Privacy impact assessment - Enterprise Service Management Solution (ESMS)

As part of its ongoing modernization efforts, and to improve the quality of its IT service delivery while reducing overall management and support costs, StatCan is aligning its services with the current and future needs of the business. To that end, the Agency has implemented a new Enterprise Service Management Solution (ESMS): BMC Helix, a Software as a Service (SaaS) system from the service provider BMC.

Objective

A privacy impact assessment for the Enterprise Service Management Solution (ESMS) was conducted to determine if there were any privacy, confidentiality, or security issues with this initiative and, if so, to make recommendations for their resolution or mitigation.

Description

The new solution integrates all the service delivery functions formerly available through the outgoing systems: HEAT, Service Request Management (SRM), the Self-service Hub request forms, the Informatics Account Portal (IAP), and other portals and forms that integrate with the HEAT system. BMC Helix is a cloud-based SaaS offering, rather than an on-site hosted solution like SRM-HEAT.

The system serves two functions: it is the service request system for IT, and it is the service request management system for internal service delivery areas including HR, Procurement, Finance, Facilities and Security. All services will now be provided through a single front-end portal (DWP). The IT Service Management (ITSM) suite (incident management, work order management, change management, asset and configuration management) will be used to deliver IT services. Business Workflows will be used for the other internal service delivery areas, whose services require confidentiality within StatCan.

Risk Area Identification and Categorization

The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:

a) Type of program or activity
   Description: Administration of program or activity and services
   Risk scale: 2

b) Type of personal information involved and context
   Description: Social Insurance Number, medical, financial or other sensitive personal information, or a context surrounding the personal information that is sensitive; personal information of minors or of legally incompetent individuals, or involving a representative acting on behalf of the individual.
   Risk scale: 3

c) Program or activity partners and private sector involvement
   Description: Private sector organizations, international organizations or foreign governments
   Risk scale: 4

d) Duration of the program or activity
   Description: Long-term program or activity
   Risk scale: 3

e) Program population
   Description: The program's use of personal information for internal administrative purposes affects all employees.
   Risk scale: 2

f) Personal information transmission
   Description: The personal information is transmitted using wireless technologies.
   Risk scale: 4

g) Technology and privacy
   Description: The ESMS software solution will be implemented to support StatCan IT and internal service delivery areas in a Software as a Service (SaaS) cloud environment hosted by BMC in its Government of Canada-approved Amazon Web Services (AWS) cloud. The solution will serve IT as well as various internal service delivery areas, and BMC will also be responsible for providing support in certain capacities. The platform includes self-service features available to employee users for, among other things, reporting issues, submitting service requests and performing other general user functions.

h) Potential risk that, in the event of a privacy breach, there will be an impact on the individual or employee
   Description: There is a low risk of a breach of some of the confidential personal information transiting through the Helix cloud. Should such a breach extend beyond StatCan, the impact on the individual would vary with the sensitivity of the information breached. See Appendix 2, Personal Information Elements Table, for a list of the personal information.

i) Potential risk that, in the event of a privacy breach, there will be an impact on the institution
   Description: There is a low risk of a breach of some of the confidential personal information transiting through the Helix cloud. Should such a breach extend beyond StatCan, StatCan's reputation could suffer from a perceived inability to safeguard employee personal information.

Conclusion

This assessment of the Enterprise Service Management Solution (ESMS) did not identify any privacy risks that cannot be managed using existing safeguards.