Introduction
Microsoft 365 is an enterprise-level, cloud-based version of the Microsoft office productivity tools for creating documents, presentations, and spreadsheets, for internal communications, for managing emails, for work planning, and for other common administrative tasks. This integrated suite of tools supports the daily activities of Statistics Canada's employees, including collaboration within the organization.
Objective
A privacy impact assessment (PIA) for Microsoft 365 (M365) was conducted to determine if there were any privacy, confidentiality or security issues with this product and, if so, to make recommendations for their resolution or mitigation.
Description
Microsoft 365 will replace the Microsoft Office suite (e.g., Word, Excel, PowerPoint) and the current email system. It also provides other applications and products (e.g., Planner, Power Apps) that will help staff work effectively.
Risk Area Identification and Categorization
The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:
a) Type of program or activity
Administration of program or activity and services.
Risk scale: 2
b) Type of personal information involved and context
Personal information may include an individual's Social Insurance Number, medical, financial or other sensitive personal information, context surrounding personal information that is sensitive, personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
Risk scale: 3
c) Program or activity partners and private sector involvement
Private sector organizations, international organizations or foreign governments.
Risk scale: 4
d) Duration of the program or activity
Long-term program or activity (ongoing).
Risk scale: 3
e) Program population
The program's use of personal information for internal administrative purposes affects all employees.
Risk scale: 2
f) Personal information transmission
The personal information is transmitted using wireless technologies.
Risk scale:4
g) Technology and privacy
M365 includes updated and new office productivity applications and software tools that will support the creation, use, and storage of personal information by employees as part of their day-to-day work.
h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
There is a risk that a privacy breach could impact an individual. Depending on the type of information disclosed, the impact could include financial harm, harm to reputation, personal embarrassment or inconvenience.
The overall risk of a privacy breach is low because of system controls and procedures in place.
i) Potential risk that in the event of a privacy breach, there will be an impact on the institution
There is a risk that a privacy breach could impact Statistics Canada. Depending on the type of information disclosed, the impact could include harm to reputation, loss of confidence by employees in the security of this tool, and inconvenience. The overall risk of a privacy breach is low because of system controls and procedures in place.
Conclusion
This assessment of Microsoft 365 did not identify any privacy risks that cannot be managed using existing safeguards.