Summary of the Privacy Impact Assessment for the Occupational Health and Safety Information System – Workplace Compensation Claims Process
Title
Occupational Health and Safety Information System, Workplace Compensation Claims Process
Description
The Fisheries and Oceans Canada (DFO) Occupational Health and Safety (OHS) program activity is responsible for supporting managers in ensuring safe working conditions and managing workplace compensation claims for its employees. This program activity is administered in accordance with Part II of the Canada Labour Code, the Government Employees Compensation Act, Part XV of the Canada Occupational Health and Safety Regulations, and section 240 of the Federal Public Sector Labour Relations Act.
As part of its modernization efforts, DFO has implemented the Occupational Health and Safety Information System (OHASIS), a centralized digital platform that supports incident reporting and the processing of workplace compensation claims. The initiative is intended to enhance workplace safety by supporting the reporting, analysis, and tracking of safety incidents and hazards and the actions taken to address them. The system streamlines key processes such as incident reporting, investigation, and follow-up, while also supporting emergency preparedness. By digitizing these processes, the system improves data accuracy, reduces administrative burden, and enhances operational efficiency across the department.
Why a privacy impact assessment was completed
As per the Treasury Board Secretariat (TBS) Directive on Privacy Practices, a Privacy Impact Assessment (PIA) was conducted to evaluate the privacy implications associated with the collection and handling of personal information in the context of incident reporting and the processing of workplace compensation claims, as part of the design and development of the new OHASIS digitized environment. The PIA ensures that all appropriate measures are in place to protect the personal information collected and processed as part of this initiative, while also identifying, mitigating, and eliminating, when possible, any potential privacy risks for the individuals concerned.
Additional information
As part of the PIA, three mitigation measures were identified to address potential risks of non-compliance with privacy requirements. All of these measures have already been implemented.
Risk 1
Risk of non-compliance with section 4.2.30 of the Directive on Privacy Practices, on ensuring that access to personal information is limited to individuals who hold positions or functions in the program or activity that provide a valid reason to access such information.
Mitigation
Establishing a process to ensure that access to personal information is restricted to individuals with a valid reason based on their roles and responsibilities (completed).
Risk 2
Risk of non-compliance with Privacy Act requirements to limit the collection, retention, use, and disclosure of personal information.
Mitigation
Establishing a process to ensure that only personal information necessary for internal operational purposes is collected, retained, used and disclosed (completed).
Risk 3
Risk of non-compliance with privacy requirements related to the effective management and maintenance of role-based access controls.
Mitigation
Developing and implementing controls and mechanisms to govern role-based access and ensure safeguards for the access, use and disclosure of personal information (completed).
Related personal information banks
For more information about this privacy impact assessment
Access to Information and Privacy Secretariat
613-993-3115