Office 365 – Interim Instance - Privacy impact assessment summary

Introduction

An interim implementation of Office 365 will be made available to all Statistics Canada employees to allow for effective collaboration, outside of Statistics Canada’s network, during the COVID-19 crisis. It is expected that this will be in place until October 31, 2020, after which time it will be shut down. Processes will be in place to ensure that information will be managed in accordance with Information Management practices as the interim implementation is shut down.

Objective

A privacy impact assessment for the implementation of Office 365 was conducted to determine if there were any privacy, confidentiality or security issues with this interim solution and, if so, to make recommendations for their resolution or mitigation.

Description

An interim implementation of Office 365 will be made available so that Statistics Canada employees are able to work collaboratively on documents that are not protected or classified, using their personal devices. This will reserve limited network bandwidth for mission-critical programs. The Office 365 platform will provide the means for employees to collaborate effectively through the applications that are included in the platform.

Office 365 offers a cloud-based version of the core Microsoft products, such as Excel, Word, PowerPoint and Outlook, with enhanced collaboration functionalities, such as multi-user editing of documents in real time. Office 365 also includes Microsoft Teams, a collaboration hub with integrated instant messaging, video conferencing, group channels and file sharing capabilities.

No protected information collected under the authority of the Statistics Act will be permitted in this environment. No personal information of clients and employees will be collected, used, or stored. Examples of communications that should not take place on this platform include those relating to information protected under the Statistics Act, and other protected information such as an employee’s labour relation status or compensation, memoranda to cabinet or Treasury Board submissions, options or advice to senior management on subjects of national interest, or dealings with companies which include information about their businesses.

The only exception for the inclusion of personal information is the personal profile. An employee may choose to create a personal profile and include some limited personal information, such as a description of their projects, skills and expertise, education, interests and hobbies. Entry of this information is voluntary and requires employees to actively choose to do so.

Risk Area Identification and Categorization

The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:

a) Type of program or activity
Program or activity that does not involve a decision about an identifiable individual. Risk scale: 1
b) Type of personal information involved and context
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. Risk scale: 1
c) Program or activity partners and private sector involvement
With other government institutions. Risk scale: 2
d) Duration of the program or activity
Short-term program or activity. Risk scale: 2
e) Program population
The program's use of personal information for internal administrative purposes affects certain employees. Risk scale: 1
f) Personal information transmission
The personal information is transmitted using wireless technologies. Risk scale: 4
g) Technology and privacy
The Office 365 platform comes with a variety of cloud-based applications (such as Teams, Excel, Word, SharePoint, PowerPoint, etc.) that allow employees to collaborate off the Statistics Canada network on non-protected and unclassified material. Employees will not be able to access any material on Statistics Canada’s network using this platform. No changes to existing IT systems are required.
h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.
There is a very low risk of breach of personal information. With the exception of personal profiles that may be created by employees, no personal information should be stored on the Office 365 platform.

Conclusion

This assessment of the interim instance of Office 365 did not identify any privacy risks that cannot be managed using existing safeguards.
