PeopleSoft v8.9 – Human Resources Management System – Privacy Impact Assessment

Executive Summary

The completed Privacy Impact Assessment (PIA) is directed at the PeopleSoft Government of Canada Human Resources Management System version 8.9 that has been implemented at DFAIT. The PIA evaluates whether the Human Resources Management System (GC HRMS) complies with privacy requirements. The focus of the assessment is on personal information collected, used, disclosed and retained within the system. It does not encompass HR-related information that exists outside of HRMS, nor does it cover information within the system that is not considered "personal" as per the Privacy Act.

The PIA is based on current information and reflects HRMS as per the production upgrade effective May 4, 2009, and the planned deployment of the Government of Canada Pay Interface (GCPI) and ePay Card functionality.

To ensure that employee records were complete for additional PeopleSoft-directed initiatives (e.g. Government of Canada Pay Interface (GCPI)), the upgrade required that salary information be captured for each employee. This represents a new collection and capture of personal information.

The PIA that has been completed addressed the following modules currently in use at DFAIT:

Delivered by GC

Unique to DFAIT

and, modules currently under development for deployment in fiscal 2010–11:

Delivered by GC

Unique to DFAIT

Any further additions to this scope will require an update to the completed PIA. The assessment is considered dynamic, requiring periodic reviews and updates in order to keep pace with the addition of new modules or a change in use that could alter privacy risks.

The PIA identifies two areas of non-compliance with privacy requirements for the PeopleSoft GC Human Resources Management System (HRMS) version 8.9. These areas of non-compliance are:

These identified privacy risks can be mitigated by:

Authorization of HRMS users

Procedures and Documentation

Establish an HRMS data retention and archiving policy with a view to establishing schedules for personal information retention and disposition. (Presently this is being risk managed as it is a tolerable risk given the existing operating environment.)

The PIA report constitutes DFAIT’s response to its obligations under the Treasury Board of Canada Privacy Impact Assessment Policy and is intended to ensure that privacy considerations have been adequately addressed in the deployment of the PeopleSoft GC HRMS v.8.9.

The nature and scope of PeopleSoft GC HRMS v8.9 indicate few privacy issues as contemplated by the PIA Guideline questionnaires. The mitigation strategies presented in this document respond to those issues. Finally, it is important to emphasize that privacy risk management is an ongoing exercise to be considered as the nature and use of this tool evolves.
