GCKey - Government of Canada Branded Credential Service

Executive Summary

The goal of Cyber Authentication Renewal is to provide end-users choice in the credentials they use to authenticate online to Government of Canada programs and services and to provide Government of Canada departments and agencies with the flexibility to determine authentication solutions commensurate with the security needs of their programs and services.

The purpose of the GCKey initiative is to develop a system that will be used to issue, manage and validate anonymous credentials for individuals that wish to make use of Government of Canada Online Services on behalf of themselves or on behalf of an organization.

The personal information that is collected and used for registering and managing GCKey will be described in the Personal Information Bank PCU 607 External Credential Management. The personal information may include username, password, password recovery questions and responses, Persistent Anonymous Identifier or Meaningless But Unique Number and Internet Protocol address. The GCKey is an anonymous external credential management service, where individuals will not be directly identifiable by the resulting credential.

Overview

Under the initial Program Activity Architecture developed for Shared Services Canada, GCKey will be a Program of the strategic outcome, “Mandated services are delivered in a consolidated and standardized manner to support the delivery of Government of Canada programs and services for Canadians”, under the Activity, “Efficient and effective IT infrastructure services are delivered across Government of Canada”. This Program Activity is further described as enterprise-wide consolidation in the areas of email, data centres and telecommunications. It improves the overall efficiency, reliability and security of IT infrastructure.

Transformation, Service Strategy and Design, Enterprise Architecture is Shared Services Canada’s branch responsible for delivering this activity but the Treasury Board of Canada Secretariat, Chief Information Officer Branch, has the lead for the Government of Canada Cyber Authentication Initiative.

The Privacy Impact Assessment approval authority resides with the President of Shared Services Canada and her designated delegate is the Director of Access to Information and Privacy.

The legal authority for Shared Services Canada to collect personal information for this program derives from Order-in-Council No. 2011-0877 made pursuant to the Public Service Rearrangement and Transfer of Duties Act. On June 29, 2012, the Shared Services Canada Act received Royal Assent and is now Shared Services Canada’s legal authority to collect personal information for its programs.

Privacy Risk Mitigation

The Privacy Impact Assessment has been prepared in close consultation with the Treasury Board Secretariat and the analysis of the risks was made against the ten universal privacy and fair information practice principles of the Canadian Standards Association Model Code for the Protection of Personal Information.  In addition, the Privacy Impact Assessment includes details on the technology such as the service design, the threat analysis and description of the technical safeguards provided to protect personal information. Shared Services Canada takes the protection of Canadians’ information very seriously and is committed to taking further action to mitigate the low residual privacy risks that were identified in the process.

To openly account for the personal information collected for this program, the proposed new Personal Information Bank 607 for the GCKey service is currently being reviewed and finalized.