Title of the PIA

Assessing Privacy Risks on INFC's Programs and Activities in the rollout of Microsoft 365, 2020

Government Institution

Infrastructure Canada (INFC)

Head of INFC or Delegate for Section 10 of the Privacy Act

Melanie Davis, Director, ATIP and Executive Correspondence

Senior Official or Executive for the New or Substantially Modified Program or Activity

Director, Operation Support, Security, Information Management, Corporate Services

Name and Description of the Program or Activity of the Government Institution

All INFC's programs and activities

Legal Authority

The legal authority for the collection depends on the type of personal information collected and can be found in the various standard Personal Information Banks (PIBs).

Personal Information Bank

The rollout of MS 365 involves all of the standard personal information banks.

Short Description of the Project, Initiative or Change

Microsoft 365 (MS 365) is the newest suite of Microsoft products. It includes collaboration software with the entire Microsoft Office product line in one integrated solution. As a cloud-based collection of online services, it consists of hosted email, social networking, collaboration tools and cloud storage. Shared Services Canada is leading the Government of Canada implementation of MS 365 and related integrated solutions by procuring licenses and making them available to all federal departments. The project consists of the rollout of:  

• Communications – instant messaging, audio and video calls, meetings, presentations;
• File sharing, collaboration and storage;
• Cloud and a collaboration-enabled Office Suite; and
• Email migration with cloud integration.

MS 365 includes the following software:

• Microsoft Office (Word, Excel, PowerPoint, Outlook, OneNote, Access and Publisher);
• Microsoft Teams (a communication platform); and
• Microsoft OneDrive (cloud storage).

Infrastructure Canada (INFC) is preparing to migrate to the Microsoft 365 transformative update that will move INFC's Microsoft Office products into the cloud. The online storage and cloud-connected features allows for collaboration on files in real time. 

Risk Area Identification and Categorization

The following section contains risks identified in the PIA for the new or modified program. The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.

Type of Program or Activity

Administration of program or activity and service, compliance or regulatory investigation and enforcement and/or criminal investigation and enforcement

Level of risk to privacy: 4

Type of Personal Information Involved and Context

Social insurance number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive

Level of risk to privacy: 3

Program or Activity Partners and Private Sector Involvement

Private sector organization

Level of risk to privacy: 4

Duration of the Program or Activity

Long term program or activity

Level of risk to privacy: 3

Program Population

The program affects certain individuals for internal and external administrative purposes.

Level of risk to privacy: 3

Technology & Privacy

The use of existing and new electronic systems, applications or software including collaborative software to support the program or activity in terms of the creation, collection or handling of personal information.

Level of risk to privacy: 2

Personal Information Transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

Risk Impact to the Individual or Employee in the Event of a Privacy Breach

Inconvenience, reputation harm, embarrassment, financial harm

Level of risk to privacy: 3