M365 Privacy Impact Assessment Summary
Government Institution: Office of the Commissioner of Lobbying (OCL)
Head of the Government Institution: Nancy Bélanger, Commissioner of Lobbying
Mandate of government institution: The OCL is an independent “Agent of Parliament”, responsible for regulating lobbying at the federal level. OCL’s mandate is to ensure transparent and ethical lobbying by administering the Lobbying Act and the Lobbyists’ Code of Conduct. Responsibilities include maintaining a searchable registry of information reported by lobbyists, providing education to stakeholders, and verifying that lobbyists comply with requirements. OCL employees support the Commissioner in achieving this mandate.
Government official responsible for the program or activity: François Bertrand, Executive Director, Corporate Services
Name and description of the program or activity
Microsoft 365 (M365) is a cloud-based Software as a Service (SaaS) offering that includes the same Office apps and services as Office 365 (Word, Excel, OneDrive, Teams) with the addition of Enterprise Mobility + Security solutions. In this model, software and applications are accessed by users through the Internet and managed by Microsoft. The Office suite of applications will be installed and available on OCL workstations, or accessed as cloud versions of M365 through direct cloud access from OCL-issued computers and mobile devices connected to the OCL network. Mailboxes will be migrated to the Microsoft Exchange Online environment in the near future. The cloud service is hosted by Microsoft in two (2) Canadian data centres at present: one in Toronto and one in Quebec City. OCL will configure, implement, monitor, and report on administrator and end-user activities associated with the M365 office products and the mobile device and security solutions.
The M365 project falls under the Information Technology component under the corporate services directorate. The directorate provides the OCL workforce with activities undertaken to achieve efficient and effective use of Information Technology (IT) to support OCL priorities and program delivery, increase productivity, and enhance services to the public. It also supports the efficient management of computer equipment and associated software for both institutional computer networks and employee workstations, electronic systems development and maintenance, technical assistance and support for networks, office systems and databases, including electronic mail systems and platforms, as well as software acquisition.
Implementation of this project will enable the OCL to navigate modernization decisions while addressing current challenges, improving OCL service delivery, program delivery, and overall efficiency, and delivering more agile, flexible, and cost-effective IT services. The project will provide support services for end users and services related to sustaining the operation, maintenance, and support of the OCL IT infrastructure. M365 offers comprehensive threat prevention, detection, and response capabilities against attacks across devices, identities, apps, email, data, workloads, and the cloud. It also provides data loss prevention, mobile device, and application management capabilities. These solutions are intended to strengthen the security posture of the organization, protect workloads against modern cyberthreats, support the development of more secure applications, and help mitigate risks associated with unauthorized uses and disclosure of personal and sensitive information.
Legal authority for the program or activity
The Commissioner is empowered under the Lobbying Act, the Public Service Employment Act (PSEA), the Financial Administration Act (FAA), related regulations and orders in council, to appoint and employ officers and employees of the OCL to fulfil the Commissioner’s statutory mandate.
As a function of these statutory and delegated authorities, the OCL is authorized to collect and handle the personal information of internal employees/contractors and individuals associated with OCL institution-specific programs and activities.
The OCL has the authority to manage its own information technology infrastructure and information holdings by virtue of subsection 161(1) of the Financial Administration Act, and applicable Treasury Board Secretariat policies and directives.
Pursuant to paragraph k of the SSC Order in Council P.C. 2015-1071, the OCL is not required to receive end-user information technology services from Shared Services Canada. As such, the OCL has a memorandum of understanding with the Office of the Privacy Commissioner (OPC) to provide the hosting of the OCL Lobbyists Registration System; the OCL website and the hosting of the OCL desktop systems, servers, and support systems on the OPC IT infrastructure.
In accordance with Treasury Board Secretariat’s requirements governing the use of cloud services by government institutions, the OCL supports the cyber defence activities of the Canadian Centre for Cyber Security, a division of the Communications Security Establishment (CSE). The Communications Security Establishment Act provides the authority for CSE to provide services to help protect federal institutions’ electronic information and information infrastructures.
Privacy impact assessment objective
- Ensure that privacy is a core consideration in the initial framing of the project’s objectives and activities.
- Ensure that accountability for privacy issues is clearly incorporated into the role of project managers and stakeholders.
- Provide decision-makers with the information necessary to make fully informed policy, system design or procurement decisions based on an understanding of privacy implications and the options available for mitigating those risks.
- Reduce the risks of having to terminate or substantially review the project after its implementation in order to comply with privacy requirements.
- Provide basic documentation on the business processes and flow of personal information for common use and as the basis for consultations with stakeholders, contracts specifications, information privacy and security procedures, and communications.
- Promote awareness of the organization’s responsibilities under the Privacy Act and identify and mitigate privacy risks to an acceptable risk level.
- Serve to demonstrate how the OCL meets the legislated requirements of the Privacy Act and associated regulations and TBS privacy policy instruments.
Privacy impact assessment focus
- The information handling activities associated with each of the M365 products and services and activities performed by OCL Administrators and end-users.
- The M365 monitoring and reporting activities associated with audit and activity logs and the M365 usage and insights activities. Activities associated with information protection and data loss prevention activities.
- The creation of an OCL Microsoft Azure Cloud tenant and security baseline components and configuration settings and the security assessment and authorization report.
- The privacy and security posture at OCL.
- Microsoft’s information handling activities, configuration activities, privacy controls and security posture.
PIA scope exclusions
- The PSPC contract and the Microsoft Enterprise Service Agreement (reliance is placed on SSC’s assessment of the MSEA); CSE Cyber Defence activities; and SSC technical and operational support activities.
- The OCL Information Technology component as a whole including network monitoring activities; disaster recovery and business continuity processes; service management activities and security and operations processes and procedures.
- The information handling activities associated with the use of M365 products and services.
- Physical security and other controls associated with devices used to access services.
- Audit of the privacy and security measures implemented by Microsoft. (Reliance is placed on the information, materials and responses provided by Microsoft, which have not been verified as to the actual operation of the controls in place).
- Features and solutions identified in this PIA for information purposes or that may be implemented in the future.
Personal information banks
RDA Number: 98/001
Related Record Number: PRN 932
TBS Registration Number: TBD
Personal Information Bank Number: TBD
Type of program or activity | Risk Level |
---|---|
Program or activity that does NOT involve a decision about an identifiable individual. Personal information is used strictly for statistical / research or evaluations, including mailing lists, where no decisions are made that directly have an impact on an identifiable individual. | 1 |
Administration of Programs / Activity & Services. Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.). | 2 |
Compliance / Regulatory investigations and enforcement. Personal information is used for purposes of detecting fraud or investigating possible abuses within programs where the consequences are administrative in nature (i.e. a fine, discontinuation of benefits, audit of personal income tax file or deportation in cases where national security and/or criminal enforcement is not an issue). | 3 |
Criminal investigation & enforcement / National Security. Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). | 4 |
Level 2: Administration of Programs / Activity & Services
The IT program is identified under the category of administration of internal programs: it provides the OCL workforce with activities undertaken to achieve efficient and effective use of Information Technology (IT) to support government priorities and program delivery, increase productivity, and enhance services to the public. The project supports the efficient management of computer equipment and associated software for both institutional computer networks and employees’ workstations, electronic systems development and maintenance, technical assistance and support for networks, office systems and databases (including electronic mail systems and platforms), and software acquisition. The OCL has procured an M365 “E5” enterprise-level license for the suite of cloud-based M365 office collaboration and productivity products, Enterprise Mobility + Security (EMS), Windows 11 licences, plus advanced security solutions through the Microsoft SaaS platform.
The implementation of this project will include the use of personal information to: identify and authenticate administrators and end-users to the Microsoft cloud platform; assign role-based access controls in line with the principle of least privilege; create, protect and retain information system audit logs and records to enable monitoring, reporting, analysis, investigation and implementation of corrective actions, as required in accordance with TBS requirements; configure, monitor and enforce conditional access and data loss prevention policies to safeguard personal and sensitive information from unauthorized disclosures; manage mobile devices and applications; and provide insight and usage reporting capabilities to senior management. Personal information may also be used to evaluate application performance, manage potential security or privacy impacts, and support decision making. Personal information may be compiled to support the investigation of suspected or alleged misuse, policy non-compliance, or deliberate or inadvertent impairment or compromise of government electronic networks by persons employed by the OCL or by other individuals communicating from outside the institution. The personal information collected is organized or intended to be retrieved by the name of the individual or by an identifying number or other particular assigned to a user.
If there is suspected misuse, organizational or informational policy non-compliance, or potential compromise of the OCL’s electronic network, information collected in audit and activity logs may be used to support the OCL’s electronic network monitoring sub-activity. The project does not include compliance or regulatory investigations and enforcement; however, the OCL supports CSE in achieving its mandate for Cyber Defence activities in accordance with its legislated authority derived from the CSE Act. The CSE Cyber Defence program may collect and use personal information and records for the provision of cyber defence activities to monitor government networks to detect potential cyber threats and to analyze, evaluate, mitigate, and defend against cyber activities that threaten or potentially threaten the GC infrastructure and systems of importance to the GC.
Personal information may be collected directly from the administrator, end-user or from the hardware used to access the products and/or services.
Type of Personal Information Involved and Context | Risk Level |
---|---|
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. For example: General licensing, or renewal of travel documents or identity documents. | 1 |
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. For example: An application process with a requirement for independent verification of certain non-sensitive factual details. | 2 |
Social Insurance Number, medical, financial, or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. For example: An individual’s name on a particular list may reveal sensitive information on the health, financial situation, religious or lifestyle choices of that individual. | 3 |
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. For example: Personal information that reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and which, by association, reveals similar details about other individuals such as relatives. | 4 |
Personal information may include an individual’s name (first name, login user and/or delegate user display name, username); contact information (email addresses, email aliases, office addresses, mobile numbers); user’s role, job profile information and work location; passwords; preferred language; unique identification numbers (client IP addresses, device identification numbers, IMEI number, MAC address, Client ID, Message ID, Case ID, Item ID); sign-in and sign-out history; date and time of access, change or modification made; location data derived from hardware/devices; content of MS Teams meetings, chat history, call history and email content; images, video and audio recordings; users’ search history; document or email contents as the result of security scanning and threat detection; alert or incident case status, alert severity, risk score and risk factors; or a combination of the latter. Personal information received or sent through the institution’s specific programs and internal services activities may contain sensitive personal information of individuals communicating with the OCL or end-users.
Program or Activity Partners and Private Sector Involvement | Risk Level |
---|---|
Within the Department (amongst one or more programs within the Department) | 1 |
With other federal institutions | 2 |
With other or a combination of federal/ provincial and/or municipal government(s) | 3 |
Private sector organizations or international organizations or foreign governments | 4 |
Risk Level 1 - The Microsoft products and security solutions will be configured, operated, monitored, and maintained by the OCL IT program for use by OCL end-users. The various products and security solution features will be aligned with OCL organizational, security and information management policies; the IT program will provide support services for end users. The project will utilize the Exchange mailbox migration to transition to the new environment in the near future. The IT program is also responsible for the management of security incident handling ensuring that Microsoft’s security incident management processes align with GC security expectations.
Risk Level 2 – SSC is the Cloud Service Broker (CSB) facilitating the provision of Microsoft SaaS cloud services for the OCL. SSC will manage the relationship with Microsoft, including billing and monitoring and consumption of cloud services, and will deliver the network connectivity to connect the OCL on-premises environment to the Microsoft Azure Cloud Tenant platform. SSC is responsible for the creation and maintenance of the Microsoft Enterprise Agreement (MSEA) between SSC and Microsoft Canada.
Office of the Privacy Commissioner of Canada: OCL and the OPC have negotiated a long-term arrangement for the hosting of the OCL Lobbyists Registration System; OCL website; OCL desktop systems, servers, and support systems on the OPC IT infrastructure.
Communications Security Establishment: CSE will perform assessment activities in support of OCL’s infrastructure to help identify, isolate, or prevent harm to OCL computer systems or networks.
Risk Level 4 – Microsoft is the private sector cloud service provider (CSP) of the M365 suite of cloud-based products and services, which leverages the Microsoft Azure platform and Microsoft data centres located in Canada. Microsoft is responsible for all the underlying infrastructure, middleware, application software, and application data located in Microsoft’s data centres, and will manage the hardware and software as well as the availability and security of the applications and data.
Duration of the Program or Activity | Risk Level |
---|---|
One-time program or activity. Typically involves offering a one-time support measure in the form of a grant payment as a social support mechanism. | 1 |
Short-term program. A program/activity supporting a short-term goal with an established “sunset” date. | 2 |
Long-term program. Existing program that has been modified or is established with no clear “sunset”. | 3 |
The project is a long-term activity with no clear sunset date; the Microsoft MSEA ends in 2026 with an option to renew the service for three years. The duration of the use of M365 products and services will depend on how long Microsoft supports this solution and is contingent on future technology adoption trends.
Program Population | Risk Level |
---|---|
The program affects certain individuals for internal administrative purposes. | 1 |
The program affects all individuals for internal administrative purposes. | 2 |
The program affects certain individuals for external administrative purposes. | 3 |
The program affects all individuals for external administrative purposes. | 4 |
The use of the M365 products and service offerings is mandatory for all individuals employed or contracted by the OCL. Information is used to provision and administer the M365 product offerings, enable security solutions, and perform device and application management.
Personal information may be used to identify and authenticate administrators and users; manage mobile devices and applications; enable cloud threat protection and identify security threats and unusual behaviour, including threats in emails, links, attachments, and collaboration tools; manage and monitor incidents and alert policies; and enable automated investigation processes. Personal information may be used to help manage data services through data governance solutions, and to enable data security solutions that help discover and protect sensitive information, including data loss prevention, information barriers, information protection, insider risk management and privileged access management.
Personal information may be used to identify risky users or sign-ins, investigate, assign a risk score; enforce role-based and risk-based access control policies; assign users to specific resources. End-users who are identified as potential risky users may be monitored, tracked, and reported to senior management. Personal information may be used in aggregate form to gain insights on how the organization is adopting the various services within Microsoft 365.
The information contained in audit logs may be compiled to support the investigation of suspected or alleged misuse, policy non-compliance, or deliberate or inadvertent impairment or compromise of government electronic networks by persons employed by the institution or by other individuals from outside the institution (refer to PSU 905). Personal information may be used by CSE to assess potential threats to information technology systems subject to the assessment, and to help ensure the security of these electronic systems (refer to CSE Cyber Defence program, PPU 007).
The class of individuals affected by the M365 project includes employees of the OCL and other individuals using OCL electronic networks, including student employees; contract staff and agency personnel; members of the public; Ministerial staff; or Members of Parliament that send e-mails or attachments to individuals in the OCL.
Risk Impact to the Department | Risk Level |
---|---|
Managerial harm. Processes must be reviewed, tools must be changed, change in provider / partner. | 1 |
Organizational harm. Changes to the organizational structure, changes to the organization’s decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources. | 2 |
Financial harm. Lawsuit, additional moneys required, reallocation of financial resources. | 3 |
Reputation harm, embarrassment, loss of credibility. Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas. | 4 |
Impacts to the organization depend on the severity and nature of the breach, the breadth of personal information breached, whether it is an internal or external breach, and the impact on individuals. Impacts could include:
- Managerial harm where processes might need to be changed.
- Organizational harm if the information/data is stolen, lost, misused as a result of inadequate safeguards.
- Financial harm in the case of negligence or the disclosure of confidential information could result in a lawsuit.
- Reputation harm, embarrassment, loss of credibility; a decrease in public confidence, and an increase in attention on departmental and elected officials in the event of a material breach. A data breach would likely garner criticism from the media and ultimately may result in a further loss of credibility and trust.
This has significance for OCL due to the expectations on OCL to provide a secure cloud tenant environment while respecting the expectations of the individual where messages sent to recipients are intended to remain private. An external breach is unlikely due to the security safeguards in place by OCL and Microsoft; and the underlying assessment performed by SSC.
Risk Impact to the Individual or Employee | Risk Level |
---|---|
Inconvenience. | 1 |
Reputation harm, embarrassment. | 2 |
Financial harm. | 3 |
Physical or psychological harm. | 4 |
The risk impacts are dependent on the nature and extent of the breach and could reasonably be expected to cause varying degrees of injury to individuals. The personal information and records processed by Microsoft can be considered sensitive personal information, and the expectation of the individual would be that messages and attachments sent between the individual and the intended recipients are private.
At the lower end of the spectrum, in the event of a potential threat, the user can experience inconvenience should the Microsoft Azure environment be compromised and become unavailable. Individuals may need to seek alternate forms of communication.
Individuals could experience reputational harm or embarrassment both on the professional and personal level. Personal information may be exposed and used for purposes other than the ones intended by the end-user or the program. A breach in privacy can expose individuals to risks such as embarrassment and can result in workplace-related consequences. Individuals could also experience financial harm related to identity theft or loss of employment or business opportunity and their ability to gain employment or further their employment in the workplace. Individuals could also experience physical or psychological harm if information related to confidential investigations or to an employee’s medical condition or workplace accommodations were disclosed through an external breach.
Should information contained within the on-premises environment be compromised, the resulting breach could negatively impact the privacy interests of individuals and the trust between individuals whose information is compromised and the federal government. Compromise of the personal information specific to Azure, i.e. information needed to authenticate to the Azure administrator portal, would have a limited privacy impact on the administrator, as the personal information is limited to low-sensitivity basic contact information.
Recommendations
Privacy Risk | Risk | Risk Level | Recommendation |
---|---|---|---|
Accountability | The TBS Policy on Privacy Protection, section 4.2.1, requires the OCL to ensure that employees are aware of policies, procedures, and legal responsibilities under the Act. There is no formal privacy training for end-users; individuals may not be aware of how to protect personal information or of their legal responsibilities under the Act. | Moderate | A formal training plan should be developed to ensure that all employees are aware of the policies, procedures, and legal responsibilities under the Act. Employee training should be documented and refreshed every couple of years via communiqués. |
Accountability | The TBS Directive on Privacy Practices, section 4.2.10, requires government institutions to notify individuals of their right to file a complaint to the Privacy Commissioner of Canada regarding the OCL’s handling of the individual’s personal information. The OCL privacy policy is embedded under the Terms and Conditions on the external facing website, which was difficult to find, and the policy does not include all TBS requirements for privacy notices. Individuals may not be aware of how their personal information is handled or of the rights afforded them through the Privacy Act and Access to Information Act. | Negligible | The external facing webpage is updated to inform individuals of their right to file a complaint with OCL and/or OPC and to include the process for receiving, assessing, and responding to privacy complaints. |
Identifying Purposes | The Privacy Act, subsection 5(2), requires government institutions to inform any individual from whom they collect personal information about the individual of the purpose for which the information is being collected. The TBS Directive on Privacy Practices, section 4.2.10, requires institutions to follow the privacy notice requirements outlined in the Directive. Individuals are not provided notice of the collection and information handling activities associated with M365 and may not understand how their personal information is handled. | Moderate | A privacy notice is developed to inform individuals of the purpose of the collection and all information handling practices. The privacy notice should be provided to individuals when they sign in to the Microsoft products. The privacy notice should be aligned with the TBS Directive on Privacy Practices requirements for privacy notices. |
Safeguards | The TBS Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice, section 6.1.4, requires government institutions to perform a security assessment and authorization of their information systems or services before approving them for operation. In addition, the Government of Canada Cloud Guardrails indicate that departments implement, validate and report on compliance with the guardrails. The Security Assessment and Authorization and GC Cloud guardrails have not been finalized. | Medium | The results of the Security Impact Analysis and GC Cloud guardrails are assessed to identify any risks to an individual’s right to privacy. The results should be incorporated into this PIA as an addendum. |
Safeguards | The TBS Directive on Privacy Practices, section 4.1.4, requires government institutions to ensure plans are in place with third-party entities that define the roles and responsibilities of all stakeholders, and that internal procedures and communications align with the Policy on Government Security and its related directives and standards. The TBS Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice also requires departments provisioning cloud-based services to establish appropriate mechanisms to respond effectively to security incidents. There is no formal security incident plan in place with Microsoft to ensure the OCL can respond to cyber security events in a consistent, coordinated, and timely manner. | Moderate | The roles and responsibilities for security incident handling activities between SSC, OCL and Microsoft have not been confirmed. A security incident handling arrangement should be in place with Microsoft to ensure OCL meets its requirements for reporting breaches in a timely manner. The OCL-Microsoft security incident plan should identify when Microsoft should contact OCL and who should be contacted, and the definition of a security breach should be agreed upon. |
Safeguarding | The TBS Policy on Privacy Protection, section 3.1.3, requires government institutions to ensure personal information under the control of the institution is effectively protected and managed. It is unknown whether configuration activities occurring in the future will be tested to ensure adequate safeguards are in place to prevent unauthorized uses and disclosures of personal information. | Negligible | Configuration changes occurring in the future should be tested to mitigate the risk of unauthorized uses and disclosures. Any updates to how personal information is handled should also be thoroughly tested to ensure adequate privacy and security controls are in place. |
Accuracy | The TBS Directive on Service and Digital, section 4.3.1.9, requires government institutions to protect information and data by documenting and mitigating risks and taking into consideration the protection of personal information. In the absence of a formal migration plan, there is a risk of data corruption or data loss when migrating data from the current to the new environment. | Low | A formal Exchange Online (EXO) migration plan is developed to ensure the integrity of the data. The migration plan should be tested to verify the integrity of the data. |
Openness | The Privacy Act, subsection 10(1), requires institutions to develop personal information banks for all personal information under the control of the institution that has been, is being used or is available for use for an administrative purpose, or is organized or intended to be retrieved by the name of an individual or by an identifying number, symbol or other particular assigned to an individual. The personal information collected through the implementation of the M365 products, security solutions, and mobile device and application management is organized or intended to be retrieved by the name or an identifying number assigned to an individual. | Moderate | The external facing website should be updated to inform foreign nationals abroad of the rights afforded them through the Privacy Act. An institution-specific PIB is created and published in the OCL Info Source to provide evidence of the administration of the program. |
Technology
Data will be stored in the Microsoft Canadian data centres. OCL will configure, deploy and maintain the M365 OCL cloud tenant; Microsoft will not have access to the OCL tenant without prior written approval of the OCL. The OCL will migrate Exchange mailboxes to the cloud-based solution/platform, for use with select Microsoft Office products/software and services. Access for administrators requires elevating role privileges and multi-factor authentication, while end-users authenticate using their current credentials. Microsoft security solutions will provide full protection for Microsoft applications by providing tools to monitor and protect cloud app data. The OCL will leverage the following computer-aided audit logging and monitoring tools within the M365 suite: end-user and administrator activity and events; data loss prevention; sign-in activity; identity protection; product provisioning; usage insights; and application and API transactions. M365 will have the ability to correlate information collected from various logs to understand the risk and security culture of the organization. OCL will be able to use data collected from the various data sources and logs to create and report on user product usage metrics and on security events. CSE’s cyber monitoring will involve automated scanning and analysis. Data matching may occur as a result of a security incident investigation, or for the identification and correlation of past security incidents. The project will import end-user email, contacts, and other mailbox information to M365.
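The Technology section above says administrator access requires elevated role privileges plus multi-factor authentication, and that sign-in and administrator activity logs will be correlated to support monitoring and incident investigation. The following is an added illustration of that kind of correlation written for this summary; it is not OCL or Microsoft code, and the record shape, the field names (`time`, `user`, `ip`, `mfa`, `operation`), the sample accounts, the 4-hour look-back window and the flagging rules are all constructed, simplified assumptions rather than the real M365 audit export schema. It checks each privileged operation against the most recent sign-in by the same account and flags operations with no recent sign-in, a sign-in that did not satisfy MFA, or a client IP that differs from the sign-in.

```python
"""Correlate constructed sign-in and administrator-activity records to flag
privileged operations whose preceding sign-in does not meet expectations.

Added example for a privacy/security review; the records below are constructed
and simplified (NOT the real M365 unified audit log or sign-in log schema).
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records: one per interactive sign-in (assumed field names).
SIGN_INS = [
    {"time": "2024-03-01T08:00:00", "user": "admin1@ocl.example", "ip": "203.0.113.10", "mfa": True},
    {"time": "2024-03-01T09:30:00", "user": "admin2@ocl.example", "ip": "203.0.113.11", "mfa": False},
    {"time": "2024-03-01T13:00:00", "user": "user1@ocl.example", "ip": "198.51.100.5", "mfa": True},
]

# Constructed administrator-activity records (assumed field names and operation labels).
ADMIN_OPS = [
    {"time": "2024-03-01T08:15:00", "user": "admin1@ocl.example", "operation": "Add member to role", "ip": "203.0.113.10"},
    {"time": "2024-03-01T09:45:00", "user": "admin2@ocl.example", "operation": "Set-Mailbox", "ip": "203.0.113.11"},
    {"time": "2024-03-01T14:00:00", "user": "user1@ocl.example", "operation": "New-TransportRule", "ip": "198.51.100.99"},
    # Eight hours after admin1's only sign-in: falls outside the look-back window.
    {"time": "2024-03-01T16:00:00", "user": "admin1@ocl.example", "operation": "Add member to role", "ip": "203.0.113.10"},
]

# Assumed policy: a privileged operation must follow a sign-in within this window.
WINDOW = timedelta(hours=4)


def parse(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(ts)


def find_sign_in(op: dict, sign_ins: list, window: timedelta = WINDOW):
    """Return the most recent sign-in by the same account that occurred at or
    before the operation and within `window`; None if there is no such sign-in."""
    t = parse(op["time"])
    candidates = [
        s for s in sign_ins
        if s["user"] == op["user"] and timedelta(0) <= (t - parse(s["time"])) <= window
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda s: parse(s["time"]))


def review_admin_ops(admin_ops: list, sign_ins: list, window: timedelta = WINDOW) -> list:
    """Correlate each privileged operation with its preceding sign-in and
    return a finding (with one or more reasons) for every operation that
    lacks a recent sign-in, whose sign-in did not satisfy MFA, or whose
    client IP differs from the sign-in's IP. Operations are kept in input order."""
    findings = []
    for op in admin_ops:
        s = find_sign_in(op, sign_ins, window)
        reasons = []
        if s is None:
            reasons.append("no sign-in within window")
        else:
            if not s["mfa"]:
                reasons.append("sign-in without MFA")
            if s["ip"] != op["ip"]:
                reasons.append("operation IP differs from sign-in IP")
        if reasons:
            findings.append({
                "user": op["user"],
                "operation": op["operation"],
                "time": op["time"],
                "reasons": reasons,
            })
    return findings


def summarize(findings: list) -> dict:
    """Count findings by reason, the kind of aggregate a usage/security report would carry."""
    return dict(Counter(r for f in findings for r in f["reasons"]))


if __name__ == "__main__":
    results = review_admin_ops(ADMIN_OPS, SIGN_INS)
    for f in results:
        print(f"{f['time']} {f['user']:<20} {f['operation']:<20} {'; '.join(f['reasons'])}")
    print(summarize(results))
```

Run against the constructed records it reports three of the four operations: admin2’s operation after a sign-in that did not satisfy MFA, user1’s operation from an IP that differs from the sign-in, and admin1’s second operation with no sign-in inside the look-back window. A real review would feed exported sign-in and audit records into the same two functions after mapping the export’s field names onto the assumed ones, and would treat the window and the IP-mismatch rule as tunable policy rather than fixed values.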