Exchange of Personal Information between Correctional Service Canada and Passport Canada

Overview

The Salary Management System (SMS) is a salary budgeting and forecasting tool that will interface with other departmental information systems which will allow CSC to examine their expenditures on an ongoing basis to ensure responsible spending.

The assessment demonstrates that the proposed information sharing was developed in accordance with the Privacy Act, the Financial Administration Act and the Government of Canada Security Policy.

Summary of Risks and Recommendations:

General

Risk

The lack of a quality assurance and audit program to assess the ongoing state of the safeguards applicable to the system may result in privacy-compliance problems going undetected.

The lack of documented security and privacy procedures on the requirements of handling personal information increases the risk of unauthorized access to PI.

Failure to obtain express consent for collection of SMS-related PI may create ill will and a perceived lack of transparency and increased risk of complaints.

The lack of appropriate privacy safeguards in the contract with Infuatec increases the risk of non-authorized disclosure of PI.

Recommendations for mitigation

Implement appropriate quality assurance and audit programs, policies and procedures.

Develop, document and disseminate PI handling security and privacy procedures in accordance with Departmental Directives.

Train users on the security and privacy requirements of PI collected in both paper and electronic form.

Consider building "opt-in", express consent mechanisms into SMS process, where possible, when dealing with Public Service hiring and compensation issues.

Discuss with PWGSC the possibility of negotiating appropriate privacy safeguards with Influatec.