TEAM application

Executive summary

On January 1, 2010, Treasury Board Ministers approved the policy on the Stewardship of Financial Management Systems (FMS). This policy took effect immediately, replacing the policy on Financial Systems and Controls dated October 1, 1996. The objective of this policy is to ensure that financial management systems deliver more accurate, reliable, accessible and timely financial information.

To achieve these objectives, the policy on the Stewardship of Financial Management Systems sets out the responsibilities of deputy heads as they relate to financial management systems:

  1. Providing leadership and strategic direction for their departmental FMS, business processes and data;
  2. Ensuring prudent investments are made in FMS that meet operational requirements and that are aligned with the strategic direction for FMS across government, in compliance with Treasury Board directions;
  3. Allocating appropriate resources to ensure a timely implementation of standardized configurations of FMS, common financial management business processes and common enterprise data requirements as defined by the Office of the Comptroller General (OCG);
  4. Assigning a departmental representative to the relevant FMS cluster group, where they will actively participate to ensure that departmental business needs are considered in that forum while adhering to OCG direction for FMS.

This report contains a Privacy Impact Assessment (PIA) for seven business functions supported by the TEAM application. TEAM provides financial and materiel functions for both the RCMP and Public Safety Canada (PSC), supporting each organization's responsibilities for Budget Accountability, Expenditure Control, Revenue Management, Materiel Management, Earned Independence, Corporate Systems Integration (CSI), Project & Portfolio Management and Investment Planning.

Although an administrative system, TEAM plays a vital role in the management of the two departments: it processes all of their financial transactions and provides the information the Government of Canada (GoC) requires for the Public Accounts. TEAM is an integrated system procured from SAP by the GoC through the Treasury Board Secretariat (TBS) Shared Systems Initiative.

As part of the ongoing commitment to maintain the latest versions of the SAP product suite and capitalize on shared efforts, the RCMP upgraded from SAP version 4.7 to the SAP ECC 6.0 product in November 2011. This upgrade positioned the RCMP to support the ongoing development of new business functions in TEAM and future GoC initiatives.

The subjects of this Privacy Impact Assessment are the following seven business functions that relate to personal information in TEAM:

  1. Direct Deposit (DD)
    Solution that pays employees directly to their bank accounts for travel-related claims;
  2. Housing Rental Calculations (HRC)
    Solution that captures spousal and dependent information to produce housing rental calculations;
  3. Salary Forecasting (SF)
    Solution that uses employee classification and salary information to produce salary forecasts;
  4. Travel (TR)
    Solution that supports all aspects of travel authorization and claims processing;
  5. Shift Scheduling (SS)
    Solution for Members and employees that allows work shifts to be scheduled electronically;
  6. Extra Duty Pay (EDP)
    Solution for extra duty pay entitlements for Members that streamlines the approval and payment process through to the Member Pay System (MPS);
  7. Delegation of Financial Signing Authority (DFSA)
    Solution that assigns signature cards to selected employees to grant them specific levels of financial authority.

Though the TEAM application contains limited personal data, its risk profile is significantly influenced by the number of financial processes it supports and the breadth of its user base across the RCMP organization.

The following are the primary recommendations:

1. Personal Information Banks (PIB)

Treasury Board Secretariat has developed Standard Personal Information Banks to describe personal information that may be found in records created, collected and maintained by most government institutions to support common internal functions, programs and activities. Section 11 of the Privacy Act requires that government institutions describe their personal information holdings in the relevant section(s) of Info Source. As a result, it is mandatory that the RCMP register with TBS any missing PIBs applicable to the TEAM business functions, as part of the program's responsibility.

Recommendation #1: The RCMP ensures that Standard Personal Information Bank numbers PSU 931, PSE 903, PSU 935, and PSE 904 are registered with TBS as related to TEAM, by September 30, 2015. This ensures that the RCMP is compliant in posting up-to-date PIB information in Info Source where the creation, collection and maintenance of employee personal information is concerned. These standard PIBs support the collection of personal information by the RCMP for the purposes of the seven TEAM business functions that are the subject of this Privacy Impact Assessment.

2. Unclear control of personal information

TEAM is used to capture personal information to support the following business functions: Direct Deposit, Shift Scheduling, Housing Rental Calculations, Salary Forecasting, Delegation of Financial Signing Authority, Travel, and Extra Duty Pay. The RCMP has both custody and control of personal information while the information is resident in TEAM. The RCMP provides personal information to Public Works and Government Services Canada (PWGSC) with the understanding that the personal information provided is used directly in relation to the purposes for which it is intended and in accordance with applicable legislation or regulation. The method of sharing the information did not change with the new architecture; however, this is an opportune time to formalize the confidentiality agreement between the parties (i.e. the RCMP and PWGSC).

Recommendation #2: Development of a formal agreement for information provided to third parties that acknowledges their legal responsibility for the protection of personal information provided to them in accordance with the Privacy Act. A plan to address all formal agreements will be prepared by March 31, 2016. All formal agreements will either be provided to the OPC or will be available on demand by March 31, 2017.

3. PIA executive summary

The Treasury Board Directive on Privacy Impact Assessments and the RCMP PIA Policy (Admin Manual III) require that an Executive Summary be posted to the corporate website to advise the general public on how their personal information is collected, used, disclosed, retained and disposed of. The summary also outlines the privacy risks linked to the collection of personal information for the purposes of TEAM, as well as the mitigating measures developed by the RCMP to reduce and/or eliminate these risks. Publication of the summary should take into account security requirements and other confidentiality or legal considerations.

Recommendation #3: By December 31, 2015, the RCMP posts a TEAM PIA Executive Summary, in both official languages, to the corporate website that explains the purpose of the TEAM PIA, identifies the privacy risks, and outlines the mitigating measures developed by the RCMP to reduce and/or eliminate those risks.

4. Risk Mitigation Plan Implementation, Threat and Risk Assessment - TEAM

A Threat and Risk Assessment (TRA) was conducted for the TEAM system in 2014. The assessment determined the safeguards necessary to mitigate risk to the appropriate level based on the sensitivity and criticality of the assets being evaluated. The assessment complies with the Policy on Government Security (PGS) and the Operational Security Standard: Management of Information Technology Security (MITS), both issued by the Treasury Board of Canada Secretariat. The report noted that the business function improvements in TEAM require the system to communicate with additional systems and devices beyond its existing connections, each of which extends the boundary that must be protected. These systems are: Human Resource Management Information System (HRMIS), Fax Server, Bar Code reader, Managed Secure File Transfer Server, Solution Manager Server, Database Servers, SAP Content Server, uPerform Server, Email Server, SAP router, and Production Mainframe. The TEAM system was found to be at a medium level of assessed risk. The RCMP's target risk is low, as per the TRA conducted by the CIO Sector. Safeguards were recommended to lower the risk, and the recommendations were prioritized. A Risk Mitigation Plan was developed and accepted by the RCMP DSO. Its safeguards were as follows:

  1. Public Safety Canada to implement strong two-factor authentication (2FA) for access to TEAM from its network. Status: Completed.
  2. Control-M agent to be moved within the Protected B TEAM environment. Status: Completed.
  3. Bar Code credential file residing on the Telnet Server to be encrypted or otherwise properly safeguarded to prevent unauthorized access to TEAM. Status: Interim solution approved, but not yet completed.
  4. Remote vendor access process to the TEAM Production environment to be defined and approved. Status: Process identified, but not yet completed.
  5. uPerform Help File Server to be moved within the Protected B TEAM environment, as it is a component of the system. Status: Completed.

Recommendation #4: To achieve the RCMP's target risk level of low for the TEAM system, all recommended safeguards must be implemented within 24 months, as outlined in the TEAM Threat and Risk Assessment dated March 7, 2014. At the time of writing, 3 of the 5 recommended safeguards have been implemented.

5. Notice at collection of data – TEAM self-serve portal

In completing the PIA, a gap was identified in how the purpose of, and authority for, the collection of data in this new functionality is communicated to the user. The portal should be updated to include this information.

Recommendation #5: By September 30, 2015, additional information should be added to the self-serve TEAM portal so that users understand the purpose of, and authority for, the collection of their personal data.
