Privacy impact assessment – Personal Information Profile

Personal Information Profile (PIP) version 3.0 (2004) is an enhancement of the existing PIP On-line (PIP 2.0). This enhancement includes the automation of the leave entry/approval process, the elimination of inconsistent data between the HRIS Leave and Time Accounting Systems, and miscellaneous improvements based on needs identified since its launch. Some of the tangible and intangible benefits of PIP 3.0 are:

  • ease of leave entry/approval by CNSC staff and management
  • savings in labour, time and space
  • improved accuracy and timeliness of data
  • elimination of manual checking/validation by management, staff and HR personnel
  • elimination of discrepancy between HRIS leave and Time Accounting data (LOUIS)
  • improved efficiency with additional HTTP links

Operational information collected in the context of this initiative is described in standard Class of Records, Compensation and Benefits PRN 941. Personal information collected in the context of this initiative is described in standard Personal Information Bank, Employee Personnel Records PSE 901.

Legal authority for program or activity: Nuclear Safety and Control Act, section 16(1).

Risk area identification and categorization

Type of program or activity

Personal information is used to make decisions that directly affect CNSC employees regarding the application of leave.

Level of risk to privacy – 1

Type of personal information involved and context

Personal information is collected directly from the individual and relates to the authorized compensation and benefits activity.

Level of risk to privacy – 1

Program partners and private-sector involvement

There is no external involvement in this activity.

Level of risk to privacy – 1

Duration of the program or activity

This is intended as a long-term initiative.

Level of risk to privacy – 1

Program population

This initiative will affect all CNSC employees.

Level of risk to privacy – 1

Technology and privacy

A. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program, including collaborative software (or groupware), to support the program or activity with the creation, collection or handling of personal information?

Risk to privacy – Yes

B. Is the new or modified program or activity a modification of IT legacy systems and / or services?

Risk to privacy – Yes

C. Enhanced identification methods: This includes biometric technology, such as facial recognition, gait analysis, iris scan, fingerprint analysis, voice print and radio frequency identification (RFID). It also includes easy pass technology and new identification cards, including magnetic stripe cards and smart cards (i.e., identification cards with an embedded antenna, or a contact pad connected to a microprocessor and a memory chip or connected only to a memory chip with non-programmable logic).

Risk to privacy – No

D. Use of surveillance: This includes surveillance technologies, such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception and computer-aided monitoring, including audit trails and satellite surveillance.

Risk to privacy – No

E. Use of automated personal information analysis, personal information matching and knowledge discovery techniques: For the purposes of the Directive on Privacy Impact Assessment, government institutions are to identify activities’ use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends and patterns or to predict behaviour.

Risk to privacy – No

Personal information transmission

Personal information is not transmitted outside the CNSC.

Level of risk to privacy – 1

Risk impact in the event of a breach

In the event of a breach, there could be reputational harm to the CNSC and to individuals whose information is housed in the system.

Level of risk to privacy – 2

Delegated authority

Government official responsible for privacy impact assessment:

Ginette Laflamme
Director General, Human Resources Directorate

Head of the government institution / delegate for section 10 of the Privacy Act:

Phil Dubuc
Senior Access to Information and Privacy Advisor
