Risk Area |
Level of Risk |
Details |
A) Type of program or activity |
3 |
Microsoft Azure is used by system administrators to manage user accounts. The platform is also used to enforce usage policies, track changes made by users on the platform and detect abnormal behavior. Actions on the platform are reviewed on a regular basis and can sometimes lead to disciplinary actions against an individual. |
B) Type of personal information involved and context |
2 |
The information required for the creation of a new user in Microsoft Azure can either be collected directly from the user, a manager or from Shared Services Canada. The information captured for the creation of a user are: work email, first and last name, work location, work phone number, and manager name. |
C) Program or activity partners and private sector involvement |
4 |
While Microsoft Azure is a cloud platform hosted on Microsoft's infrastructure, personal information is not being shared with them. The personal information used for managing user accounts is only shared with Shared Services Canada. |
D) Duration of the program or activity |
3 |
Microsoft Azure will be adopted for the foreseeable future. There is currently no end date. The duration of the program will depend on how long Microsoft supports this solution for and also depends on future technology adoption trends. |
E) Program population |
3 |
Microsoft Azure will require contact information about individuals seeking services or collaborating with the Canada School of Public Service. This includes both internal and external users and clients. The contact information required for this activity includes the name, address, telephone number and e-mail address of the individual. |
F) Technology & privacy
| 1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
|
Yes |
|
2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services? |
No |
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies:
- Enhanced identification methods
- Use of surveillance
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques
|
Yes |
Laptops have Trusted Platform Module (TPM) chips that will be registered in Microsoft Azure. Also, Active Directory Federation Services (ADFS), Single Sign-On (SSO) and Multi-Factor Authentication (MFA) will be used. |
Yes |
Some functionalities of Microsoft Azure can be leveraged to gather audit trails and to monitor activities. |
Yes |
IP addresses, user names and other network traffic data can be used to monitor connection patterns and identify potential suspicious activity. |
G) Personal information transmission |
4 |
While the servers are using wired internet connections at Microsoft data centers, users may be using wireless connections in their homes when connecting to Microsoft Azure |
H) Potential risk impact to the individual or employee in the event of a privacy breach |
Low |
The level of risk is low. In order to provide Microsoft Azure services to clients, IT system administrators only require basic contact information such as employee names, e-mail addresses, phone numbers, departmental addresses and IP addresses.
More information on Privacy Breaches is available in the Directive on Privacy Practices on the TBS website. |
I) Potential risk impact to the institution in the event of a privacy breach |
Low |
The level of risk is low. The personal information stored on the Microsoft Azure platform may be at risk. The credibility and perception of the School may be impacted in the event of a privacy breach.
More information on Privacy Breaches is available in the Directive on Privacy Practices on the TBS website. |