Recruiting Module of the Human Resources Management System (HRMS)

Executive Summary

The Department of Foreign Affairs and International Trade (DFAIT) manage their HR data across the Government of Canada (GC) Human Resource Management System (HRMS) version 8.9.  A Privacy Impact Assessment (PIA) of version 8.9 was completed and approved in February 2010. Subsequently, DFAIT implemented the Recruiting Module of the People Soft Version 8.9.

A PIA was completed to adequately assess and address the privacy implications involved with the Recruiting Module. It was DFAIT’s response to its obligations under the Treasury Board of Canada Directive on PIA.

The PIA focussed on personal information collected, used, disclosed and retained within the HRMS Recruiting Module.  It did not encompass HR-related information that exists outside of the Module, nor did it depict information within the system that is not considered “personal” as defined in the Privacy Act.

At the time the PIA was completed, the HR community administered their staffing business processes through various internal and external systems ranging from customized spreadsheets to black book systems. On January 27, 2010, Veterans Affairs Canada (VAC) has successfully implemented a series of enhancements to allow end-to-end automation of the recruiting process, including interfacing with the Public Service Resourcing System (PSRS) and PubliService. The business drives to undertake these enhancements to the existing Recruiting Module were as follows:

The PIA concluded that the implementation of the Recruiting Module would not involve the collection of additional personal information.

The nature and scope of the Recruiting Module indicated few privacy issues as contemplated by the PIA Guideline questionnaires as well as proper mitigation strategies to respond to those issues.

The PIA only identified the following area as non-compliant with privacy requirements and recommended proper mitigating measures described below:

  1. Procedures and documentation (medium-level risk)
    • There were no retention and disposal schedules in place for the personal information collected. Establishing a HRMS data retention and archiving, disposal policy and schedules for the personal information were identified as mitigating strategies.
    • There was no existing policy to address privacy breaches involving personal information from the HRMS Recruiting Module. Establishing a HRMS documented privacy breach policy as well as subsequently communicating it to employees was identified as mitigating strategies.
Date Modified: