CSPS Privacy Impact Assessment (PIA) Summary: Client Services Environment
Description of the project
The purpose of this project was to examine the privacy impacts associated with the development, improvement of Client Services with the implementation of Customer Relationship Management by Salesforce and Amazon Connect integrated solution to improve the services offered to Public servant under the registrar's office, Business Enablement and Assurance Services Branch (BEASB) of the Canada School of Public Service (CSPS).
Why the PIA was necessary
A privacy impact assessment (PIA) is being conducted because Salesforce and Amazon Connect gathers personal information (Name, PRI, Email, Classification, Department) from federal public servants.
The PIA is intended to help ensure that Salesforce and Amazon Connect at CSPS remains compliant with the Privacy Act, and to help identify and mitigate any risks associated with the personal information that Salesforce and Amazon Connect collects in the database of both systems for processing clients requests by web form system or by telephone line. It is also intended to help raise awareness within Client Contact Centre and Client Service Management team of the privacy concerns related to the work that we do.
This project involved taking stock of the personal information that Salesforce and Amazon Connect gathers and understanding better how that information should be processed going forward.
PIA findings and risk summary
Privacy risks arising from Salesforce and Amazon Connect data gathering are considered to be medium , as they involve collections of sensitive data. Data are collected and used for administrative purposes (i.e., to improve School products and services, not to make decisions about individual respondents or collaborators). Client Contact Centre and Client Service Management manager's will allow very limited access only for the employees with a need to know to perform their duties and provide service to our clients and honour our Memorandum of Understanding (MOU) agreements with other federal institutions.
- Ensure that CSPS-employees are aware of privacy considerations in all outreach work
- Ensure that all personal information captures is safeguarded in accordance with the Privacy Act and that it not be disclosed to a third party without the consent of the individual concerned
- Ensure that all surveys conducted include a "Privacy Notice" informing respondents of the purpose and used of information being gathered
- Ensure that Salesforce will promptly notify CSPS of the Security Incident and investigate the security incident and provide CSPS with detailed information about the Security Incident
- Ensure Salesforce will maintain a record of security breaches and or incidents with a description of the breach, the time period, the consequences of the breach, the name of the reporter and, to whom the breach was reported and the procedure for recovering data, and coordinate any privacy incident and/or breach to the CSPS ATIP Unit
- Ensure that security and privacy incidents and or breaches are to be recorded and reported immediately to the CSPS ATIP Unit, as per CSPS Privacy Breach Protocol
- Creation of Staff Guidance Tools including :Training for those who have privileged access re: privacy data sensitivity, breach procedure and information Sessions on Privacy with ATIP Unit