Pay and benefits: Phoenix pay system privacy impact assessment

Public Services and Procurement Canada (PSPC) administers pay for federal employers under the auspices of the Department of Public Works and Government Services Act and a variety of orders in council. The Pay Administration Branch (PAB) within PSPC provides pay services and benefits to approximately 300,000 public servants in 98 departments, agencies and Crown Corporations, as a common service organization.

Phoenix pay system privacy impact assessment—Executive summary

In 2009, the Government of Canada approved the Transformation of Pay Administration Initiative (the initiative). The initiative was to replace the 40-year-old legacy regional pay system (RPS) and consolidate payroll services into a single pay centre. The many shortcomings of that legacy system were vividly described in the 2010 Spring Report of the Auditor General of Canada.

At the outset, the initiative contemplated that the new centralized, consolidated pay model would allow for greater management control, a greater degree of standardization, a reduction of duplication and improved efficiencies for the Government of Canada. Substantial cost savings were also projected.

The initiative included replacement of the old pay system with the new system (“Phoenix”), for 98 departments, and the establishment of the pay centre in Miramichi, New Brunswick. Most electronic systems previously supporting the pay services provided by PSPC (for example, Regional Pay System, Extra Duty Pay) have been replaced with a new Phoenix solution.

In the legacy pay system, employees seeking access to specific pay records would, in most cases, need to consult with the compensation advisor in their own department, request their personal information and wait until the compensation advisor could compile the information and finally share it with the employee. With Phoenix, every government employee that uses the system becomes a “user” of the Phoenix Pay System and is therefore automatically accredited to view and access their complete pay profile, including their own pay stub, benefits plan, and personal information. This feature supports the Government of Canada's Open Government Initiative and enables an open data element of that initiative.

In 2017, a new governance structure was implemented to ensure a coordinated end-to-end human resources/pay approach. This new structure integrated human resources policies and processes to pay management, where PSPC and Treasury Board of Canada Secretariat (TBS) Office of the Chief Human Resources Officer (OCHRO) will work together on pay stabilization.

Key components

The Phoenix Pay System represents a significant change to the technology underlying the delivery of the pay program. In accordance with the TBS Directive on Privacy Impact Assessments, a privacy impact assessment (PIA) has been conducted to ensure that the collection, use, disclosure, retention and disposition of personal information in Phoenix is fully aligned with both legal and policy requirements.

This PIA is an update to the previous assessment and has identified new uses and disclosures of personal information. These new uses and disclosures are identified below:

The Privacy Impact Assessment examined the following areas:

The PIA confirmed that Phoenix complies with many privacy requirements and recommends a multi-year Privacy Risk Mitigation Action Plan to achieve full compliance. The action plan includes the following mitigation measures:

Officials from the Access to Information and Privacy Directorate (ATIPD) and the Chief Information Officer Branch (CIOB) have been consulted in the development, update and review of this PIA and support the assessment as well as the proposed action plan.

Senior officials from the Pay Administration Branch (PAB) and the ATIPD Policy Planning and Communication Branch (PPCB) have approved the PIA and are comfortable with the identified risks and the associated action plan to mitigate these risks. The PIA is final as it is approved and signed by all parties and was sent to the OPC and TBS for review.

Section I: Overview and privacy impact assessment initiation

Organizational profile

Government institution: Public Services and Procurement Canada (PSPC)

Government officials responsible for this privacy impact assessment: Marc Lemieux, Assistant Deputy Minister, PSPC, Pay Administration Branch

Delegate for section 10 of the Privacy Act: Marie Lemay, Deputy Minister, PSPC
Annie Plouffe, Director, Access to Information and Privacy, Policy Planning and Security Branch (Recommender)

Name and description of program or activity

The Federal Pay Administration Program is delivered by the Pay Administration Branch (formerly Accounting, Banking and Compensation Branch). The program is part of the department's payments and accounting core responsibility within the PSPC Departmental Results Framework (DRF).

This program administers pay and benefits processes for the public service of Canada and other organizations, in accordance with collective agreements, compensation policies and memoranda of understanding. Pay and benefits administration includes the development and delivery of services, processes and systems, and the provision of compensation information, training and advice. For most departments using the government-accredited human resources (HR) system (PeopleSoft), PSPC also provides all compensation services.

The Federal Pay Administration Program

The program is comprised of 2 key functions: compensation sector and pay services.

Compensation sector

Compensation sector pay is the largest payroll administrator in Canada. It administers pay and benefits for most federal departments, Crown Corporations and agencies including the House of Commons administration and Members of Parliament in the National Capital Region. The pay and benefits administration includes:

Pay services

The Public Service Pay Centre, established in March 2012, provides pay services for 46 organizations serving over 190,000 clients, in compliance with 27 collective agreements. Compensation advisors process employee pay and benefit transactions in the pay system (hire, promotion, acting, transfer, leave, etc.), respond to employee enquiries on payment issues and provide compensation advice to clients. The pay centre currently has roughly 1000 employees (including management and support staff) servicing public service clients. The pay centre is currently located in 2 temporary locations, but will move to its permanent location once the pay centre building is completed in the fiscal year 2017 to 2018. Due to the pay issues facing PSPC and the Government as a whole, the pay centre is complemented by multiple satellite and remote offices across Canada processing pay, a Client Contact Centre providing front-line support to answer employee enquiries and a Client Services Bureau addressing hardship and complex cases.

Description of the classes of records associated with the program or activity

Pay administration (Class of record #: PSPC ABC 090)

Information relates to administrative services required for the disbursement of pay and provision of information to employees on their pay such as:

Legal authority for the activity

The legal authority for the PSPC Pay is sections 5, 12, 13 and subsection 15(b) of the Department of Public Works and Government Services Act and Orders in Council PC number 2011-1550, 2013-0624 and 2015-0647.

Description of the classes of records (CORs) associated with the program or activity

| Type of program or activity | Level of risk to privacy |
| --- | --- |
| Proposal for a new PIB | (does not apply) |
| Proposal to modify existing PSPC PIBs | (applies) |
| Public service compensation systems (PWGSC PCU 705, # 001375) | (applies) |
| Central Index (PWGSC PCU 715) | (applies) |
| No modification required for the existing PIB | (does not apply) |
| Proposed new standard PIB | (does not apply) |
| Proposal to modify existing standard PIBs | (applies) |
| Pay and Benefits PSE 904 | (applies) |
| Employee Personnel Record PSE 901 | (applies) |
| No modification required for the existing standard PIB | (does not apply) |

Summary of the project, initiative, or change

As part of the Government of Canada Transformation of Pay Administration (TPA), PSPC replaced the more than 40-year-old Regional Pay System (RPS) with Phoenix, a modern commercial off-the-shelf solution (PeopleSoft). This ensured the long-term sustainability of Government of Canada pay administration services. Phoenix was launched and rolled out in multiple phases in 2016. It includes both web-based and self-service capabilities for employees and managers.

With self-service, employees have quick access to their personal information. They can also view pay-related information, including pay statements and tax slips, submit overtime for approval, submit leave without pay requests that are less than 5 days, amend direct deposit information and adjust some voluntary deductions.

Likewise, managers are, in most cases, able to approve hours submitted by employees and overtime instead of signing paper forms or using the Compensation Web Applications' Extra Duty Pay System, approve requests for leave without pay less than 5 days, as well as enter employees' schedules directly in Phoenix self-service.

Most notably, one of the biggest changes to the pay system is that it is integrated with the 32 existing human resources management systems already used by various federal government institutions. This allows transactions from HR systems to flow directly into Phoenix, thereby making the process seamless and more efficient.

To ensure the information transmitted is current, accurate and complete, several electronic data matching measures were implemented with integrated systems. PSPC is currently conducting testing to supplement data-matching capabilities with institutions that use the Government of Canada's My Human Resources Management System (MyGCHR 9.1)–PeopleSoft.

Phoenix audit trails and user account management are required to ensure system and data integrity, as well as to support system controls and fraud detection (for example, inappropriate access to personal data and fraudulent activity).

Enhanced fraud management functionalities are currently being contemplated to supplement current auditing capabilities. This new capability would allow PSPC to conduct systematic and comprehensive fraud detection reports on all business users.

Changes to collection, uses, and disclosures

This PIA has identified some new collection, uses, and disclosures of personal information.

New collection includes date of death. Both new and consistent uses have also been identified.

Biographical information such as date of birth, date of death, and gender is used to identify individuals as well as to determine eligibility for benefits.

Social insurance number (SIN) is used to identify the employee for employment insurance and taxation purposes. Other identifiers, including personal record identifier (PRI) and individual agency number (IAN), are used for required and approved data matches, accuracy, as well as to determine eligibility for pension, insurance, and/or other third party services (for example, unions). Human Resource Management Systems (HRMS) employee identification number (EMPL ID) is used as a unique identifier of the employee whose information is found in the HR system.

The PRI is also used as a main identifier for audit trails. It establishes who made a change in the Phoenix Pay System.

Lastly, new disclosures have also been identified. These include disclosures to:

Section II: Risk area identification and categorization

The following tables describe the categories of related privacy risks with corresponding risk scores.

Table A provides a description of the privacy risks associated to the type of program or activity for which the PIA is describing the program. Table A describes 4 categories of related privacy risks with a corresponding privacy risk score of 1, 2, 3, and 4. Table A also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table A: Privacy risks associated to the type of program or activity for which the PIA is describing the program

| A: Type of program or activity | Level of risk to privacy |
| --- | --- |
| Program or activity that does not involve a decision about an identifiable individual | 1 (does not apply) |
| Administration of programs or activity and services | 2 (applies) |
| Compliance or regulatory investigations and enforcement | 3 (does not apply) |
| Criminal investigation and enforcement/national security | 4 (does not apply) |

Details: the pay function delivered by PSPC, as a common service organization, utilizes Phoenix to administer pay in order to ensure that employees receive pay for work performed.

Table B provides 4 categories of privacy risks associated to the types of personal information involved and its context, including a corresponding privacy risk score of 1, 2, 3, and 4. Table B also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table B: Privacy risks associated to the types of personal information involved and its context

| B: Type of personal information involved and context | Level of risk to privacy |
| --- | --- |
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 (does not apply) |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 (does not apply) |
| Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. | 3 (does not apply) |
| Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. | 4 (applies) |

Details: particularly sensitive personal information including biographical information (such as date of birth, marital status, and personal contact information), social insurance number and employment information (for example salary level, attendance, leave, banking information) is required to administer pay for Government of Canada on behalf of employers. While certain information within an employee's pay profile, such as salary, banking information, and leave status can be accessed and viewed by a limited number of business users, highly sensitive personal information such as biometrics, bodily samples, allegations, or suspicions is neither collected nor associated in the Phoenix pay system.

Table C provides 4 categories of privacy risks associated to partners involved in the collection, use, or disclosure of personal information, including a corresponding privacy risk score of 1, 2, 3, and/or 4. Table C also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table C: Privacy risks associated to partners involved in the collection, use, or disclosure of personal information

| C: Program or activity partners and private sector involvement | Level of risk to privacy |
| --- | --- |
| Within the PSPC (amongst one or more programs within the PSPC) | 1 (applies) |
| With other federal institutions | 2 (applies) |
| With other or a combination of federal/provincial and/or municipal government(s) | 3 (applies) |
| Private sector organizations or international organizations or foreign governments | 4 (applies) |

Details: personal information is required by PSPC to provide payroll services. Personal information is required by law to be shared with Employment and Social Development Canada (ESDC), such as Canada Pension Plan (CPP) and Employment Insurance (EI) contributions, and National Revenue (CRA), such as income tax data. Income tax data is shared with Quebec for employees either residing or working in the province of Quebec. Personal information is also shared with the Public Service Pension Plan under the Public Service Superannuation Plan Act.

Deduction information service providers (for example, unions, insurance providers, parking service providers, Government of Canada Workplace Charitable Campaign [GCWCC]). In cases where an employee has elected for services from a non-governmental organization, such as a credit union, the information may be shared with the organization.

Table D provides 3 categories of duration of the program or activity, including a corresponding privacy risk score of 1, 2, and 3. Table D also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table D: Categories of duration of the program or activity

| D: Duration of the program or activity | Level of risk to privacy |
| --- | --- |
| One time program or activity | 1 (does not apply) |
| Short-term program | 2 (does not apply) |
| Long-term program | 3 (applies) |

Details: this is a long-term program with no planned end date.

Table E provides 4 categories of population affected by the program, including a corresponding privacy risk score of 1, 2, 3, and 4. Table E also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table E: Categories of population affected by the program

| E: Program population | Level of risk to privacy |
| --- | --- |
| The program affects certain Government of Canada (GC) employees for internal administrative purposes | 1 (does not apply) |
| The program affects all employees for internal administrative purposes | 2 (applies) |
| The program affects certain individuals for external administrative purposes | 3 (applies) |
| The program affects all individuals for external administrative purposes | 4 (does not apply) |

Details: Phoenix directly affects current and former employees of the Public Service of Canada, including most federal departments and agencies, as well as some separate employers and Crown Corporations.

Table F provides a description of the privacy risks associated to the use of technology. Table F lists 3 questions with question 3 being a 3 part question. For each of the 3 questions asked there is a corresponding answer in the form of a yes or no. Table F also provides a narrative section for all 3 parts of question 3 providing details regarding the privacy risks. A yes response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.

Table F: Privacy risks associated to the use of technology

| F: Technology and privacy | Level of risk to privacy |
| --- | --- |
| 1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? | Yes (applies); No (does not apply) |
| 2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services? (See 1 above) | Yes (applies); No (does not apply) |
| 3. Does the new or modified program or activity involve the implementation of one or more of the following technologies: | |
| 3.1 Enhanced identification methods | Yes (does not apply); No (applies) |
| 3.2 Use of surveillance | Yes (applies); No (does not apply) |
| 3.3 Use of automated personal information analysis, personal information matching and knowledge discovery techniques | Yes (applies); No (does not apply) |

Details: Phoenix is the replacement solution for the Regional Pay System (RPS), a 40-year-old pay system that was used to administer pay and benefits for most federal public servants across Canada.

Phoenix is a PeopleSoft-based IT system providing Government of Canada employees access to their personal pay records as well as, when available, self-service administration of their benefits, overtime and personal information required for the administration of pay.

Phoenix implementation required technical changes to certain other computer systems such as HRMS, in order to enable or improve upon integration.

Audit capabilities as well as procedures to manage user access have been implemented in Phoenix. This is to ensure system and data integrity.

With regard to personal information matching, implementation of Phoenix has resulted in some new data matches. All matches, including new ones, are for data accuracy, completion, currency, and correction.

Table G provides a description of the privacy risks associated to the information technology transmission of personal information. Table G describes four categories of related privacy risks and a corresponding privacy risk score of 1, 2, 3, and 4. Table G also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table G: Privacy risks associated to the information technology transmission of personal information

| G: Personal information transmission | Level of risk to privacy |
| --- | --- |
| The personal information is used within a closed system | 1 (does not apply) |
| The personal information is used in a system that has connections to at least one other system | 2 (applies) |
| The personal information is transferred to a portable device or is printed | 3 (applies) |
| The personal information is transmitted using wireless technologies | 4 (applies) |

Details: most routine transmissions occur within the Government of Canada secure network, including secure remote access. Other transmissions of personal information are transmitted to external organizations (for example, unions for union dues, insurance, United Way) using Government of Canada secure file transfer environment and protocol.

Personal information can also be shared with individuals using secure encrypted portable devices and may be printed using screen capturing applications. 

Table H provides a description of the potential risk that, in the event of a privacy breach, there will be an impact to the individual or employee. Table H describes four categories of related harm/privacy risks and a corresponding privacy risk score of 1, 2, 3, and 4. Table H also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table H: Description of the potential risk that, in the event of a privacy breach, there will be an impact to the individual or employee

| H: Potential risk impact to the employee in the event of a privacy breach | Level of risk to privacy |
| --- | --- |
| Injury to the reputation, finances, personal security or other interests of the employee | 1 (doesn't apply) |
| Serious injury to the reputation, finances, personal security or other interests of the employee | 2 (applies) |
| Extremely grave injury to the reputation, finances, personal security or other interests of the employee | 3 (doesn't apply) |

Details: information found in Phoenix could be used to bring serious injury to the employee including theft of identity (personal and professional), theft of assets, financial harm, damage to personal and/or professional relationships and other results of serious intrusion of privacy.

Table I provides a description of the potential privacy risk impact to institutions submitting the privacy impact assessment. Table I describes four categories of related harm/privacy risks and a corresponding privacy risk score of 1, 2, 3, and 4. Table I also includes a narrative section providing a summary description that explains and justifies the level of risk identified.

Table I: Potential privacy risk impact to institutions submitting the privacy impact assessment

| I: Potential risk impact to the institution in the event of a privacy breach | Level of risk to privacy |
| --- | --- |
| Managerial harm | 1 (applies) |
| Organizational harm | 2 (applies) |
| Financial harm | 3 (applies) |
| Reputation harm, embarrassment, loss of credibility | 4 (applies) |

Details: in the event of a privacy breach, whether material or not, the impact may be Government of Canada wide or affect institutions aside from, and in addition to, PSPC. Such privacy breaches may result in Crown embarrassment, loss of public trust, and possible civil liability.
