Privacy Impact Assessment Summary of the Digital Communications and Collaboration (DCC) Service
Purpose
With the Bell contract for YES email due to expire in December 2021, and the need to provide the GC workforce with integrated cloud-based tools, SSC launched the Digital Communications and Collaboration (DCC) Solution to:
- onboard departmental clients to the tools and services of the M365 platform to ensure email service continuity;
- provide the GC with modern integrated email, audio/video conferencing, web-accessible desktop productivity applications, as well as a range of associated digital collaboration tools; and
- enable a smooth gradual departmental transition building on experience gained from early DCC adopters to inform the migration strategy, change management, network upgrades, identity and credential management, security monitoring and the Playbook components.
Description
Our authority to collect personal information for this service lies in Section 6 of the Shared Services Canada Act and Order-in-Council (PC) Numbers 2015-1071 and 2013-0368.
Why the PIA Was Necessary
In reviewing the DCC Solution we found that while SSC collects minimal personal information:
- Departmental client organizations, also referred to as tenants, are responsible for personal information under their control, the choice of Microsoft workloads, data elements for synchronizing to the cloud and the implementation of configuration baseline controls and features;
- The DCC Solution uses a public cloud-based solution and the Cloud Service Provider (CSP) is a multi-national global vendor, Microsoft Inc.; and
- Some of the Microsoft services provided are based in the US, which means they are not protected by Canadian privacy legislation.
PIA Findings and Mitigation Measures
The PIA evaluated DCC as a solution (i.e., DCCP 6 pathfinders (Stream 1), over 20 partners (Stream 2) and remaining departments (Stream 3)). This covers any SSC enterprise work, such as the directory-related work as it relates to identity and authentication; integration with GC Cyber defence; the migration from YES/ETI; privacy review of the configuration baseline for workload packages such as EXO, Teams and Azure AD; operational privacy processes; etc.
The PIA did find privacy risks. They will be addressed through an SSC action plan and the risks will be lowered through the best technical solutions, security controls and appropriate guidance.
The SSC DCC PIA and action plan is an evergreen assessment and we will address further updates through PIA addendums.