Privacy Impact Assessment Summary for the IT Service Management Tool

Purpose

SSC is implementing a new ITSM tool, branded internally as Onyx, to improve upon communication and tracking of requests, incidents and changes between customers’ service desks and SSC’s Enterprise Service Desk. This tool is intended to standardize communication and establish a common way of working.

The ITSM tool will be used to track requests for service that relate to government employees but the tool will actually only be available for service desk staff (SSC and partner departments) and SSC individuals in IT support roles (that can help resolve requests for service). This is not an end-to-end tool and will not be used for the resolution of every IT ticket. Only five technology services will be requested through the ITSM tool.

Description

Enterprise ITSM Tool Project – is a multi-year project to establish an enterprise-wide state-of-the-art ITSM solution as a replacement for SSC’s current enterprise ITSM Tool, Enterprise Control Desk (ECD). This project will directly support SSC Service Management and other program initiatives by providing an Enterprise ITSM Tool Solution to be configured and deployed to production by a vendor.

Why the Privacy Impact Assessment (PIA) Was Necessary

The PIA was necessary to ensure privacy was taken into account throughout the development, testing and implementation of the ITSM and to identify any potential privacy risks and lower the risks through appropriate actions.

PIA Findings and Mitigation Measures

It is important to recognize that the majority of personal information (PI) is under the control of the individual tenant (pathfinders, partners, other departments) for ITSM implementation. These federal institutions should not assume that this assessment covers their privacy requirements and it is therefore recommended that they conduct their own Privacy Impact Assessments (PIAs), or complete addendums to cover their own privacy requirements if they determine this to be appropriate.

The PIA evaluated all components of the ITSM service involving the collection, use, retention, disclosures and/or disposal of Personal Information (PI) under the control of SSC. Personal information under SSC’s control is limited to name and business contact information.

The service will be deployed to organizations that subscribe to SSC’s Internet services, also known as, Internet subscribers. The PIA did not cover networks, infrastructures, processes or PI under the control of Internet subscribers.

The PIA found that ITSM had risks inherent related to privacy and the program is working to mitigate those risks. The risks identified relate to:

• Security Safeguards
• Info Source (Class of Personal Information)
• Potential for Over-Collection
• Retention
• Unassessed Privacy Safeguards (Privacy Management Plan)