VidCruiter - A Candidate Assessment Tool

Executive Summary of the Privacy Impact Assessment.

Introduction

The Public Prosecution Service of Canada’s Workforce Solutions and Services (WSS) team is responsible for ensuring that staffing is carried out according to the Public Service Employment Act (PSEA). Under the Act, sub-delegated managers have been given direct responsibility for hiring and greater flexibilities to facilitate hiring people when and where they are needed. As part of the staffing process, managers should consider the need for flexibility, affordability, and efficiency.

Overview and Initiation of the Privacy Impact Assessment

Section 30 of the PSEA confirms that appointments must be made on the basis of merit, and Section 36 states that sub-delegated managers my use any assessment method it considers appropriate to determine whether a person meets the qualifications in order to demonstrate merit. The collection and use of this assessment information is consistent with the purposes identified in the Personal Information Bank PRN 920.

WSS has decided to contract with VidCruiter. The VidCruiter suite of applications records personal information in order to assess candidates with virtual staffing tools. With users’ consent, it captures an individual’s image / voice to facilitate the interview process, to be tested against the merit criteria, and to participate in video / audio recorded interviews all of which are part of the staffing process. The implementation of the software is considered to be a substantial modification to program delivery, which necessitates the completion of a Privacy Impact Assessment to examine the potential privacy risks, in compliance with the Directive on Privacy Impact Assessment.

Risk Area Identification and Categorization

The PIA has identified a series of privacy risks for the organization and included detailed mitigation strategies associated for each risk. These recommendations are part of an integrated privacy risk management approach designed to reduce the level of risk found within the operational environment.

The risks that were identified are mainly concentrated on the themes of Disclosure, Retention and Disposition of Personal Information and Safeguarding Personal Information. Below is a high-level summary that has been identified in the PIA report:

Administrative Risks

Level of risk to privacy: High

• A Security Assessment & Authorization (SA&A) is in progress but not yet completed for the PPSC use of VidCruiter.

Level of risk to privacy: Moderate

• There is no evidence that all HR Staffing and Assessment Committee Members have received privacy training.
• VidCruiter employees that provide technical support to users and thereby require access to personal information contained in the system are located at help desks outside Canada.

Level of risk to privacy: Low

• The Office of the Privacy Commissioner of Canada (OPC) has issued a “Public Sector alert” regarding video recording of interviews, which may lead to candidates being unwilling to partake in the assessment.
• The use of a personal device from board members in exceptional circumstances can increase the risk to the confidentiality of protected information stored on the platform.
• VidCruiter does not automatically delete information. It would be the PPSC's responsibility to ensure that it is removed from the system per the departmental retention or disposition schedule, or risk privacy complaints from individuals whose information is stored in the system beyond appropriate timelines.
• The automatic transcript feature for video and audio recordings sometimes lacks accuracy and would therefore not be a reliable primary source of information for assessing candidates.