Privacy Impact Assessment Summary for the Workplace Communication Services

Description

The Workplace Communication Services (WCS) initiative is designed to replace legacy telephone services by providing Internet Protocol telephony (IPT) services. WCS is a fully managed service provided by TELUS to the Department of National Defence (DND) and, optionally, to other GC departments. The end-state for WCS is a secure, fully managed enterprise-level solution that delivers IPT and desktop communication services through bandwidth engineered for sharing, “no-fail” data centres, and standardized service management processes and procedures. SSC completed the Privacy Impact Assessment process for the enterprise aspects of WCS. Additional details and privacy analysis may also be available from DND.

Why the Privacy Impact Assessment (PIA) was necessary

The PIA was necessary to ensure privacy was taken into account throughout the development, testing and implementation of WCS, and to identify any potential privacy risks and lower those risks through appropriate actions.

PIA findings and mitigation measures

It is important to recognize that the majority of personal information is under the control of the individual tenant (pathfinders, partners and other government departments [OGDs]) for WCS implementation. Federal institutions should not assume that this assessment covers their privacy requirements. Therefore, it is recommended that they conduct their own PIAs, or complete addendums to cover their own privacy requirements if they determine this to be appropriate.

The PIA evaluated all components of WCS involving the collection, use, retention, disclosure and/or disposal of personal information under the control of SSC. Personal information under SSC’s control is quite limited: name and business contact information, Universal Resource Identifier, log-in status, and user credentials.

SSC identified, analyzed and assessed the personal information in WCS, its flows and privacy safeguards. The following risks were identified:

1. WCS information retention period and disposition processes have not been formally defined, approved and implemented
2. Insufficient Info Source publication
3. Unassessed privacy safeguards (Privacy Management Plan)
4. Service portal banner omits key privacy notifications
5. SSC has not formally delineated privacy expectations with OGD clients