Privacy Impact Assessment Summary for the Electronic Procurement and Payment System (EPP)

Executive Summary

The Electronic Procurement and Payment system (EPP) is a business transformation initiative to streamline the way SSC procures, pays and interacts with vendors. EPP will enable SSC to modernize business practices, expedite processing and payment with suppliers and will result in an end-to-end service delivery experience for clients to realize efficiencies.

The purpose of the EPP system is to automate the procure-to-pay process (previously a paper-based procedure) with a supplier self-service portal.  This will help SSC to advance the Department’s mandate to streamline the delivery of Government of Canada IT services and to achieve savings.

To openly account for the personal information collected for this program, and in compliance with Section 10 of the Privacy Act, SSC will be registering a new Institution-Specific Personal Information Bank (PIB), "Procurement Services" in relation to the EPP.

Overview

The EPP is part of SSC’s Internal Service Transformation Initiative, to help improve internal efficiencies.  As such, it supports SSC’s 2017-18 Program Alignment Architecture’s strategic outcome of “Modern, reliable, secure, timely and cost-effective IT infrastructure services to support government priorities and program delivery.

Potential suppliers will use EPP to create vendor profiles and submit bids using their vendor accounts.  Shared Services Canada will use EPP to assess submitted bids using the information the vendors supplied.  The EPP solution will also streamline the processing of vendor invoices.

SSC will continue to post procurement opportunities to Buy and Sell, the Government of Canada website for suppliers to find procurement information, tools and help to complete tasks related to selling goods and services to the Government of Canada. To bid on procurement opportunities within SSC, suppliers will be directed from Buy and Sell to the EPP portal.

The collection and use of the personal information provided for EPP is in accordance with the federal Privacy Act.  On June 29, 2012, the Shared Services Canada Act received Royal Assent and is SSC’s legal authority to collect personal information for its programs.

Order in Council No. 2015-1071 confers on Shared Services Canada the authority to provide services related to end-user information technology, email, data centres and networks. Pursuant to Section 7 of the Shared Services Canada Act, the Minister has the authority to conduct procurement in order to provide those shared services.

Risk Mitigation

In keeping with the guidance from the Office of the Privacy Commissioner of Canada and the Treasury Board Directive, all of the privacy risks identified in the PIA have been aligned with the ten universal privacy principles found in the Canadian Standards Association’s (CSA’s) Model Code for the Protection of Personal Information.  In addition, the PIA includes details on the software solution such as the description of the technical safeguards provided to protect personal information. Shared Services Canada takes the protection of Canadians’ personal information very seriously and is committed to taking further action to mitigate the residual privacy risks that were identified during the PIA process.