Privacy Impact Assessment Summary for the Mosaic Leadership Development Program

Introduction

The Mosaic Leadership Development Program began as a 12‑month program targeted towards EX-01 equity-seeking employees. It was increased to 15 months, based on feedback from the first cohort of program participants. The program is designed to develop participants into potential executives who are equipped with the knowledge, skills, abilities and competencies for an executive position in the public service.

The ultimate goal of the Mosaic program is increased representation of Indigenous Peoples, visible minorities, persons with disabilities, women, and members of 2SLGBTQIA+ communities in executive roles. After completing the program, participants are formally assessed against an EX-01 position.

Why the Privacy Impact Assessment (PIA) was necessary

To help deliver the Mosaic Leadership Development Program, an agreement was established with the Public Service Commission (PSC) for their provision of assessment tools, and with the Ivey Academy, a not-for-profit learning institution based in London, Ontario, for a customized leadership development course for the participants. The Ivey Academy uses a third-party service provider, SIGMA Assessment Systems Inc., to administer a tool called the Leadership Character Insight Assessment (LCIA), which measures leadership character and provides leaders and potential leaders with practical insight into leadership development.

The types of data collected for the Mosaic program include voluntary self-identification data of equity-seeking group candidates, an initial key leadership competencies assessment and final assessment results.

PIA objectives

The objective of the PIA is to assess privacy risks associated with the collection, creation and use of personal information through the Mosaic program. As the program is still only within its second year, there is a special emphasis on identifying opportunities for improvement to ensure that recommendations can be incorporated into program practices in time for receipt of candidate personal information for future cohorts. The scope of the PIA covers personal information specific to the Mosaic program, including the collection of and use of personal information through the Candidate Personal Profile Form.

PIA risk summary

The risks identified in the PIA:

1. A review of the contract between the Centre on Diversity and Inclusion (CDI) and the Ivey Academy determined that there are no clauses around privacy that would require the Ivey Academy to limit the collection, use and retention of personal information for Mosaic participants to the purposes that are outlined within the contract and in accordance with the Privacy Act.
2. There were no markings designating that the Candidate Personal Profile form should be considered Protected B once complete.
3. A review of the service agreements between the PSC and the CDI determined that they were missing most of the expected privacy clauses that should be included with information-sharing agreements between federal government departments.
4. Measures need to be undertaken to ensure that managers and employees with access to personal information collected and retained within the Mosaic program SharePoint folder are made aware of policies, procedures, and legal responsibilities under the Privacy Act.
5. Candidates are not informed at the time of collection of their personal information, that, by participating in the program, a copy of their Participant Achievement Record will be retained by the Mosaic program and the employee’s department respectively. Candidates are also not informed that participation in the program will result in personal information being provided to the PSC and the Ivey Academy.
6. As the Mosaic program is relatively new, it relies on manual process to receive, manage, and transfer personal information that is not supported by procedure manuals and guides.
7. As a new program with an annual cycle of candidates and participants, management will need to review existing processes, procedures and practices, and make adjustments as required.
8. A review of PSC-developed assessment reports and workbooks found no evidence of a Privacy Notice Statement (PNS) that would satisfy the requirements of section 6.2.9 of the Directive on Privacy Practices.
9. The 2 standard Personal Information Banks referenced within the Candidate Personal Profile form have 2 deferring authorities of collection and do not specify the retention period for the personal information collected through the Mosaic program.
10. A privacy notification statement is included by Ivey Academy to indicate the information that will be shared with SIGMA Assessment Systems Inc., the third-party service provider for the assessment of the Leadership Character Insight Assessment (LCIA).

Action Plan

1. The contract between the CDI and the Ivey Academy will be updated for the next cohort to ensure that the specific privacy clauses on the collection, use and retention of personal information of Mosaic participants are limited to the purposes that are outlined within the contract and in accordance with the Privacy Act.
2. The Candidate Profile Form was updated for Cohort 2 with the appropriate marking: Protected B once completed.
3. The next service agreement with the PSC will be updated to include the necessary privacy clauses. The current service agreement includes the following:
   1. Designated contacts in the event of a privacy breach
   2. Notification procedures in the event of security breaches and incidents
   3. Risk management procedures, ensuring that both the PSC and the CDI commit to have in place, in collaboration with Shared Services Canada (SSC), systems that will prevent, detect and respond to unauthorized access to the data that is collected, treated and exchanged between the PSC and the CDI.
4. The manager and employees of the Mosaic program with access to the folders that contain personal information have taken training on the Privacy Act, and the policies, procedures and legal responsibilities under the Privacy Act will be reviewed on a regular basis (that is, at the beginning of each cohort and when new staff are onboarded).
5. A Privacy Notification Statement (PNS) has been included in the Participant Achievement Record, informing candidates that by participating in the program, a copy of their record will be retained by the Mosaic program and by the employee’s department or agency respectively. Candidates in Cohort 2 have been informed, via an updated PNS on the Candidate Profile Form that participation in the program will result in personal information being provided to the PSC and the third-party learning provider.
6. Guides and procedure manuals will be created for the next Mosaic cohort, and an electronic means of exchanging information will be explored with SSC and IT for possible solutions.
7. Management commits to reviewing the existing processes, procedures and practices, and to making adjustments as required in advance of the launch of any subsequent cohorts.
8. The PSC assessment reports are no longer shared with the CDI. The Participation Achievement Record is now the responsibility of the CDI to update. A PNS has been included on the updated version for cohort 2 to satisfy the requirements of section 6.2.9 of the Directive on Privacy Practices.
9. A new Personal Information Bank has been created for the Mosaic Leadership Development Program and the PNS on the Candidate Profile Form will be updated once the reference numbers are received.
10. The PNS on the Candidate Profile Form will be updated to include the information that will be shared with SIGMA Assessment Systems Inc., the third-party service provider for the assessment of the Leadership Character Insight Assessment. Note, that this may change depending on the learning provider for future cohorts.