Management Action Plan - Privacy Impact Assessment of the M365 Cloud Tenant
The PIA Management Action Plan is an evergreen document; it will be updated as measures are implemented so that progress can be tracked.
# | Privacy Risk | Recommendation | Risk Level before | Projected Risk Level after recommendations | Management's Response | OPI | Target Date (Quarter) | Status |
---|---|---|---|---|---|---|---|---|
1. | Accountability | A formal training plan should be in place to ensure that all employees are aware of the policies, procedures, and legal responsibilities under the Privacy Act. Employee training should be documented and refreshed every couple of years via communiques. | Moderate | Low | Information on policies, procedures and legal responsibilities under the Privacy Act will be added to the intranet. CSPS course COR502 will be added to the list of mandatory courses for all OCL employees. | Corporate Services (Manager, Corporate Services) | March 31, 2025 | Underway |
2. | Accountability | The external facing webpage is updated to inform individuals of their right to file a complaint with OCL and/or OPC and include the process for receiving, assessing, and responding to privacy complaints. | Negligible | Mitigated | The OCL Website will be updated to inform individuals of their right to file a complaint with the OPC and include the process to do so. | Corporate Services (Manager, Corporate Services) | October 31, 2024 | Completed |
3. | Identifying Purposes | A privacy notice is developed to inform individuals of the purpose for the collection and all information handling practices. The privacy notice should be provided to individuals when they sign into the Microsoft products. | Moderate | Mitigated | OCL has developed a privacy notice which will be displayed to individuals when they sign into M365. The privacy notice is developed in accordance with TBS requirements and will be implemented in accordance with the SSC technical guidance document. | Corporate Services (Manager, IT Operations and Systems Management) | October 31, 2024 | Underway |
4. | Safeguards | The results of the Security Impact Analysis and GC Cloud guardrails are assessed to identify any risks to an individual’s right to privacy. The results should be incorporated into this PIA as an addendum. | Medium | Mitigated or Mitigated to an acceptable risk tolerance level (Low) | The overall associated security impacts of the M365 migration are rated as LOW and are congruent with the stated security objectives for Confidentiality, Availability, and Integrity. The current efforts by the IT Operations team to address the requirements set out within the CSE recommended guardrails for M365 cloud services have been successfully undertaken. Security configurations in many cases have gone above and beyond the recommended baselines and as such the organization is afforded a greater protection profile. | Corporate Services (Manager, IT Operations and Systems Management) | March 2024 | Completed |
5. | Safeguards | The roles and responsibilities for security incident handling activities between SSC, OCL and Microsoft have not been confirmed. A security incident handling arrangement should be in place with Microsoft to ensure OCL meets their requirements for reporting breaches in a timely manner. The OCL-Microsoft security incident plan should identify when Microsoft should contact OCL, who should be contacted, and the definition of a security breach should be agreed upon. | Moderate | Mitigated to an acceptable level (Low) | OCL will work with Microsoft to develop a security incident plan that ensures OCL meets their requirements for security incident handling and privacy breach reporting. OCL should work with SSC to ensure the MSEA defines the roles and responsibilities of all stakeholders and not just SSC and Microsoft. | Corporate Services (Manager, IT Operations and Systems Management) / Shared Services Canada | March 31, 2025 | Underway |
6. | Safeguarding | Configuration changes occurring in the future should be tested to mitigate the risk of unauthorized uses and disclosures. Any updates to how personal information is handled should also be thoroughly tested to ensure adequate privacy and security controls are in place. | Negligible | Mitigated to an acceptable level (Low) | OCL will develop a plan to ensure configuration changes occurring in the future are tested to mitigate the risk of unauthorized uses and disclosures. | Corporate Services (Manager, IT Operations and Systems Management) | March 31, 2025 | Underway |
7. | Accuracy | A formal EXO migration plan is developed to ensure the integrity of the data. The migration plan should be tested to verify the integrity of the data. | Low | Mitigated | OCL has developed the EXO migration plan in alignment with the OPC’s migration plan and Microsoft recommendations. | Corporate Services (Manager, IT Operations and Systems Management) | June 2024 | Completed |
8. | Openness | The external facing website should be updated to inform foreign nationals abroad of their rights afforded them through the Privacy Act. | Moderate | Mitigated | The OCL Website will be updated to inform foreign nationals abroad of their rights afforded them through the Privacy Act. | Corporate Services (Manager, Corporate Services) | October 31, 2024 | Completed |
8. (cont.) | Openness | An institution specific PIB is created and published on the OCL info source to provide evidence of the administration of the program. | Moderate | Mitigated | The OCL will create an institution specific PIB and will publish it on the OCL info source following TBS approval. | Corporate Services (Manager, Corporate Services) | March 31, 2025 | Underway |