Privacy Impact Assessment for the Foreign Service Directives Portal

Executive Summary

The Department of Foreign Affairs and International Trade (DFAIT) administers the Foreign Service Directives (FSD) for over 1,800 employees and dependents who work in Canada’s missions abroad.  These include DFAIT employees as well as employees from other government departments that have signed a Memorandum of Understanding (MOU) for DFAIT to administer the FSDs on their behalf.  FSD expenditures during the 2009-2010 fiscal year represented $131.7 million.

The FSDs describe the terms and conditions of the benefits provided to Government of Canada employees and their dependents when they are posted abroad and form a part of the employee’s collective agreement.

The departmental Foreign Service Directives (FSD) Services and Policy Bureau has initiated the FSD Portal Project to automate the management of FSDs through the delivery of modified business processes and a new application solution. The FSD Portal is an application that will be used to manage Mission Clients (Employees) outside of Canada and their FSDs. The FSD Portal will receive data from the Human Resources Management System (tombstone information) for all DFAIT clients. Other Government Department (OGD) client information will be captured manually within the FSD Portal web application. This application will be linked to LiveCycle, which processes the Travel forms (FSD 50.01, 50.02 &70).  The FSD Portal will also feed the departmental Integrated Management System with the information necessary to assure that the clients get paid in a timely fashion.

The FSD Portal will automate the processing of FSDs for clients at Missions outside of Canada. These clients can be members of this department or members of a number of other departments but they have access to the SIGNET D environment.

A Privacy Impact Assessment (PIA) was completed as part of the Department’s commitment to safeguarding the confidentiality of the personal information under its control. The completion of the PIA also met the Management of Information Technology and Security (MITS) requirements obligating departmental enterprise applications to undergo a security and privacy assessment. 

There are inherent risks associated with information capture, collection, retention, and flow in the context of the operational features of the FSD Portal, an Intranet based system/tool.  The PIA resulted in identification of risks and the following recommendations mitigate the risks encountered and reduce the levels of risks found with the initiative.

• Recommendation 1: It is recommended that all information, including personal information communicated by the FSD portal to the Adobe LiveCycle environment, be disposed of after each request is completed.
• Recommendation 2: The departmental FSD Policy and Monitoring Division and the FSD Client Centre need to develop Information Sharing Agreements with their internal partners such as the departmental Assignment and Pool Management Division who are responsible for human resources and financial system.
• Recommendation 3: While it is outside the scope of the completed PIA to examine the initial “Purpose of collection”, it is recommended that HRMS and Human Resources operations include data sharing with the FSD Portal as part of its Privacy Notice Statement, as well as all related Personal Information Banks.

While these mitigating strategies do not eliminate the risk entirely, they reduce it to a level for which the Department and its senior management could assume the remaining risk with a reasonable expectation that risks in the process of being realized would be caught by monitoring processes before they became untenable. These residual risks will need to be managed in accordance with the executive duties, powers and prerogatives and accountability bestowed upon the Deputy Head.