Recruitment and Staffing Activities using Virtual Staffing Tools

Government institution

Canadian Space Agency

Government official responsible for the PIA

Human Resources

Head of the government institution or Delegate for section 10 of the Privacy Act

Name of program or activity of the government institution

Human Resources Management

Description of the class of record and personal information bank

Recruitment and Staffing (CSA HR 010)

Recruitment and Staffing Activities using Virtual Staffing Tools (CSA PIB 015)

Legal authority for program or activity

Personal information is collected under section 16(1) of the Canadian Space Agency Act.

Overview of the Program or Activity

This report examines the privacy impacts associated with the collection, use, disclosure and retention of personal information by the Canadian Space Agency (CSA) in the administration of the staffing process, particular to the use of a third party, hosted software.

VidCruiter is a suite of hiring applications, hosted in a third-party cloud environment, that facilitates scheduling, testing against merit criteria established by the Hiring Manager, providing a central repository of the information in a digital platform, enabling recorded video / audio and live interviews and the reference checking process.

As the CSA intends to implement most of the solution suite offered by VidCruiter (excluding the onboarding feature), this PIA examines the potential privacy risks for five of the solution offerings by the company.

Necessity for a Privacy Impact Assessment

The VidCruiter suite of applications records personal information in order to assess candidates with virtual staffing tools. With users' consent, it captures an individual's image / voice to facilitate the screening process, to be tested against the merit criteria, to participate in a video / audio recorded interview and for the reference check process all of which are part of the staffing process. These new collections of personal information are considered to be a substantial modification to program delivery which has necessitated the completion of a Privacy Impact Assessment, in compliance with the Directive on Privacy Impact Assessment.

Section II — Risk Area Identification and Categorization

This PIA focused on the CSA's processes and its handling of personal information to ensure compliance with the Privacy Act and associated Treasury Board privacy policies and directives. The PIA analysis of the risks reflects 10 universal privacy and fair information practice principles of the Canadian Standards Association's Model Code for the Protection of Personal Information.

1. Type of Program or activity

   Administration of Programs

   Level of risk to privacy: 2

   Details:

   Personal information is collected by the CSA or, in the case of candidate assessments, created by the CSA during the staffing process. For example, the digital platform will be used to collate information pertaining to the staffing process such as assessments by the Assessment Committee Members and results of the candidate; the testing function to assess candidates; the interview function to record video / audio of the candidates in the VidCruiter platform.

2. Type of personal information involved and context

   Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

   Level of risk to privacy: 2

   Details:

   Biographical information such as work experience, education, competencies, skills, knowledge, capacities, personal suitability qualifications, assets, as well as personal contact information, are provided by the candidate via the PSC online portal jobs.gc.ca, and/or via VidCruiter if applicable. In addition, personal information about the candidate is obtained from their references.

3. Program or Activity Partners and Private Sector involvement

   Private sector organizations or international organizations or foreign governments.

   Level of risk to privacy: 4

   Details:

   The software suite that the CSA will use to expedite and enhance the selection process is hosted by a private sector company, including hosting the personal information collected and used by the CSA. The Agency will contract VidCruiter, a Canadian company, to obtain service of the suite of applications and information storage.

   While the PSC will be the initial point of contact for the collection of information related to staffing, this PIA is focused on the new approaches facilitated by the VidCruiter software. The PSC is not a partner in the VidCruiter portion of the staffing process.

4. Duration of the Program or Activity

   Long-term program

   Level of risk to privacy: 3

   Details:

   The CSA intends to use virtual staffing tools and assessment techniques on a long term, as and when required basis.

5. Program population

   The program affects certain employees for internal administrative purposes.

   The program affects certain individuals for external administrative purposes.

   Level of risk to privacy: 1, 2

   Details:

   Individuals who apply for employment with the CSA and agree to participate in the staffing process using VidCruiter services would be affected since they will have to access the platform and use their virtual staffing tools.

6. Technology and Privacy

   Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

   Risk to privacy: Yes

   Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

   Risk to privacy: No

   Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:

   • Enhanced identification methods
   • Surveillance
   • Automated personal information analysis, personal information matching and knowledge discovery techniques?

   Risk to privacy: No

7. Personal information transmission

   The personal information is used in a system that has connections to at least one other system.

   The personal information is transferred to a portable device or is printed.

   The personal information is transmitted using wireless technologies.

   Risk to privacy: 2, 3, 4

   Details:

   VidCruiter's functionalities are offered via an online internet platform with data stored in a cloud environment located in Canada, hosted by the company.

8. Risk Impact to the individual or employee

   Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

   Risk to privacy: Yes

   Details:

   In the event of a privacy breach involving routine non-sensitive personal information, the impact to the affected individual(s) may be considered minimal. However, the impact may increase depending in the sensitivity of the personal information, resulting in embarrassment for the individual.