Electronic procurement solutions: Privacy impact assessment summary (Amended in fiscal year 2021 to 2022)

Changes were made to the privacy impact assessment in fiscal year 2021 to 2022. These changes are described in Section 1, under Amendment.

Section 1: Privacy impact assessment overview

Government institution

Public Services and Procurement Canada (PSPC), Acquisitions Branch (AB).

Head of institution or delegate for section 10 of the Privacy Act

Bill Matthews, Deputy Minister.

Senior official or executive for the new or substantially modified program or activity

Arianne Reza, Assistant Deputy Minister, Acquisitions Branch.

Name and description of the program or activity of the government institution

The Acquisitions Program delivers its mandated role and services through the following subprograms of services:

  • general procurement services
  • customized procurement services
  • acquisitions stewardship
  • acquisitions support and innovation

Legal authority for program or activity

Department of Public Works and Government Services Act, section 6(a), 6(b), 7(1)(c), 18(1)(2)(3), and 21(1)(2)(3). As amended from time to time.

Orders in council—PC number: 2015-0241—Date: 2015-02-26

Personal information banks

No modification required for the following existing personal information banks.

Summary of the project, initiative, or change

Public Services and Procurement Canada awarded a contract to Infosys Public Services to implement and manage an electronic procurement solution. The contract is for 5 years, with options to extend up to an additional 7 years. The electronic procurement solutions (EPS) delivered by Infosys (IPS) and their partners, Ernst and Young, and SAP Inc., is a cornerstone of procurement modernization. The solution is a bilingual (in English and French), Government of Canada (GC)-wide software as a service that combines SAP Ariba, the world’s largest business commerce network, and SAP Fieldglass, an external resource management platform that helps organizations transform how they manage talent across multiple channels. Information related to these services will reside in a public cloud outside of Canada within the cloud provider’s infrastructure. The project has received an exemption from the Treasury Board (TB) Directive on Service and Digital by the Treasury Board Secretariat (TBS) chief information officer. The EPS will provide modern and innovative e-tools and applications for all facets of the procurement process, including e-sourcing, contract lifecycle management, spend analysis, supplier relationship management and e-purchasing through catalogues. It also provides 1 portal for all acquisitions needs, facilitates suppliers’ interaction with the GC and provides greater accessibility for public sector clients to procure goods and services at the best value possible.

EPS will have a phased rollout. The deployment will start within PSPC; if successful, the next phase would be a GC-wide deployment, subject to approval by TB. The final phase will give access to some of our functionalities to the provinces/territories.

Amendment

PSPC’s Policy on Social Procurement came into effect on May 3, 2021, and establishes the policy coverage for the collection of personal information related to social procurement programs. PSPC amended the EPS privacy impact assessment (PIA) so that PSPC can collect, protect, use, disclose, retain, and dispose of personal information in relation to administering the Policy on Social Procurement in accordance with the Government of Canada’s privacy obligations. The original EPS PIA was made in 2020.

With the EPS PIA amendment, personal information can be collected for the purpose of administering the social procurement policy and programs. This data can also be used to conduct data analysis and statistical reporting to create baselines of representation for different groups in public procurement and target underrepresented suppliers.

The personal information required for the social procurement programs can be collected through EPS, related procurement methods of engagement (for example, requests for information, letters of interest, industry days, etc.), through the evaluation/negotiation stage and reporting throughout the procurement process (for example, administrative stage).

The amendment to the EPS PIA covers the collection of the following personal information:

  • gender information: male, female or other
  • racial or cultural origins: Arab, Black, Chinese, Filipino, Japanese, Korean, Latin American, Southeast Asian, South Asian, West Asian and other
  • disability status
  • status as a member of the lesbian, gay, bisexual, transgender, queer, 2-spirit and others community
  • Indigenous status: First Nation, Métis or Inuit

Section 2: Privacy impact assessment risk area identification and categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included for each risk area. The numbered risk scale is presented in ascending order:

Please refer to Appendix C of the Treasury Board Secretariat Directive on Privacy Impact Assessment to learn more about the risk scale.

Type of program or activity

Risk scale: 2

Personal information is used to make decisions that directly affect the individual (for example, determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).

Types of personal information involved and context

Risk scale: 1
Risk scale: 2
Risk scale: 3

Personal information collected from vendors, suppliers, contractors, references, other government departments (OGDs) and government procurement officials as part of the procurement of goods and services by the Government of Canada.

Program or activity partners and private sector involvement

Risk scale: 1
Risk scale: 2
Risk scale: 4

PSPC provides central and common procurement services to other federal departments. Suppliers will be required to enrol in the SAP Ariba network, a private sector company specializing in on-line tender management. There is some additional existing involvement with some departments such as Canada Revenue Agency to set up and verify the business number, and Indigenous and Northern Affairs Canada in relation to the Set-Aside Program for Aboriginal Business. All OGDs receiving personal data disclosed by PSPC protect that data in conformance with the Privacy Act and TBS requirements, specified in departmental service agreements.

Note

Since procurement is for a “public purpose” of the Government of Canada, only the laws of Canada apply to the handling and protection of personal information.

Duration of the program or activity

Risk scale: 3

Long-term program. Procurement is an ongoing federal program with no planned end date.

Program population

Risk scale: 1
Risk scale: 3

EPS will collect the personal information of suppliers for purchasing and invoicing purposes and monitor system user activity for both GC and non-GC users to help ensure the ongoing availability, security and integrity of the system.

Technology and privacy

A “yes” response to any of the following may indicate the potential for privacy concerns and risks that will need to be evaluated and mitigated.

Questions

  • Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? Yes
  • Does the new or modified program or activity require any modifications to the information technology legacy? Yes
  • Does the new or modified program or activity involve the implementation of one or more of the following technologies: not applicable
    • enhanced identification methods? No
    • use of surveillance? No
    • use of automated personal information analysis, personal information matching and knowledge discovery techniques? No

Legacy applications will run in tandem with the EPS solution. Rather than decommissioning legacy applications at the end of the year, the plan will involve sun-setting the legacy applications over a period of time by reducing access and operating them in a limited capacity. The PSPC departmental financial material management systems (DFMS) may see “middle ware” additions to allow it to engage with the Ariba network, and Buyandsell may likewise require some modifications.

Personal information transmission

Risk scale: 2
Risk scale: 3
Risk scale: 4

Personal information at rest and in transit is encrypted per PSPC standards (ITSP.40.111 “Cryptographic Algorithms for Unclassified, Protected A, and Protected B information”). Provision of a GC-wide procurement process involves the transmission of personal data to GC departments, third parties, and a third-party supplier contracted to deliver related electronic services. Transmission of information will be within a secure tool linked to the GC network, including the DFMS. The electronic procurement system is designed to be an entirely electronic solution. GC users and administrators will be instructed not to make paper copies of any EPS records, not to use unencrypted portable media, and not to transmit data over unencrypted networks.

Risk impact to the institution

Risk scale: 1
Risk scale: 2
Risk scale: 3

In the unlikely event of a privacy breach, some potential risk impact to the individual supplier, employee, or third party may result. IPS has developed and implemented a robust privacy breach protocol to help mitigate any potential negative effects of a privacy breach.

Risk impact to the individual or employee

Risk scale: 1
Risk scale: 2
Risk scale: 3
Risk scale: 4

In the event of a privacy breach, whether material or not, PSPC and client departments may be adversely impacted.
