity
This PIA has been developed to assess the third-party staffing tool VidCruiter for the Office of the Superintendent of Financial Institutions' staffing purposes.
VidCruiter is a Canadian company that offers video interviewing software with live and pre-recorded options. OSFI has procured VidCruiter to increase efficiencies in recruitment and staffing through the Applicant Tracking System (ATS), virtual assessments and interviews. For the length of the contract, a select number of OSFI staffing personnel will be permitted to use VidCruiter to conduct video-based interviews with candidates.
Why a privacy impact assessment (PIA) was completed
The Directive on Privacy Impact Assessment requires that institutions conduct PIAs:
- when personal information may be used as part of a decision-making process that directly affects the individual
- when there are major changes to existing programs or activities where personal information may be used for an administrative purpose (meaning as part of a decision-making process that directly affects the individual)
- when there are major changes to existing programs or activities as a result of contracting out or transferring programs or activities to another level of government or to the private sector
The objective of the PIA is to assess privacy risks associated with the collection and use of personal information by VidCruiter for the recruitment and hiring of OSFI personnel. OSFI is subject to the TBS Directive on Privacy Impact Assessment (PIA), which requires that federal government institutions ensure privacy implications will be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented.
More information
- Collection of personal information that is not relevant/necessary for staffing purposes.
- User's profile credentials are compromised or not regularly updated resulting in unauthorized access/disclosure.
- Staff involved in the staffing process have not received appropriate privacy training.
- There is a risk of sabotage (tampering, vandalism) and espionage (social engineering, eavesdropping) by an unauthorized user obtaining access to VidCruiter due to weak identity and authorization controls.
- There is a risk of sabotage (tampering, vandalism) and espionage (social engineering, eavesdropping) by an employee obtaining unauthorized access due to a lack of technical controls or process documentation to prevent users from accessing a selection process they are involved in.
If you would like more information about this PIA, contact Priv@osfi-bsif.gc.ca
2. June 2023
Transformation Office Data Analytics Initiative
Description of the program or activity
The Transformation Office (TO) (a new enterprise function established in April of 2022) is responsible for OSFI's Blueprint Transformation initiatives and ensuring they are fully integrated on both operational and strategic levels. To do this, TO requires access to and sharing of data sources from different functional units across OSFI. The objective of gaining access to these data sets is to enable data analytics to inform decision-making and monitor progress and the pace of transformational change.
Why a privacy impact assessment (PIA) was completed
The Directive on Privacy Impact Assessment requires that institutions conduct PIAs:
- when personal information may be used as part of a decision-making process that directly affects the individual
- when there are major changes to existing programs or activities where personal information may be used for an administrative purpose (meaning as part of a decision-making process that directly affects the individual)
- when there are major changes to existing programs or activities as a result of contracting out or transferring programs or activities to another level of government or to the private sector
Given that the Initiative involves the collection and use of personal information, OSFI decided to engage an independent privacy consultant to develop a Privacy Impact Assessment (PIA) to ensure that potential privacy risks are accounted for, analyzed and mitigated as required. The personal information collected through the initiative will only involve OSFI employee personal information. Information collected will not be used to make an administrative decision on a specific individual and will only be used at an aggregate level to report on transformation progress and inform decision-making.
More information
At the time of development of this PIA, a contract/licensing agreement was not in place with Voxco and, as such, a review of the privacy and personal information safeguards outlined within the contract/licensing agreement was not possible.
- The Transformation Analytics (TA) team will be uploading personal information with a potential designation of up to Protected A that will also be linked to employee opinions within the Voxco survey tool. A Security Requirements Check List (SRCL) was completed in 2017, but that analysis did not consider the uploading of HR demographic data and its linkage to employee opinions within the online tool.
- A review of the Draft Privacy Notice Statement (PNS) included within communication material and the email that will be sent to employees (which will be used to access the questionnaire) determined that, while it has some of the elements required by the TBS Directive on Privacy Practices, the PNS as currently drafted does not include all of the elements required.
- There are currently no Information Sharing Agreements (ISAs) between TO and the other functional units that will be providing employee PI for the Initiative.
- The TA Team has begun to draft but has not finalized internal procedures to ensure that personal information is collected, used and safeguarded appropriately in accordance with the Privacy Act and TBS privacy-related policies and directives.
- At the time of development of this PIA, questionnaires within Voxco had not been developed and the extent to which Voxco functionality and features that limit the collection of PI would be used was not known.
If you would like more information about this PIA, contact Priv@osfi-bsif.gc.ca
3. February 2022
Annual Confidential Reporting Process
Description of the program or activity
The OSFI Conflict of Interest Policy (March 2021) was implemented in March 2011 and has since been updated. The objective of the policy is to minimize risks associated with conflict of interest situations to preserve public confidence in OSFI's integrity, objectivity, and impartiality, as well as the independence of OSFI in the financial system.
Prior to 2019, the reports were collected from employees through an individual email process and through paper-based submission. The reports and supporting documents were transferred and saved in eSpace, OSFI's system of record.
As part of the Cloud Strategy, OSFI is using the Annual Confidential Report (ACR) process as a pilot along with using the Cloud (Microsoft Azure).
Why a privacy impact assessment (PIA) was completed
OSFI has determined that, pursuant to s. 6.3.1 of the Treasury Board Secretariat (TBS), Directive on Privacy Impact Assessment, a PIA was necessary to assess the collection, use, disclosure, safeguards and retention/disposal of personal information collected in OSFI's Annual Confidential Report (ACR) process (activity) within the HR division.
The justification for this PIA was based on the following factors:
- use of an automated system using Power Automate (a new application);
- location of the personal information at rest, from on premise to the Cloud (MS Azure); and,
- decisions are made on the personal information provided by the employees throughout the ACR process.
More information
- It is understood that the electronic and automated ACR is a pilot and subject to ongoing updates, upgrades, and changes. During the assessment, it was noted that PDF attachments were used rather than hyperlinks. The use of PDFs in emails has been identified as a risk of inadvertent disclosure of personal information, leading to a privacy breach.
- It is understood that the electronic and automated ACR is a pilot and subject to ongoing updates, upgrades, and changes. During the assessment, it was noted that the questionnaire identified "Other", along with Students and Casuals. "Other" was later defined as "full-time / indeterminate" employees; however, this is not clear on the ACR form. It was also noted that different ACR requirements apply to full-time/indeterminate employees in comparison to students, casuals and those on interchange at OSFI (if any).
If you would like more information about this PIA, contact Priv@osfi-bsif.gc.ca
4. May 2021
Mandatory Cyber Security Awareness via Terranova
Description of the program or activity
This Privacy Impact Assessment (PIA) has been performed on the deployment of a third-party vendor's cyber-security training platform, how that platform is used by the Office of the Superintendent of Financial Institutions (OSFI), and the future deployment of mandatory micro-modules.
Why a privacy impact assessment (PIA) was completed
OSFI has determined that pursuant to s. 6.3.1 of the TBS Interim Directive on Privacy Impact Assessment, a PIA is required as there is a potential for Terranova results to be used within various aspects of the agency's Human Resources Program. That is, an employee's performance or refusal to complete the mandatory micro-modules may be used in an administrative decision.
More information
- There is a risk that employees will not be made aware of the mandatory aspect of the five modules nor fully understand the consequences of non-compliance. This risk is mitigated only if the communiqué is delivered in a timely manner, at the time of deployment in April 2021 but no later than summer 2021.
- There is a risk that OSFI's procedures for consultants are not as well-defined as those for employees. At the time this PIA was finalized, the processes and procedures on how to address consultant non-compliance were in the early stages of development.
- There is a risk that user access to the Terranova results report created by CSD and provided to L&D will not be controlled appropriately, resulting in more access than is necessary and/or inappropriate storage of the report. A similar risk exists for the non-compliance reports created by L&D and shared with CSD and individual managers. The potential negative consequences of inappropriate storage and retention include a potential for privacy breaches. Once a storage location is identified, likely in eSpace, appropriate retention will likely be assigned but must be validated.
- Because the report retrieval process and creation of multiple CSV files is new, and the HRD Load feature for Terranova reports is new, there is a risk that inaccurate information will be loaded to HRD.
If you would like more information about this PIA, contact Priv@osfi-bsif.gc.ca