CSPS Privacy Impact Assessment (PIA) Summary: Microsoft Office 365
Description of the project
The purpose of this project is to migrate and modernise the Canada School of Public Service's (CSPS) work and collaboration tools from Office 2016 to Office 365.
Why the PIA was necessary
The CSPS collects, uses and discloses personal information to maintain a database of users and to give those users access to the tools they need to fulfill their roles. Office 2016 used to be managed locally on CSPS/Shared Services Canada (SSC) servers, but since Office 365 will be hosted on servers owned by the cloud service provider Microsoft Azure, the privacy impacts need to be re-evaluated.
The PIA is intended to help ensure that the CSPS remains compliant with the Privacy Act, and to help identify and mitigate any reputational risks associated with the administrative tasks required to provide access to Microsoft Office 365 tools to the CSPS' employees. It is also intended to help raise awareness at the CSPS of potential downstream risks emanating from the use of the personal information required to maintain Microsoft Office 365 services.
PIA findings and risk summary
Privacy risks arising from the School's administration of Microsoft Office 365 are considered to be moderate to low, as they involve limited collections of non-sensitive data. This data is collected and used for administrative purposes and includes names, addresses, phone numbers, e-mail addresses and IP addresses. The data is obtained indirectly through staffing or learning programs and is shared with SSC since they are also responsible for the management of user accounts. There is no new personal information being collected when compared with Office 2016, but in addition to being stored locally, the data is now also being stored on Microsoft Azure servers. This new strategy could increase the privacy risk profile of CSPS.
While present impacts on the privacy of individuals are being adequately managed by the CSPS through legal, policy and technical measures geared at the protection of personal information, ensuring that we continue to do so is of the utmost importance. Any changes to Microsoft Office 365 that may have an impact on the privacy of individuals should be considered carefully and evaluated against the PIA.