Privacy impact assessment summary for Microsoft Office 365 cloud project
The following sections and their information requirements make up the minimum content of the core privacy impact assessment (PIA) for the Office of the Privacy Commissioner’s (OPC) project to implement the Microsoft 365 suite of cloud-based software-as-a-service applications (M365 cloud services).
The objective of a cloud services implementation projects to modernize the technology the OPC currently uses to enhance the office’s operations by providing additional functions and features beyond the OPC’s current on-premise products. This implementation will allow the OPC to achieve efficient and effective information management to support OPC program and service delivery. It also aligns with the Government of Canada (GC) cloud adoption strategy, directives and guidance.
Heads of the institution – privacy impact assessment and cloud project
- Government of Canada institution: Office of the Privacy Commissioner of Canada
- Government official responsible for the core privacy impact analysis: Sue Lajoie, Chief Privacy Officer
- Head of the government Institution / Delegate for Section 10 of the Privacy Act: Sue Lajoie, Chief Privacy Officer
- Senior official for M365 cloud implementation project: Sébastien Delisle-Côté, Chief Information Officer
Name and description of government institution
The OPC is an agent of Parliament, whose mandate is to oversee the protection and promotion of privacy rights. This includes ensuring compliance by government institutions with the Privacy Act with respect to their handling of the personal information. In addition, the OPC oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.
The OPC accomplishes its mandate through activities such as investigating privacy complaints, research, conducting audits, initiating court actions, reporting to the public and promoting public awareness through outreach initiatives. The OPC is also, as a government institution, subject to the provisions of the Privacy Act and the Access to Information Act.
Legal authority
The OPC is empowered under the Privacy Act and PIPEDA to receive and investigate complaints, carry out audits and engaged in other activities to protect and promote the privacy rights of individuals. Pursuant to these statutes, the OPC has legal authority to collect, use and disclose information including personal information to accomplish its mandate.
The OPC has the authority to manage its own information technology infrastructure and information holdings by virtue of section 161 of the Financial Administration Act, and applicable TBS directives and policies.
Shared Services Canada is authorized pursuant to sections 6 and 8 of the Shared Services Canada Act and Order in Council P.C. 2015-1071 of July 16, 2015 to provide to the OPC services related to end-user information technology (IT); services related to email, services related to data centres and services related to networks.
In accordance with Treasury Board’s requirements governing the use of cloud services by government institutions, the OPC employs the cyber defence services of the Canadian Centre for Cyber Security (CCCS), a division of the Communications Security Establishment (CSE). The Communications Security Establishment Act specifically authorizes CSE to “provide … services to help protect … federal institutions’ electronic information and information infrastructures”.Footnote 1 In addition, CSE is authorized to “carry out activities on or through the global information infrastructure to help protect federal institutions’ electronic information and information infrastructures”.Footnote 2
Personal Information Banks
The Privacy Act requires government institutions to identify, describe and report on their personal information banks and classes of personal information in order to inform the public and their employees about the personal information that the OPC collects, uses, retains and disposes of in support of the OPC’s functions and activities. M365 will store OPC’s information holdings: program and employee-related information containing personal information obtained in support of the OPC’s functions and activities. The M365 implementation involves a modification in:
- who will store the OPC’s personal information holdings (that is, Microsoft)
- where personal information will be stored (that is, at an external cloud storage location operated by Microsoft)
- the purposes for which the personal information will be processed, since Microsoft acknowledges processing personal information for its own purposes
The OPC currently has the following personal information banks:
Standard Personal Information Banks
| Program/Activity | PIB Number | Title |
|---|---|---|
| Acquisition Services | PSU 912 | Professional Services Contracts |
| Communications Services | PSU 915 | Internal Communications |
| PSU 914 | Public Communications | |
| Financial Management Services | PSU 931 | Accounts Payable |
| PSU 932 | Accounts Receivable | |
| PSU 940 | Acquisition Card | |
| Human Resources Management Services | PSE 920 | Recognition Program |
| PSE 902 | Staffing | |
| PSE 903 | Attendance and Leave | |
| PSE 904 | Pay and Benefits | |
| PSE 918 | Employment Equity and Diversity | |
| PSU 908 | Hospitality | |
| PSU 935 | Human Resources Planning | |
| PSU 933 | Canadian Human Rights Act – Complaints | |
| PSE 911 | Discipline | |
| PSE 910 | Grievances | |
| PSE 919 | Harassment | |
| PSE 907 | Occupational Health and Safety | |
| PSU 906 | Disclosure of Wrongdoing in the Workplace | |
| PSE 915 | Values and Ethics Code for the Public Sector/Organizational Codes of Conduct | |
| PSE 916 | Employee Assistance | |
| PSE 908 | Vehicle, Ship, Boat and Aircraft Accidents | |
| PSE 906 | Official Languages | |
| PSE 912 | Employee Performance Management Program | |
| PSU 911 | Applications for Employment | |
| PSE 901 | Employee Personnel Record | |
| PSU 934 | EX Talent Management | |
| PSU 917 | Personnel Security Screening | |
| PSU 910 | Relocation | |
| PSE 905 | Training and Development | |
| Information Management Services | PSU 901 | Access to Information Act and Privacy Act Requests |
| PSU 936 | Library Services | |
| Information Technology Services | PSU 905 | Electronic Network Monitoring |
| Management and Oversight Services | PSU 938 | Outreach Activities |
| PSU 902 | Executive Correspondence | |
| PSU 942 | Evaluation | |
| PSU 941 | Internal Audit | |
| Materiel Services | PSE 908 | Vehicle, Ship, Boat and Aircraft Accidents |
| Travel and Other Administrative Services | PSE 914 | Parking |
| PSU 918 | Governor in Council Appointments | |
| PSU 919 | Members of Boards, Committees and Councils | |
| PSU 903 | Business Continuity Planning | |
| PSU 923 | Disclosure to Investigative Bodies | |
| PSU 908 | Hospitality | |
| PSU 909 | Travel | |
| PSE 917 | Identification Cards and Access Badges | |
| PSU 906 | Disclosure of Wrongdoing in the Workplace | |
| PSU 917 | Personnel Security Screening | |
| PSU 939 | Security Incidents and Privacy Breaches | |
| PSU 907 | Security Video Surveillance and Temporary Visitor Access Controls Logs and Building Passes |
Institutional-specific Personal Information Banks
| Program/Activity | PIB Number | Title |
|---|---|---|
| Compliance Activities | OPC PPU 005 | Privacy Complaints and Investigations |
| OPC PPU 001 | Privacy-related enquiries | |
| OPC PPU 008 | Privacy Commissioner Ad Hoc - Complaints and Investigations | |
| OPC PPU 004 | Notifications to OPC - Public Interest Disclosure | |
| OPC PPU 006 | Notification to OPC Under PIPEDA Where Access to Personal Information Is Not Given | |
| Research and Policy Development | OPC PPU 003 | Publication Requests |
Risk area identification and categorization
| a) Type of program or activity | Risk scale |
Applicable |
|---|---|---|
| Program or activity that does not involve a decision about an identifiable individual | 1 | Yes |
| Administration of program or activity and services | 2 | Yes |
| Compliance or regulatory investigations and enforcement | 3 | No |
| Criminal investigation and enforcement or national security | 4 | No |
| b) Type of personal information involved and context | Risk scale | Applicable |
|---|---|---|
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 | Yes |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 | Yes |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 | Yes |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 | Yes |
| c) Program or activity partners and private sector involvement | Risk scale |
Applicable |
|---|---|---|
| Within the institution (among one or more programs within the same institution) | 1 | Yes |
| With other government institutions | 2 | Yes |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments | 3 | No |
| Private sector organizations, international organizations or foreign governments | 4 | Yes |
| d) Duration of the program or activity | Risk scale |
Applicable |
|---|---|---|
| One-time program or activity | 1 | No |
| Short-term program or activity | 2 | No |
| Long-term program or activity | 3 | Yes |
| e) Program population | Risk scale |
Applicable |
|---|---|---|
| The program's use of personal information for internal administrative purposes affects certain employees. | 1 | No |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 | Yes |
| The program's use of personal information for external administrative purposes affects certain individuals. | 3 | Yes |
| The program's use of personal information for external administrative purposes affects all individuals. | 4 | No |
| f) Technology and Privacy (A YES response to any of the questions posed below indicates a potential privacy risk requiring consideration and, if necessary, mitigation) | ||
|---|---|---|
| Question | Yes | No |
| Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? | X | |
| Does the new or substantially modified program or activity require any modifications to information technology legacy systems? | X | |
| Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities? | ||
| Enhanced identification method | X | |
| Surveillance | X | |
| Automated personal information analysis, personal information matching and knowledge discovery techniques | X | |
| g) Personal information transmission | Risk scale | Applicable |
|---|---|---|
| The personal information is used within a closed system (that is, no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 | No |
| The personal information is used in a system that has connections to at least one other system. | 2 | Yes |
| The personal information is transferred to a portable device (that is, USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 | Yes |
| The personal information is transmitted using wireless technologies. | 4 | Yes |
| h) Impact of a privacy breach on the individual or employee | ||
|---|---|---|
| Question | Yes | No |
| Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee. | X | |
| i) Impact of a privacy breach on the institution Comment | ||
|---|---|---|
| Question | Yes | No |
| Potential risk that in the event of a privacy breach, there will be an impact on the institution. | X | |
- Date modified: