Contract Duration: 75 days
Client: Elections Canada
Response Deadline (to the client): August 21st, 2013, 3:00 PM Eastern Standard Time (EST)
Location: Ottawa (NCR)
Per diem: TBD
YOU MUST MEET ALL MANDATORY REQUIREMENTS IN ORDER TO BE ELIGIBLE FOR THIS POSITION (M1 to M5)
M1 The proposed resource must have a completed certificate, diploma, or degree from a recognized post-secondary institution.
A CV must be submitted for the proposed resource.
The CV must detail all relevant experience, the start and end date of each assignment, the duration in months, the name of the assignment or project, the organization for which the work was performed, and a description of the work performed.
M2 The proposed resource must have a minimum of five (5) years of demonstrated experience conducting/writing privacy impact assessments within the last 10 years. None.
M3 The bidder must provide two (2) detailed examples demonstrating that privacy compliance of a system was improved as a result of a PIA the proposed resource prepared. At minimum, each example must detail:
- The client organization;
- A description of the system;
- The proposed change(s) recommended in the PIA; and,
- The outcome resulting from the implementation of the proposed change(s)
Suggested length: 200-400 words per example.
M4 The proposed resource must have a minimum of five (5) years of demonstrated experience making recommendations to senior management regarding the protection of personal information. None.
M5 The proposed resource must have a minimum of five (5) years of demonstrated experience developing mitigation plans in the context of the protection of personal information. None.
4.2. PROJECT BACKGROUND
FREM is in charge of administering federal elections and referendums and, as such, must prepare lists of electors to be used and updated in the field during an electoral event. These lists of electors are updated using a system called REVISE, which is undergoing a major redesign.
The REVISE 2015 project includes all the necessary changes to the business and information technology products and services that currently support:
- the field voter registration business functions
- the use of Special Voter Rules (RO Office and external locations)
- re-engineering of voting operations (pilot project for 2015)
The core business requirements that are addressed within the scope of this project include interfaces for field users who interact with the public during revision and on polling days. REVISE 2015 is also designed to produce lists of electors and reports on various aspects of revision; keep track of electors’ voting statuses; manage polling station maintenance, etc.
Electors’ personal information is stored in the CIR in Ottawa and is updated in the field during an election using REVISE. Field staff will either receive electors’ requests in person and enter or update the electors’ personal information directly in REVISE or capture the electors’ personal information from paper forms. REVISE also interfaces with other applications that contain field staff personal information that includes other elements of information not needed for voting purposes but that are essential to the payment of these individuals.
The REVISE Privacy Impact Assessment (PIA) will allow those involved in the collection, use or disclosure of personal information to assess and evaluate privacy and security risks associated with these systems and activities, and to develop measures intended to mitigate and, wherever possible, eliminate them.
The objective is therefore to develop a PIA that will be consistent with standards established by the OPC and the TBS, and also to develop program policies, procedures and guidelines with respect to confidentiality and security breaches.
5. SCOPE OF WORK
5.1. TASKS AND ACTIVITIES
The Contractor must:
1. Meet with appropriate stakeholders of the FREM directorate and others as needed to identify and gather all relevant information for the privacy impact assessment;
2. Meet with the technical authority at least every other week to properly scope and plan the PIA and review progress;
3. Analyse data including the business processes, architecture and data flows for each initiative in order to depict the personal information flows and management of personal information (i.e., collection, use, disclosure, retention and disposition); and
4. Analyse REVISE and the revision systems and processes in the context of the Privacy Act and the latest TBS Policy on Privacy Protection, Directive on Privacy Impact Assessment and other related Directives, Guidelines and Standards. Support the development of a Privacy by Design based business process.
- Work plan timeline for scheduled activities including interviews with managers/employees (within 5 business days of contract date);
- Written status reports every other week;
- Outline describing scope for review by EC (2 reviews);
- Business Process and Data Flow tables for review;
- Initial draft and final PIA which must include:
  - all components described in Appendix C of the TBS Directive on Privacy Impact Assessment;
  - an executive summary;
  - a summary of the methodology;
  - separate sections on objectives and methodology, detailed findings, conclusions and recommendations;
  - privacy risks and associated risk mitigation strategies;
  - a recommended action plan;
  - any material used in the process of the analysis will be included in the appendix; and
  - a list of the specific actions required to meet compliance requirements of the Privacy Act and associated directives.
5.3. DELIVERABLE FORMAT
Draft deliverables may be accepted in electronic format depending on the sensitivity ratings of the deliverables and the availability of secure medium for transmission and exchange.
Soft copies must be delivered in the following formats:
5.4. LANGUAGE OF WORK
- All deliverables must be provided in English
- All work must be completed in English
Milestone 1: Work plan and scope outline ready for review. Methodology established.
Milestone 2: Business processes and data flows ready for review;
Milestone 3: First draft of PIA ready for review;
Milestone 4: Final PIA report.
The Contractor will work from a home office, except when work requires access and meetings with EC Canada staff - Ottawa or via teleconference as appropriate.