Overview and PIA Initiation
Government Institution
Immigration and Refugee Board of Canada
Government Official Responsible for the PIA
Kathleen Baker
Senior Director, Workforce Management
Human Resources Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Eric Villemaire
Manager
Access to Information and Privacy
Name of program or activity of the government institution
Human Resources Management
Description of the class of record and personal information bank
Standard or institution specific personal information bank:
- Staffing Activities – PPE 902
- Applications for employment – PSU 911
Standard or Institution specific Class of Records:
- Recruitment and Staffing – PRN 920
- Classification of Positions – PRN 919
Legal authority for program or activity
Public Service Employment Act
About the Immigration and Refugee Board
The IRB is Canada's largest independent administrative tribunal. Its mandate is to resolve immigration and refugee cases efficiently, fairly and in accordance with the law. The institution has five primary program activities: Refugee Protection, Immigration Appeal, Admissibility Hearings and Detention Reviews, and Refugee Appeal and Internal Services. Under the first program activity, the IRB decides which individuals require refugee protection in Canada. Its decisions have a significant impact on the lives and security of the individuals appearing before it. Board decisions not only contribute to the security of Canadians, but to the integrity of Canada's immigration and refugee systems, and the strength and diversity of the country.
IRB’s ability to fulfill its mandate in an effective and efficient manner depends, in large part, on its ability to attract and maintain a highly motivated, knowledgeable and innovative workforce. Despite its significant mandate, IRB currently employs approximately 2000 full-time equivalents, many of whom have been staffed on a temporary basis. Since 2018 the IRB has been increasing resources in order to respond to increased number of irregular border crossers. Although IRB has added many new staff members over the past few years (and attracted many new members to its management team), its ongoing success depends on its ability to add to and augment the skills of its temporary and permanent workforce. It also depends on having effective systems in place to support key human resource functions such as hiring, in line with the organization’s long-term strategic plans.
Modernizing Staffing and Recruitment
In keeping with the Public Service Commission’s New Direction in Staffing, and the IRB’s own interests in modernizing its hiring and employee onboarding processes, the IRB wishes to acquire and implement an on-line recruitment platform to better manage its entire recruitment life cycle. Once fully implemented and operational, the platform is expected to automate portions of the IRB recruitment process, and to help in the application of more modern data-intelligence techniques to its hiring campaigns.
By investing in digital recruitment software, the IRB expects to be able to improve the efficiency of its recruiting efforts, and to better reach and attract hard-to-find talent. The recruitment software is also expected to assist in building better talent pools, and in hiring the right people in the right positions so that new recruits become long-term and productive employees of the organization.
Purpose and Scope of the Privacy Impact Assessment (PIA)
The IRB is named in the Schedule to the Privacy Act and is subject to the privacy policies and directives of the Treasury Board of Canada Secretariat (TBS). Under the TBS Policy on Privacy Protection, all federal institutions subject to the Privacy Act are required to undertake an assessment of the privacy impacts associated with the development or design of new programs or services involving personal information (or when making significant changes to an existing program or service).
In keeping with the above, the IRB elected to undertake a PIA in relation to the acquisition, implementation, and use of a DRP. The use of a DRP is expected to result in the collection of new elements of personal information, some of which may be used to make decisions that directly affect identifiable individuals. DRPs may also affect the manner in which personal information is collected and handled by the IRB.
Privacy Analysis
Based on the results of the PIA, privacy risks arising from the collection, use, disclosure, and retention of personal information using a DRP are expected to be moderate. Potential impacts on the privacy of individuals are being properly managed by the IRB through appropriate legal, policy and technical measures geared at the protection of that information. Recommendations included in PIA are expected to reduce Frisks to a low (or acceptable) level.
Risk Area Identification and Categorization
A) Type of Program or Activity
Administration of Programs - Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.)
Level of Risk to Privacy: 2
B) Type of Personal Information Involved and Context
Personal information provided by the individual with consent to also use personal information held by another source / with no contextual sensitivities after the time of collection.
Level of Risk to Privacy: 2
C) Program or activity partners and Private Sector Involvement
- Within the department (amongst one or more programs within the department).
- With other federal institutions.
- With other or a combination of federal/ provincial and/or municipal government(s).
- Private sector organizations or international organizations or foreign governments.
Level of Risk to Privacy: 1,2,3,4
Details:
IRB intends to acquire and administer a third-party DRP. The DRP vendor is expected to host an online portal that will be used to collect, use, and share information, including audio and video recordings. Audio and video recordings, along with other information collected through the DRP will be saved by the vendor and stored in the cloud. Cloud service providers may vary but are expected to retain data on servers physically located in Canada. Currently, Amazon Web Services (AWS) is approved by the federal government for cloud hosting. It is generally regarded as one of the most secure cloud data hosting solution in the world.
D) Duration of the Program or Activity
Short–term program
Level of Risk to Privacy: 2
E) Program Population
The program affects certain individuals for external administrative purposes.
Level of Risk to Privacy: 3
F) Technology and Privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to Privacy: Yes
Does the new or modified program or activity require substantial modifications to IT legacy systems and / or services?
Risk to Privacy: No
The new or modified program or activity involves the implementation of potentially privacy invasive technologies?
Risk to Privacy: No
G) Personal Information Transmission
The personal information is used in system that has connections to at least one other system.
The personal information may be printed or transferred to a portable device.
Level of Risk to Privacy: 2, 3
H) Risk Impact to the Individual or Employee
Inconvenience. Reputation harm, embarrassment.
Level of Risk to Privacy: 1,2
I) Risk Impact to the Individual or Employee
Managerial harm. Processes must be reviewed, tools must be changed, change in provider / partner.
Organizational harm. Changes to the organizational structure, changes to the organizations decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.
Financial harm. Lawsuit, additional moneys required reallocation of financial resources.
Level of Risk to Privacy: 1,2, 3