Privacy Impact Assessment for the Hosted Contact Centre Service

Executive summary

The Hosted Contact Centre Service project will oversee the procurement of, and migration to, a government-wide hosted, managed and tailored contact centre service. It will allow Shared Services Canada’s partner departments and agencies to interact with Government of Canada clients efficiently and effectively.

Clients will be able to contact partner departments and agencies by:

• phone
• Centrex
• Private Branch Exchange
• Voice over Internet Protocol
• Video (in the future, upon partner request)
• text messaging (in the future, upon partner request)
• email (in the future, upon partner request)

Currently, Shared Services Canada provides service to contact centres in 435 locations by employing more than 15,000 employees using multiple technologies. Call centres are organized by the type of service or business lines supported such as old age security, service help desk, pension, debt management, taxes, and so on.

The new Hosted Contact Center Service will streamline customer service by drawing upon the Government of Canada’s vision for digital government and emphasis on cloud-based solutions. It will consolidate, stabilize, and modernize eight complex information technology and communications systems.  These systems coordinate telephone and electronic contacts between federal departments and Canadians. The Hosted Contact Center Service will be providing a solution that balances features, value for money, and business continuity requirements.

Overview

IBM will manage the Hosted Contact Center Service for Shared Services Canada and its partner organizations. IBM and government employees of the Hosted Contact Center Service will work in accordance with The Privacy Act by only collecting, using, or disclosing personal information of clients or citizens needed to administer the service.

Shared Services Canada will continue to respect the core values of Canadians by implementing measures to safeguard privacy and security as part of the framing, design and implementation of the Hosted Contact Center Service.  The authority to collect personal information for this service is from Section 6 of the Shared Services Canada Act and Order-in-Council (PC) Numbers 2015-1071 and 2016-0368.

Shared Services Canada is mandated to manage information technology infrastructure services for email, data centres, and services related to networks for its partner organizations. The records of all organizations contained in or carried on Shared Services Canada’s systems are not, for the purposes of the Access to Information Act and the Privacy Act, considered under its control. This is in keeping with sections 15 and 16 of the Shared Services Canada Act.

This privacy assessment covered the personal data that will be collected to deliver, run and manage the Hosted Contact Center Service infrastructure. Each department will have different privacy risks depending on their needs and services. They must hold their own privacy impact assessments to make sure that privacy risks will be met for their unique needs and services.

Privacy risk mitigation

The overall risk assessment rating for this Privacy Impact Assessment is medium, and an action plan was drafted for mitigation purposes.

Shared Services Canada’s Hosted Contact Centre Service will provide an infrastructure to handle and protect information designated up to and including Protected B level. The Hosted Contact Centre Service went through a full Security Authorization and Authorization process. This Privacy Impact Assessment examined all residual risks in the resulting report. Shared Services Canada must share copies of the approved Privacy Impact Assessment and other relevant documents with partners or other government institutions before beginning this service, as required. It must also respect security needs and any other confidentiality or legal consideration. This Privacy Impact Assessment is in keeping with:

• the Treasury Board Directive on Privacy Impact Assessment
• guidance from the Office of the Privacy Commissioner
• the Shared Services Canada Directive on Conducting Privacy Impact Assessments
• the Standard on the Code of Privacy Principles, and
• the ten universal privacy principles found in the Canadian Standards Association’s Model Code for the Protection of Personal Information

Shared Services Canada takes the protection of Canadians’ information very seriously. The department is committed to mitigating the medium and low residual privacy risks that were identified in this process. Before changing services or carrying out other plans that may need assessments and addendum(s) for this Privacy Impact Assessment, Shared Services Canada will consult with:

• Information Technology Security and Privacy Risk Management
• Cyber and Information Technology Security, and
• The Access to Information and Privacy Protection Division