| Risk Area |
Level of Risk |
Details |
| A) Type of program or activity |
3 |
The platform is authorized for data up to Protected B inclusively. Microsoft 365's purpose is to facilitate collaboration and offer productivity tools that will help provide a better service to our clients.
ThinkOn Compass Data Protect for M365's purpose is to back up the data stored on the various M365 services to protect our data from data loss. |
| B) Type of personal information involved and context |
2 |
The information required for the creation of a new user in Microsoft 365 can either be collected directly from the user, a manager or from Shared Services Canada.
ThinkOn: The same information will be collected from M365 to be backed up on ThinkOn Compass Data Protect for M365. |
| C) Program or activity partners and private sector involvement |
2 |
While Microsoft 365 is a cloud based service hosted on Microsoft's infrastructure, personal information is not being shared with them. The personal information used for managing user accounts is only shared with Shared Services Canada.
While ThinkOn Compass Data Protect for M365 is a cloud based service hosted on ThinkOn's infrastructure, personal information is not being shared with them. The personal information used for managing user accounts is only shared with Shared Services Canada. |
| D) Duration of the program or activity |
3 |
Microsoft 365 will be adopted for the foreseeable future. There is currently no end date. The duration of the program will depend on how long Microsoft supports this solution for and also depends on future technology adoption trends.
ThinkOn Compass Data Protect for M365 will be used in conjunction with M365 for the foreseeable future. There is currently no end date. The duration of the program will depend on how long ThinkOn supports this solution, Microsoft supports M365, and also depends on future technology adoption trends. |
| E) Program population |
3 |
Microsoft 365 will require contact information about individuals seeking services or collaborating with the Canada School of Public Service. This includes both internal and external users and clients. The contact information required for this activity includes the name, address, telephone number and e-mail address of the individual.
ThinkOn: A copy of this same M365 information will be stored on ThinkOn services for the purpose of backup. |
| F) Technology & privacy
| 1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? |
Yes |
Laptops have Trusted Platform Module (TPM) chips that will be registered in Microsoft Azure. Also, Active Directory Federation Services (ADFS), Single Sign-On (SSO) and Multi-Factor Authentication (MFA) will be used.
Some functionalities of Microsoft 365 can be leveraged to gather audit trails and to monitor activities.
IP addresses, user names and other network traffic data can be used to monitor connection patterns and identify potential suspicious activity. |
| 2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services? |
Yes |
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies:
- Enhanced identification methods
- Use of surveillance
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques
|
Yes |
| Yes |
| Yes |
| G) Personal information transmission |
4 |
Microsoft 365: While the servers are using wired internet connections, users may be using wireless connections when connecting to Microsoft 365.
ThinkOn: The servers use wired internet connections, however, administrators will connect to the ThinkOn backup management platform via an internet browser from a workstations which may be using a wireless connection. |
| H) Potential risk impact to the individual or employee in the event of a privacy breach |
2 |
For both Microsoft 365 and ThinkOn:
The level of risk is considered low. In order to provide services to School employees as well as other federal government employees, IT system administrators require contact information such as employee names, e-mail addresses, phone numbers, departmental addresses and IP addresses. System administrators are not permitted to access personal and/or protected user files that are being stored on the Microsoft 365, Azure or ThinkOn Compass platforms, however they may be authorised to access this information upon request from a legal authority. |
| I) Potential risk impact to the institution in the event of a privacy breach |
2 |
For both Microsoft 365 and ThinkOn:
The level of risk is considered low. The personal information stored on the Microsoft 365, Azure or ThinkOn Compass platforms may be at risk. The credibility and perception of the School may be impacted in the event of a privacy breach. |
