Frequently Asked Questions (FAQ) about Microsoft Office 365 Information Management in Relation to Access to Information and Privacy (ATIP)
To find out whether you can use your personal device(s) to access this solution, security implications, technical assistance, and more, please visit the Defence O365 frequently asked questions page. This FAQ will focus on Microsoft Office 365 information management in relation to ATIP.
1. What do Ineed to consider for Information Resources of Business Value (IRBV)/retention when using my personal device(s) to access my Microsoft Office 365 work account?
As many federal public servants are teleworking, institutions are reminded that they must continue to properly document their decisions as well as their decision-making processes. You must abide by these rules when using your personal device(s) to conduct work on your forces.gc.ca Microsoft Office 365 account. Likewise, you must follow these rules when you are using your personal account (e.g. gmail) to conduct work related business. Best practice is to conduct your work using your Microsoft Office 365 work account (forces.gc.ca), rather than using your own personal e-mail accounts.
When using Microsoft Office 365, any DND/CAF information asset or IRBV, in any format - including email - should be saved into the File section of Teams. Keep in mind that your One Drive should be treated as your personal Q: drive on the DWAN, and is not accessible the same way that the Teams section is.
2. Is the information ATIP-able?
All information created that is of IRBV to DND/CAF is subject to the Access to Information Act and the Privacy Act. If you use personal devices to transport DND/CAF IRBV, those information resources on the devices are subject to ATIP or legal discovery processes. Similarly, if you copy or create information resources on your home computer or other personal devices, these information resources are deemed to be under the care and control of the institution and are subject to the acts.
Best practice is to ensure all records pertaining to IRBV and/or a decision-making process are stored and retrievable from the Teams or OneDrive section of Microsoft Office 365, or are properly stored in your established record repository (i.e. GCDOCS).
3. How is the information retrieved from Microsoft Office 365 for access to information requests?
Upon receiving a formal request under the Access to Information Act or Privacy Act, a Tasking Officer in the Directorate of Access to Information and Privacy will task the relevant L1s in order to retrieve records which fall within the scope of the request. Within the L1, the Chain of Command (CoC) is responsible for retrieving the records which are under their control. The CoC is responsible for gathering all information of IRBV, which includes information saved in Microsoft Office 365 and provide it to the Tasking Liaison Officer of the L1. At the individual level, you are responsible for searching your own Microsoft Office 365 in order to gather and provide all records of IRBV (that fall within the scope of the request) to your CoC, who will put together a response that is relayed back to the Tasking Liaison Officer. Remember that you must search Microsoft Office 365, just like you would search in other electronic systems such as Outlook, GCDOCS, shared network drives, specific case management systems, etc.
4. What information would be released in response to an ATI or Privacy request?
All information that is requested that is NOT considered redactable as per the exemptions and exceptions in the ATI and Privacy Acts is subject to be released upon a request.
Best practice is to ensure emails and documents are drafted strictly to the subject matter. If subjects are mixed, information that is not relevant to the request, but not redactable, may be released.
Maintain personal email conversations separate from work related emails to ensure there is no cause for personal emails to be caught up in ATIP searches.
5. What are some additional resources that can provide further guidance and consideration on my information management roles and responsibilities while working in Microsoft Office 365?
The following links may prove helpful to you during the time you are needing to use your personal device to access the DND/CAF Enterprise Cloud Network:
Report a problem or mistake on this page
- Date modified: