Direction on the Security Categorization of Personal Information in the Aggregate

Purpose

The purpose of this Security Policy Implementation Notice is to:

  • support institutions in understanding existing TBS security policy requirements on security categorization when it comes to the aggregation of personal information; and,
  • provide guidance to institutions to protect personal information while enabling the delivery of trusted digital services.

Scope

This notice applies to personal information managed by the Government of Canada (GC) for the express purpose of delivering government programs and services to individuals. Examples may include programs and activities that deliver benefits, health information, taxation and financial information, or applications for services. Institutions with such systems are directly impacted by this notice.

Definitions

This notice should be read in conjunction with the Directive on Security Management Appendix J: Standard on Security Categorization, wherein:

  1. Aggregation means a group of information resources or assets.
  2. Protected B means information for which the unauthorized disclosure could reasonably be expected to cause serious injury outside the national interest.

Effective date

This notice is effective as of June 1, 2023.

Application

This notice applies to institutions as defined in section 2 and any other entities included in Schedules IV and V of the Financial Administration Act unless excluded by specific acts, regulations or orders-in-council.

Context

To improve the delivery of GC services to individuals, some institutions are modernizing their information repositories. New solutions can offer significant opportunities in support of the GC’s ongoing digital transformation. This may result in the aggregation of personal information of individuals that was previously managed in separate information repositories.

When developing new information repositories, the evaluation of information security from the perspective of injury due to aggregate disclosure or aggregate inference may cause institutions to consider enhanced security measures to address these issues.

Care must be taken by institutions to appropriately safeguard the personal information of individuals, while also delivering services consistent with the principles of digital government.

Direction

The personal information of individuals that is used to deliver GC services and benefits should be categorized as no higher than Protected B. This is consistent with the use of such information to deliver digital services to individuals. This categorization is not affected by the degree of aggregation or by where the information is stored, including in the cloud. Institutions seeking exceptions must request approval through the Enterprise Architecture Review Board.

This notice should not be interpreted to mean that all systems with Protected B information face the same security threats or can be protected using identical security controls. Aggregated datasets may provide a more valuable target to malicious actors and therefore may warrant higher levels of protection and assurances. For IT systems that provide service delivery and contain the personal information of individuals receiving that service, the standard IT security profile should be reviewed by departmental IT security authorities to determine if those systems require additional safeguards.

Institutions should consult the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) for further guidance. They should also seek advice from the Canadian Centre for Cyber Security to implement the correct combination of IT security controls to maximize the resiliency of these systems.

System Design Considerations

Institutions are not directed to either upgrade or downgrade existing IT systems in the context of this notice, notwithstanding updated risk assessments or the introduction of new requirements. When replacing or upgrading existing IT systems, it is strongly recommended that institutions consider future interoperability between service delivery systems. There may be advantages to standardizing on a given level of protection to enable cross-connectivity in the future.

Consideration should also be given to the full lifecycle of information management within a system and how that can affect aggregation and security concerns. Options such as having transactional data reside on a system to enable service to individuals while storing long-term archives separately or offline to mitigate aggregation risk should be considered. System owners should consult both IT security specialists and privacy officials early in the process of information architecture design and system development.

Finally, aggregation can also alter the impact to individuals if the system containing that aggregated information becomes unavailable or compromised. A clear understanding of such impact should be factored into service design and delivery and business continuity management. Institutions should consult the Guideline on Service and Digital and the Directive on Security Management Appendix D: Mandatory Procedures for Business Continuity Management Control.

Privacy Considerations

In certain situations, the aggregation of data in systems may require a Privacy Impact Assessment (PIA). As described in the Directive on Privacy Impact Assessment, these assessments evaluate privacy risks and associated mitigation measures. Privacy officials can assist in determining when a PIA is required. The Digital Privacy Playbook is an interactive tool with checklists and links to material to support institutions incorporating appropriate privacy practices at the right time.

The Privacy Implementation Notice on De-Identification explains methods of de-identification which can aid in mitigating the impact to individuals in the event a system is breached. If a privacy breach occurs, institutions should consult the Privacy Breach Management Toolkit and the Privacy Implementation Notice 2022-01: Cyber security incidents involving personal information.

Enquiries

Individuals in institutions should contact their departmental Security group, privacy officials, and Chief Information Officer (CIO) organization for information about this notice.

Individuals in a departmental Security group may contact the Security Policy Division at TBS by email at SEC@tbs-sct.gc.ca for interpretation of any aspect of this notice.

References

Legislation

  • Access to Information Act
  • Accessible Canada Act
  • Financial Administration Act
  • Privacy Act

Related policy instruments

  • Policy on Government Security
  • Policy on Privacy Protection
  • Policy on Service and Digital
  • Directive on Privacy Practices
  • Directive on Privacy Impact Assessment
  • Directive on Security Management
  • Directive on Service and Digital
