CSPS Privacy Impact Assessment (PIA) Summary: Learning Management System (Brightspace) and Data Warehouse Solution
Description of the project
The purpose of this project was to examine the privacy impacts associated with the Canada School of Public Service's (CSPS) new learning management system (LMS) and associated data warehouse solution. The data warehouse solution is composed of a cloud-based data storage and processing application built upon Microsoft's Synapse Analytics platform, as well as Microsoft's industry-leading Power BI data reporting tool.
Why the PIA was necessary
The CSPS collects, uses and discloses personal information in the development and delivery of courses, events and other learning resources. The learning management system (LMS) is populated with data migrated from the existing legacy systems. This includes the personal information of everyone who has registered for a course with the CSPS, either directly or indirectly. The LMS assigns a unique student number to each learner, in order to improve data integrity and enhance the CSPS's reporting capability. This personal information is in turn stored, processed, and analyzed using the new cloud-based data warehousing solution, which consolidates data from multiple sources to provide the CSPS's business lines with a single source of truth for the CSPS's data and business intelligence.
The PIA is intended to help ensure that the CSPS remains compliant with the Privacy Act, and to help identify and mitigate any reputational risks associated with the CSPS’s new LMS (Brightspace) and data warehousing solution. It is also intended to help raise awareness at the CSPS of potential downstream risks emanating from the use of registration and learning activities information.
This project involved taking stock of the CSPS's personal information inventory related to the new LMS and better understanding how that information is currently being stored, processed, and analyzed.
PIA findings and risk summary
Privacy risks arising from the CSPS's new learning management system (Brightspace) and data warehouse are considered to be moderate to low, as they involve limited collections of non-sensitive data. For the most part, data is collected and used for non-administrative purposes.
While present impacts on the privacy of individuals are being adequately managed by the CSPS through legal, policy and technical measures geared at the protection of personal information, a number of recommendations have been formulated.
They include in the short term:
- the development of a standard privacy notice and the acknowledgement of responsibilities statement for the collection of personal information by the LMS
- the wholesale review and revision of the CSPS's LMS personal information banks (PIBs)
- the development and update of privacy documents when additional components are implemented in order to augment our system (i.e. resource management functionality)
- securing Protected B status to store, process, and analyze sensitive data within its LMS and data warehouse solution
Medium-term recommendations have also been formulated:
- Sharing learner transcript data (i.e., learner registrations and completions) with central agencies such as the Office of the Chief Human Resources Officer (TBS) or the Public Service Commission in a systematic manner may help inform and develop strategies and policies to support the training of federal public servants.
For more information on the disclosure, collection, use, retention, and disposition of personal information in relation to this PIA, please refer to the following Personal Information Banks (PIBs):