Email Transformation Initiative -


Table of contents


The Government of Canada (GC) launched Shared Services Canada (SSC) on August 4, 2011, with the mandate to fundamentally change how the Government delivers and manages its aging IT infrastructure. The first of three strategic priorities is to move SSC and 43 GC departments and agencies (Partner organizations) to one consolidated, efficient, secure and modern email system through the Email Transformation Initiative (ETI). To this end, SSC announced on June 25, 2013, that Bell Canada, in partnership with CGI Information Systems and Management Consultants Inc., was selected through a competitive process to deliver the GC’s new email solution.

Shared Services Canada and its partner organizations will migrate to in 2015 and 2016.


Collection and use of the personal information provided for account, is in accordance with the federal Privacy Act. On June 29, 2012, the Shared Services Canada Act received Royal Assent and is SSC’s legal authority to collect personal information for its programs. Order-in-Council (PC) Number 2015-1071 confers upon SSC the legal authority to provide services related to email. Legal authority is also embedded in sub-section 6 (a) of the Shared Services Canada Act which allows the Governor in Council to specify the services that the Minister must provide through SSC.

The Email Transformation Initiative will move 43 Government of Canada partner organizations from numerous email services to, a common, modern, consolidated, secure, more reliable and more cost-effective email system that will:

  • improve workplace efficiency and productivity;
  • eliminate costly duplication;
  • improve service to Canadians by facilitating access to the Government;
  • raise the overall level of security to better deal with cyber threats; and
  • have one government employee email directory instead of many separate organization-based directories. is based on Microsoft Exchange/Outlook. Government email addresses will be simplified to the “” suffix, thus eliminating acronyms that currently identify departments and agencies in email addresses.

Why the Privacy Impact Assessment was Necessary

A PIA is mandatory under the Treasury Board of Canada’s Directive on Privacy Impact Assessment for all new or redesigned GC programs and services. PIAs are used to identify the potential privacy risks, reduce or eliminate those risks and help create a privacy–sensitive culture. From the outset of the Email Solution, SSC determined that the initiative necessitated a PIA.

The ETI is a complex project that involves converting 63 separate email systems and three technology platforms of 43 different organizations to a new system. The PIA was prepared by a multi-disciplinary team comprised of SSC subject matter experts in IT security, IT architecture, project management and access to information and privacy across three branches: Cyber and IT Security, Networks and End Users and Corporate Services. This PIA followed a comprehensive process as outlined in the Treasury Board, Directive on Privacy Impact Assessment.

Privacy Impact Assessment Objectives

The PIA follows the components and format articulated by the Treasury Board Directive on Privacy Impact Assessment which entails a comprehensive methodology.

SSC is committed to implementing measures that respect the core values of Canadians by ensuring privacy and security are highlighted in its framing, design and implementation of new programs and initiatives. Consequently, SSC considered privacy concerns and risks from the outset of ETI. The contract set out clear and concise clauses related to how personal information was to be treated, for example, the Crown owns and controls all personal information.

SSC developed the privacy and security contracting requirements with representation from the Office of the Privacy Commissioner, Communications Security Establishment, Treasury Board of Canada Secretariat Chief Information Officer Branch and other IT, architecture, business, privacy and security experts. Not including the security provisions, there are approximately 90 privacy controls specified in the contract for provisioning email service. They encompass the control, collection, use, disclosure, safeguarding, retention and disposal of personal information, maintaining its accuracy, integrity, in addition to building a privacy management plan, and meeting audit requirements, complaints, breaches, data sovereignty and liability provisions.

Privacy Impact Assessment Findings and Risk Summary

Only SSC has the authority to collect and control personal information required to provision the email service. This personal information includes, for example, email account identifiers, user ids, password and password recovery questions and answers. Partner organizations have the authority to collect and control all other personal information related to email (i.e., email subject lines, attachments and content of the email message).

In keeping with the guidance from the OPC and the TB Directive, all of the privacy risks identified in the PIA have been aligned with the 10 universal privacy principles found in the Canadian Standards Association’s (CSA’s) Model Code for the Protection of Personal Information.

Action Plan – Risk Mitigation

Several privacy measures have been built into the design of the new email system such as encryption, username and password credentials, no data matching and extensive controls limiting access to only those who need to know.

The PIA and the accompanying privacy risk and security action plans will be monitored and updated to ensure that the documents remain relevant and form part of the ETI overall risk management framework for the initiative.

Requests for Information

Only SSC has the authority to collect and control personal information required to provision the email service. This personal information includes, for example, email account identifiers, user ids, password and password recovery questions and answers. Therefore, any requests for information under the Access to Information Act regarding the email service as well as any requests under the Privacy Act for personal information collected and used to administer email accounts should be directed to SSC’s Access to Information and Privacy Protection Division by email to

Partner organizations have the authority to collect and control all data related to email content (i.e., email subject lines, attachments and body of the email message). Since organizations are responsible for the content of their employees’ emails, requests for actual email exchanges under the Access to Information Act or Privacy Act should be forwarded to the respective Access to Information and Privacy Office.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: