Privacy Impact Assessment Summary for the Enterprise Mobile Device Management (EMDM) service

Purpose

When Blackberry decided to no longer produce Blackberry devices, Shared Services Canada (SSC) launched the EMDM service for SSC and partner organization employees. We designed and delivered this Service to:

• Introduce two new Mobile Device Platforms
• Build a service strong enough to manage all Government of Canada mobile devices

Description

Our authority to collect personal information for this service lies in Section 6 of the Shared Services Canada Act and Order-in-Council (PC) Numbers 2015-1071 and 2016-0368.

EMDM collects name and business contact information. This includes user name and password for email services. It may also include the Government of Canada (GC) PKI credentials (PIB SSC PCU 606 - Internal Credential Management Services).

Why the PIA was necessary

In reviewing the EMDM service, we found that while SSC collects very little personal information:

• Partner organizations are responsible for personal information under their control
• the mobile device collects personal information such as biometric and password data it stores in its own internal secure enclave
• EMDM users may provide personal information knowingly or unknowingly directly to third parties. Examples include IT Vendors such as Apple, Google, or by applications or “apps”, which are not subject to the Privacy Act, program legislation or government privacy policies.

PIA findings and mitigation measures

The PIA evaluated:

• the new Samsung/Android and iOS Mobile Device Platforms
• the new service infrastructure identified in the EMDM Roadmap 1.4 release

Note: We will describe future updates to the EMDM service that affect privacy in PIA addendums.

The PIA did find privacy risks. We have addressed them through a team approach and the risk has since been lowered. Together, we agreed on the best technical solutions, security controls and user guidance to put in place.

SSC will always act to reduce risks, because privacy and security are part of our continuous risk management process.