- Section 1: Overview
- Section 2: Risk Area Identification and Categorization
- Section 3: Analysis of the Personal Information Elements for the Program or Activity
- Section 4: Flow of Personal Information for the Program or Activity
- Section 5: Privacy Compliance Analysis
- Principle 1: Accountability
- Principle 2: Limiting Collection
- Principle 3: Direct Collection and Purpose Identification
- Principle 4: Retention
- Principle 5: Accuracy
- Principle 6: Disposal
- Principle 7: Limiting use
- Principle 8: Limiting Disclosure
- Principle 9: Safeguards
- Principle 10: Openness
- Principle 11: Individual Access
- Section 6: Threat and Risk Assessment
- Section 7: Summary of Analysis and Recommendations
- Section 8: Breach protocol
- Appendix 1 – PIA Summary
- Appendix 2 – Personal Information Elements Table by Internal Service Delivery Area
- Appendix 3 – Systems Integration Table
- Appendix 4 – Privacy Notice Statement
Section 1: Overview
Responsible department: Statistics Canada
Chief Privacy Officer: Director, Office of Privacy Management and Information Coordination
Subject-matter manager: Director, IT Operations Services Division
Senior official: Assistant Chief Statistician, Digital Solutions
Legal authority: Financial Administration Act
Reference to Personal Information Bank (PIB):
Personal information collected and flowing through the Enterprise Service Management System (ESMS) is described in the standard PIB “Employee Personal Record”. The Personal Information Bank refers to personal information that is related to an individual’s employment with government institutions.
The standard “Employee Personal Record” Personal Information Bank (Bank number: PSE 901) is published on the Statistics Canada website under the latest Information about Programs and Information Holdings chapter.
Personal information collected by the internal service areas is described in their relevant PIBs and is considered out of scope for this Privacy Impact Assessment.
Project Description:
Under the authority of the Financial Administration ActFootnote 1, Statistics Canada (StatCan) is implementing a new solution for its internal services delivery.
Employees currently use internal tools to submit requests to internal service delivery areas within the organization using the outgoing SRM-HEAT-based infrastructure. SRM-HEAT was widely used throughout StatCan for managing IT operations and other corporate services. It consists of a legacy custom off-the-shelf (COTS) application (HEAT) and a custom developed Service Request Management (SRM) portal. This solution has now reached end of life and needs to be replaced.
As StatCan seeks to improve the quality of delivery of its IT services and reduce overall management and support costs, and as part of its ongoing modernization efforts, the Agency is now aligning services with the current and future needs of the business and has implemented a new Enterprise Service Management Solution (ESMS) for the organization called Helix Software as a Service (SaaS) system from the service provider BMC. This new system was chosen based on available Shared Services Canada (SSC) solutions who have approved and contracted the service from BMC for all departments within the Government of Canada (GoC).
The new solution integrates all the functions of service delivery formerly available through the outgoing systems: HEAT, Service Request Management (SRM), Self-service Hub request forms, Informatics Account Portal (IAP) and other portals and forms that integrate with the HEAT system. BMC Helix is a cloud-based SaaS, rather than the on-site hosted solutions of SRM-HEAT.
This system serves two main functions: to serve as a service request system for IT as well as a service request management system for internal service delivery areas including: HR, Procurement, Finance, Facilities and Security. For IT services, the new ESMS solution is a replacement of old, in-house built tools, which now allows for the management of internal services provisioning and the escalation of relevant service requests to Shared Services Canada (SSC). For the other internal service delivery areas, this system allows for information to be automatically entered into internal service delivery areas’ existing systems from one access point using one input interface. The solution enables StatCan to have a more responsive and innovative IT service that meets internal service delivery areas’ needs while also enhancing the employee user experience.
BMC Helix consists of many components, however only the following will be implemented and handle any personal information:
| Software | Purpose |
|---|---|
| Helix ITSM | Provides out-of-the-box-oriented IT Service Management functionality for the following processes: service request management, incident, problem, change, release, asset, service level management, and knowledge management, and configuration management. Includes Configuration Management Database (CMDB), Smart Reporting, and Smart IT. Foundation data is configured, stored, and maintained here. |
| Helix Digital
Workplace (DWP) |
A self-service web application for employee users to connect with IT and HR anywhere, any time, on any StatCan-issued work device. Includes assistance, approvals, and general broadcasts. Includes Virtual Chat and Digital Workplace Catalog. Users submit service requests using this tool. |
| Helix Business
Workflows |
BMC Helix Business Workflows is a modern case management solution that extends services for lines of business including HR, Procurement, Finance, Facilities and Security. This solution allows administrators to create and automate workflows using pre-defined functionality and leverages cognitive capabilities to eliminate manual work. |
| Helix
Administrative suite |
The BMC Helix Administrative suite is a collection of applications that are used to configure, update, and otherwise support the use of the platform. These apps include Remedy, Digital Workplace Admin, Service Catalog Administrator, Smart IT Admin, Business Workflows Case Catalog Administrator |
All services will now be provided via a unique front-end portal (DWP). The IT Service Management (ITSM) suite (incident management, work order management, change management, asset and configuration management) will be used to deliver IT services and is scheduled for implementation in December 2023. Business Workflows will be used for delivering other internal service delivery areas requiring confidentiality within StatCan, including HR, Procurement, Finance, Facilities and Security. which is scheduled for implementation in December 2023.
During the initial configuration of the Helix platform, foundation data will be loaded into the system (e.g., employee user profiles, organization and location information and support groups. See Appendix 2 for a list of all personal information elements). Employee user profile data is taken from Microsoft Active DirectoryFootnote 2 and will be updated and maintained via an automated integration with Helix. The other items will be updated via various maintenance update jobs on a determined set schedule via app integrations (see Appendix 3 – Systems Integration Table).
Integrations are used within the system by way of Application programming interfaces (APIs - e.g., REST API), secure protocols (e.g., EFT) and Security Assertion Markup Language (SAML). These integrations are used to connect to existing in-house platforms and data sources that are used by Helix, by and large for internal IT usage. These application integrations enable seamless communication and data exchange between Statistics Canada and BMC, utilizing different methods depending on the specific application (see Appendix 3 for details and list of information transmitted).
To create a service request, an authenticated employee user on a Statistics Canada issued device will open the Digital Workplace service catalogue page in a web browser, log in using the existing SSC Active Directory interface and submit a request for service to either IT or one of the other internal service delivery areas.
Employee users submit service requests via the DWP app, or they can contact IT or internal service delivery areas and the Case Agent can submit a request on their behalf. Employee users can monitor and track the status of their requests on the My Activity page within the DWP app. Requests submitted by employee users generate a work order or incident being created and the request is assigned to a Case Agent in the appropriate IT or internal service delivery support group responsible for actioning the request or issue. The IT Case Agents use the Smart IT tool within Helix ITSM to monitor and track work orders and incidents, while the other internal service delivery areas Case Agents use the Business Workflows webapp. The non-IT service area requests may involve the collection or use of personal information, depending on the request and service area. Each internal service delivery area was consulted to ensure that only personal information necessary to complete their respective requests is collected in the DWP webapp. This information is considered transitory and is only collected via this system but not retained in it. Instead, it is retained in the respective internal service delivery area’s systems (see Appendix 2 for a list of personal information collected or used by each service area).
Internal Statistics Canada Helix Administrators work in the system in a strictly administrative capacity to configure, monitor, maintain and support the system. They will not require or have any access to personal information.
As the Helix platform is a SaaS, cloud-based system, it requires BMC staff to provide support to Statistics Canada IT in a broader administrative capacity at the cloud level but they will not have any exposure to the personal information contained in any of the requests.
In addition to providing a unique front door entry for employees, additional benefits of BMC Helix include the ability to generate reports and statistics, allowing for both quantitative metrics (e.g., elapsed time) and qualitative metrics (e.g., employee user satisfaction) to be measured. This promotes continuous process improvement and provides end-to-end visibility into the IT service delivery process. Additionally, the solution offers exploratory analytics, enabling StatCan to uncover insights needed for informed IT business decisions. Lastly, the BMC Helix supports governance, evaluation, and innovation through asset life cycle management and service delivery management.
The scope of this assessment is limited to the use of this system. Internal service delivery areas’ associated collection, use or disclosure of personal information has been assessed through appropriate channels and is mentioned in this assessment for transparency purposes only.
Section 2: Risk Area Identification and Categorization
The following table evaluates the aggregate risk of the proposed initiative against a suite of standard dimensions applicable to most Statistics Canada programs and activities. The numbered risk scale is presented in an ascending order: level 1 represents the lowest level of potential risk for the risk dimension; the fourth level (4) represents the highest level of potential risk for the given risk dimension.
Applicable risk level for each dimension is in BOLD.
| a) Type of program or activity | Risk scale |
|---|---|
| Program or activity that does NOT involve a decision about an identifiable individual. | 1 |
| Administration of program or activity and services. | 2 |
| Compliance or regulatory investigations and enforcement. | 3 |
| Criminal investigation and enforcement or national security. | 4 |
| b) Type of personal information involved and context | Risk scale |
| Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program. | 1 |
| Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source. | 2 |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 |
| Sensitive personal information, including detailed profiles, allegations or suspicions and bodily samples, or the context surrounding the personal information is particularly sensitive. | 4 |
| c) Program or activity partners and private sector involvement | Risk scale |
| Within the institution (among one or more programs within the same institution). | 1 |
| With other government institutions. | 2 |
| With other institutions or a combination of federal, provincial or territorial, and municipal governments. | 3 |
| Private sector organizations, international organizations or foreign governments. | 4 |
| d) Duration of the program or activity | Risk scale |
| One-time program or activity. | 1 |
| Short-term program or activity (include established end-date). | 2 |
| Long-term program or activity (ongoing). | 3 |
| e) Program population* | Risk scale |
| The program's use of personal information for internal administrative purposes affects certain employees. | 1 |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 |
| The program's use of personal information for external administrative purposes affects certain individuals. | 3 |
| The program's use of personal information for external administrative purposes affects all individuals. | 4 |
| * The program’s use of personal information is not for administrative purposes. Information is collected for statistical purposes, under the authority of the Statistics Act. | N/A |
| f) Personal information transmission | Risk scale |
| The personal information is used within a closed system (i.e., no connections to the Internet, Intranet or any other system and the circulation of hardcopy documents is controlled). | 1 |
| The personal information is used in a system that has connections to at least one other system. | 2 |
| The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed. | 3 |
| The personal information is transmitted using wireless technologies. | 4 |
| g) Technology and privacy | |
|
Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? Yes. The activity involves implementation of a new, cloud-based SaaS platform that will include self-service features and functionalities available to employee users for the purpose of, for example, reporting issues, submitting service requests, and performing other general user functions. Users will log in and submit requests that may include personal information, depending on the request type, using a device issued by StatCan. The device may be directly connected to the StatCan network, or securely connected wirelessly and possibly over the internet. The ESMS software solution will be implemented to support StatCan IT and internal service delivery areas in a Software as a service (SaaS) cloud environment hosted by BMC in their Government of Canada approved Amazon Web Services (AWS) cloud. This solution will service IT as well as various corporate business clients: HR, Finance, Facilities,. BMC will also be responsible for providing support in certain capacities. Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? Yes. Given the integration of various existing systems to power and connect the incoming BMC Helix solution, there are several integrations that will either be developed or updated to fully implement BMC Helix. See Appendix 3 – Systems Integration Table for a list of the application integrations required to support connectivity from Statistics Canada to BMC. Specific technological issues and privacy Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
Yes. The implementation of the Helix system involves a modification of multiple technologies within Statistics Canada to improve internal services. Helix is a SaaS cloud-based system, which inherently allows for more access methods. It is used as a medium to communicate the existence and necessary information from a service request from an employee to the appropriate internal service delivery area for corporate services. The platform also allows for the generation of reports that will be used to assess program delivery. The potential injury level is medium, based on the Confidentiality, Integrity and Availability results in the Statement of Sensitivity (SOS). BMC has achieved Government of Canada protected B certification for their SaaS cloud environment. A full Security Assessment & Accreditation (SA&A) was conducted in accordance with the agency’s security practices and the project was approved for full authority to operate. The Canadian instance of the BMC Helix is hosted on Canadian AWS infrastructureFootnote 3 in their Montreal datacentre with failover in other Canadian data centres. The BMC SaaS Security Assessment Report has determined that the residual risk of using BMC Helix Remedy to support medium categorization of information and services is MEDIUM. The document contains a summary of the results of the Shared Services Canada assessment as to whether BMC Helix Remedy in Canada meets the IT security requirements for medium-high categorization of information and services within public cloud services. The assessment is limited to IT security requirements as defined in ITSG-33 [1]Footnote 4 and identified in the Medium Cloud Security Control Profile [2]. It considered the confidentiality, integrity, and availability requirements of GC IT services and information. A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation. |
|
| h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee. | |
| There is a low risk of a breach of some of the confidential personal information transiting through the Helix cloud. Should such a breach extend beyond StatCan, there could be an impact to the individual of varying significance depending on the sensitivity of the information breached. See Appendix 2, Personal Information Elements Table, for a list of the personal information. | |
| i) Potential risk that in the event of a privacy breach, there will be an impact on the institution. | |
| There is a low risk of a breach of some of the confidential personal information transiting through the Helix cloud. Should such a breach extend beyond StatCan, there could be a negative impact on StatCan’s reputation as a perceived inability to safeguard employee personal information. | |
Section 3: Analysis of the Personal Information Elements for the Program or Activity
The scope of this assessment is limited to the personal information required for the system. All other personal information collected, used, or disclosed by the internal service delivery areas to conduct their programs has been assessed through appropriate channels and is mentioned in this assessment for transparency purposes only. See Appendix 2 for the list of Personal Information elements transiting through the Helix ESMS and the internal service delivery areas to which they relate.
Within BMC Helix, foundation data which contains personal information is pre-loaded into the platform and used by all case agents to facilitate the fulfillment of service requests, change requests, and incident resolution. The following is a list of the foundation data based personal information:
A - Name (First name, last name, preferred name)
During the configuration of the system prior to its implementation, employee names will be obtained from foundation data which comes from the Active Directory database. This information will be visible to both employee users and internal service delivery areas in order to facilitate the fulfillment of a request.
B – Contact information - Telephone Numbers and Email Addresses (personal and/or work)
Telephone numbers and email addresses are collected directly from employee users (or entered by a case agent) submitting service requests to facilitate communication between employee users and internal service delivery areas during the fulfillment of the requested service. Personal telephone numbers or email addresses are required when the employee user does not have access to a work phone or email.
C - Address (Site address: Street number, street name, city, province, and postal code; building, floor, section, office #)
Site addresses are used from foundation data or collected directly from employee users (or entered by a case agent) submitting service requests when required to facilitate the fulfillment of the requested service (e.g., shipping IT Equipment to an employee).
E - Various Additional Elements – Internal Service Delivery Areas
Section 4: Flow of Personal Information for the Program or Activity
Identify the source(s) of the personal information collected and / or how the personal information will be created.
Information is collected from an employee user each time a service request is submitted and/or it can be obtained from foundation data stored within the BMC Helix environment. Personal information elements are captured in service request forms, either directly from individuals, or entered by a case agent when submitted via phone call.
Foundation data consists of common data elements, such as people, organization, locations, and categorizations that can be used to satisfy different requirements and to drive business processes and rules. The foundation data in BMC Helix is linked from Active Directory and as such a goal of the ESMS Project is to regularly synchronize with this data source.
Information provided by a requestor or obtained from foundation data will be used to facilitate the fulfillment of a service request or the resolution of an incident.
Identify both internal and external sources for the personal information's use and disclosure. That is, identify the areas, groups and individuals who have access to or handle the personal information and to whom it is provided or disclosed.
Personal information originates from one of two sources: It is either foundation data that is linked from Microsoft Active Directory, or collected directly from employee users. This collection may occur when employee users access Helix via the DWP interface, or by a case agent.
The personal information listed above in Section 3 will be used internally by each service delivery area to action requests for service. The personal information that is specific to the associated service area only transits through the system and is made available for case agents through one of two interfaces: for IT Case agents, through the Helix ITSM interfaces, and for internal service delivery areas case agents through the Business Workflows webapp.
BMC Helix is a SaaS cloud-based system which will require administrative and maintenance tasks from the service provider, BMC. BMC’s employees will have no access to the employee user personal information transiting through the system.
Identify where the personal information will transit and will be stored or retained.
All personal information will transit through the BMC Helix cloud once collected via the web-based user interface for request submission. It will then be stored in the system for IT-related requests to be actioned and retained according to the retention schedule or transmitted to client systems via BMC Helix Workflows where it will reside, and the appropriate retention period will be applied outside of the platform.
Internal service delivery areas are responsible for their own systems and the application of the proper retention periods once the information has been received through BMC Helix. All transitory information lives in the system until used by the program area and put into their systems. Information is disposed of after transiting through the system.
All data, including personal information, contained in the BMC Helix cloud will be housed on BMC’s Canadian Government servers – Amazon Web Services-based location in Montréal, Québec, Canada.
Identify where groups and individuals can access the personal information
The following table lists all users and their access to the system.
| Type of Users | Employer/Division | # of Users | Role | Helix Apps accessed | Access to personal information |
|---|---|---|---|---|---|
| Employee Users | StatCan/
All Divisions |
9000 | Create service requests,
Review service requests Monitor status of their service requests. |
Digital Workplace | Yes - employee users may access their own information submitted |
| Internal Helix Administrators | StatCan/
Information Technology Operations Services (ITOS) |
5 | Responsible for the Administration of the BCM helix tool suite of products.
Maintains all aspects of the service catalog, including templates, questionnaires, services, service level agreement (SLA) policies, cost adjustments, fulfillment workflows to attach to service catalog items. Also configures service connectors and performs other system administrative functions, and maintaining foundation data such as user profiles, organization and location info, and support groups. |
Helix Administrative Suite
(Digital Workplace Admin Service Catalog Administrator Smart IT Admin Business Workflows Case Catalog Administrator) |
No |
| IT Case Agents (Support Technicians) | StatCan/
Information Technology Operations Services (ITOS) |
250 | Create work orders
Monitor work orders and incidents (for the service requests that are created by employee users) |
Helix ITSM (Smart IT) | Yes - personal information linked from foundation data and included in support requests |
| Service Delivery Area Case Agents (Non-IT) | StatCan/ HR, Procurement, Finance, Facilities, Security | 150 | Create service requests,
monitor service requests that are created by employee users. |
Business Workflows | Yes - personal information linked from foundation data and included in support requests |
| External Administrators | BMC, Shared Services Canada (SSC) | 14 | Work on various activities for implementation. Work on support requests form Internal Helix Administrators to BMC for any issues that arise in the various environments. | Helix Administrative Suite (Digital Workplace Admin,
Service Catalog Administrator SMART IT Admin Business Workflows Case Catalog Administrator) |
No |
StatCan employee users who have a user account created in Active Directory will log in to their StatCan issued device and then authenticate via SSC Active Directory to gain access to BMC Digital Workplace Portal via a webpage on their work computers. Within the Digital Workplace Portal, employee users submit requests to any of the internal service delivery areas as well as access their personal information. All requests will have personal information in the form of foundation data linked to the requests and their profiles. Where applicable and appropriate some information submitted or linked can be reviewed by employee users within this portal as well (e.g., active requests, work assets assigned to the requestor).
IT Case Agents will respond to requests using BMC Helix ITSM and can further create subsequent work orders or incidents on behalf of employee users for IT use that are only accessible within the Helix ITSM suite.
Staff from other internal service delivery areas (e.g., HR, Finance, Facilities etc.) will respond to requests using only the BMC Helix Business Workflows interface. Business Workflows is a tool in the BMC Helix Suite that is used to maintain non-IT specific case data.
Both IT Case agents from different IT support groups, as well as groups of Business Workflow case agents from non-IT internal service delivery areas (e.g., HR, Facilities, Security, Finance, etc.) will use the system to transmit the relevant information collected in the requests or from linked foundational data into their own respective systems and workflows. Internal service delivery areas set up to use the tool, will only have access to requests that pertain to their service area. There is an audit log to track changes.
Administrators will have access to information within the BMC Helix ITSM administration tool. (aka ‘Mid-Tier’)
Section 5: Privacy Compliance Analysis
As recommended by the Office of the Privacy Commissioner’s Guide to the Privacy Impact Assessment Process, this ESMS has been assessed against the following principles that are based on the Organization for Economic Co-operation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Principle 1: Accountability
Statistics Canada is responsible for all personal information under its control and has designated individuals who are accountable for the agency’s compliance with the obligations of federal departments to respect privacy rights as described in sections 4 to 8 of the Privacy Act.
The Director of the Office of Privacy Management and Information Coordination is Statistics Canada's Chief Privacy Officer (CPO) and is accountable for the department's compliance with the principles contained in this document. The CPO is also responsible for the development of Statistics Canada's policies related to information, including all aspects of information classification, control, and access and for providing advice, guidance, and assistance in the implementation of information security measures.
The Chief Security Officer (CSO) is responsible for the day-to-day operations of the Departmental Security Office, and for the development and administration of the security program for Statistics Canada.
The Information Technology Operations Services (ITOS) Division, Service Management Office (SMO), as directed by the Director General of the IT Operations Branch and the Assistant Chief Statistician of the Digital Solutions Field, are responsible for applying all relevant central Agency and Statistics Canada policies related to privacy and the protection of personal information collected and used as part of the ESMS.
Internal service delivery areas such as HR, Finance and Facilities, are accountable for their respective programs and all related personal information submitted by employee users of their requests beyond it transiting through the system.
The ESMS and IT Operations Modernization Steering Committee oversees the management and implementation of the solution and ensures prompt action on related issues. The Committee is chaired by the Director of ITOS and co-chaired by a Director from one of the internal service delivery areas. The membership is comprised of key strategic partners throughout the organization.
An individual is able to address a challenge concerning compliance by Statistics Canada with the above principles.
Complaints may be addressed to:
Chief Privacy Officer
Statistics Canada
R.H. Coats Building, 2nd floor
100 Tunney’s Pasture Driveway
Ottawa, Ontario K1A 0T6
Telephone: 613-951-0466
E-mail: statcan.atip-aiprp.statcan@statcan.gc.ca
In addition, under the Privacy Act, individuals may make a complaint to the Office of the Privacy Commissioner of Canada, who will undertake an investigation.
Principle 2: Limiting Collection
The authority to collect and use this information falls under the Financial Administration Act. In accordance with the Privacy Act, personal information will be collected and used only if it relates directly to IT and each respective internal service delivery area’s business. Collection of the information is included in the personal information bank “Employee Personnel Record - PSE 901”.
The direct collection of personal information in the solution is specific to the type of request the employee user is making. Each form and web interface has been customized with input from the associated internal service delivery area to collect only the information required by the service area to respond to that specific request type.
Principle 3: Direct Collection and Purpose Identification
Personal information is collected in two main ways. Employee users provide basic personal information (name and contact information) directly by phone to a case agent, or webform when submitting service requests or incidents for information, products, or services. Depending on the type of request, further personal information about the employee user will either be pre-populated into a service request form using a corporate data source (e.g.: Activity Directory attributes) so as to reduce the burden of information entry on the requestor, or entered directly by the employee as information relating to their service request.
The purpose of the ESMS project is to standardize how Statistics Canada’s internal service delivery areas handle and respond to service requests from the workforce and to incidents. This purpose has been communicated by way of corporate communications made available to all employees prior to implementation of the system, including emails and posts on the Agency’s Internal Communications Network.
Further, a privacy notice (see Appendix 4) will be presented to employee users when they first log in to BMC Digital Workplace using the system’s infrastructure, which includes an active confirmation. The system will track the date of an employee user’s confirmed acceptance.
Principle 4: Retention
BMC Helix ITSM has been configured to run an automated archival process which applies the retention period based on the request type. There are 47 different archive/deletion policies for the various forms within the system. The policies are customized based on different qualifications/conditions and number of days that we specify. The Archive Manager console is used to configure a continuous archive job and extract and delete archive data as needed.
The process runs every 24 hours and triggers a pre-specified number of days after specific requests are marked as closed, retired, or cancelled.
Once closed, the information stored in the database is only accessible via corresponding interface by designated people of the Internal Helix Administrators group. The archived information may be accessed by External Administrators group, and only by request. In either case, this access will be reduced to need-to-know access by way of policy and be operated by documented administrative requests.
The specific retention period that is applied to archived personal information collected via BMC Helix varies depending on the type of request:
The retention period for the information collected and stored by the system for IT-related service requests is set, according to IM best practices, to two years after last administrative use (e.g., archiving of IT-related requests) of that data.
Internal service delivery areas are responsible for their own retention periods. Some information from non-IT related requests is considered transitory, and lives in the system until a request is accessed and transcribed into the associated internal service delivery area’s system, and then closed. This information is not archived.
Principle 5: Accuracy
In the application of Statistics Canada's policies, guidelines and practices related to the accuracy of personal information, the IT Operations Services Division has implemented the following:
Employee users submit their own personal information directly to the system, via request, and they can submit updates for IT-related requests or further requests using the BMC Digital Workplace to the internal service delivery areas to correct information. All linked information originates from internal service delivery areas respective established systems and programs withing Statistics Canada, and each of these has its own established practices to update this information with the respective information source.
Principle 6: Disposal
Retention and disposal of collected data will be done in accordance with Statistics Canada’s Policy on Information Management and Directive on the Management of Unstructured Information Resources.
Following the end of the retention period, personal information from archived IT-related service requests in BMC Helix will be disposed of via a secure, automated process within the BMC Helix platform. This disposal was assessed by Statistics Canada as part of the Security Assessment & Accreditation (SA&A) process and was deemed secure.
Personal information and all content from requests from internal service delivery areas using the system is automatically disposed to once the request is processed by the associated internal service delivery area transcribed into the appropriate service area system.
Principle 7: Limiting use
Personal information in the system is only used to respond to requests for service submitted by employee users. For personal information collected for requests to internal service delivery areas, the information is not used by IT for any purpose, and only transits through this system to the internal service delivery area case agents for further processing and use by the internal service delivery areas.
The data and personal information contained in the system are not used by BMC for any purpose. BMC staff provide support to Statistics Canada IT in a broader administrative capacity at the cloud level, but they will not have any exposure to the personal information contained in any of the requests.
On their first login to the system, each employee user is presented with a Privacy Notice (see Appendix 4) outlining how their personal information will be used. Employee users must click through the Privacy Notice and the date will be recorded.
Principle 8: Limiting Disclosure
Statistics Canada will not disclose personal information collected from the ESMS except for disclosure as permitted by the Privacy Act. BMC staff will not have direct access to information contained within the BMC Helix system.
Principle 9: Safeguards
Statistics Canada takes seriously its legal obligation to safeguard the personal information of all Canadians. The agency has had in place a framework of policies, directives, procedures and practices to safeguard protected information, including personal information, against loss, theft, unauthorized access or disclosure; they are supported by physical, organizational and technological measures that protect all the personal information that Statistics Canada holds.
User access controls are implemented to ensure that only staff that are directly responsible for the handling of requests have access to the personal information within them. Both internal and external administrators may have access to the system for system administration purposes, but the number of staff with that level access is restricted to only those that require it. Each user is given specific permissions to control the type of system access associated to their accounts based on the employee’s job and role, the confidentiality classification level of the information on a need-to-know basis.
The Agency also has a procedure that ensures oversight of client information and privacy management. Access logs have been implemented to the service delivery side to enable audits, as required, to confirm the integrity of the system. Upon discovery of an actual or suspected privacy breach (however unlikely), the steps described in Section 8 would be taken.
In addition, internal service delivery areas users will receive training on system use and privacy practices prior to being granted access during which they will be reminded that the information in the system cannot be used for any other purpose than delivery of the requested service
Technology and privacy issues
BMC Helix is a cloud-based platform, and as such, the personal information contained within it is not stored on-site. All services being used by Statistics Canada in the BMC Helix cloud are hosted on cloud servers within Canada. The BMC SaaS Security Assessment Report, performed by the Canadian Centre for Cyber Security within the Communications Security Establishment, has determined that the residual risk of using BMC Helix Remedy to support medium categorization of information and services is MEDIUM. The document contains a summary of the results of the Shared Services Canada assessment as to whether BMC Helix Remedy in Canada meets the IT security requirements for medium-high categorization of information and services within public cloud services. The assessment is limited to IT security requirements as defined in ITSG-33 [1] and identified in the Medium Cloud Security Control Profile[2]. It considered the confidentiality, integrity, and availability requirements of GC IT services and information.
BMC Helix uses secure integrations to allow for the secure transmission of information from the Digital Workplace portal internal systems, as described in the integrations table, which has been assessed to be the most secure way to transmit the personal information from one system to the next. Once done, a secure disposal of all transitory information will take place, leaving only a record of the interaction in the BMC Helix platform.
The personal information included within the BMC Helix system will only be accessible to Statistics Canada staff who are responsible for fulfilling client service requests and incidents. BMC Helix Single Sign-On (HSSO) has been chosen to authenticate users of the system. Only authenticated users on a Statistics Canada issued device using the browser will be able to access the BMC Helix sign-on page. The user will need to logon to HSSO using multi-factor authentication, and their Azure Virtual Desktop credentials. The authentication mechanism is SAML 2.0 and will use 2 factor authentication. The system will be located in the Azure-based cloud and has been set up with an organizational structure that helps control the access to various components.
Principle 10: Openness
Statistics Canada makes readily available specific information about its policies and practices relating to the management and protection of personal information. Information regarding the use of personal information in the form of a Privacy notice can be found on the agency’s website at www.statcan.gc.ca.
Summaries of approved Privacy Impact Assessments are also available from the website, under “About us – Privacy impact assessments” (http://www.statcan.gc.ca/about-apercu/pia-efrvp/pai-efvp-eng.htm).
A Privacy notice is presented to users on first login that details the legal authority for collection, purpose of the collection of personal information, and uses. (See Appendix 4)
Contacts for further information
For further information about the ESMS Project, the contact person is:
Robert Meester, Director
IT Operations Services Division
Statistics Canada
170 Tunney’s Pasture Driveway
Ottawa, Ontario K1A 0T6
Telephone: 613-447-4730
Email: robert.meester@statcan.gc.ca
Principle 11: Individual Access
The collection of personal information through the ESMS is described in the standard Personal Information Bank “Employee Personal Record” - PSE 901 which is published in in Statistics Canada’s Information about Programs and Information Holdingschapter. http://www.statcan.gc.ca/eng/public/ipih/index
Upon request, Statistics Canada will provide employees with access to their personal information held by the agency.
If employees wish to make a formal request for access to their personal information under the Privacy Act, the contact person at Statistics Canada is:
Access to Information and Privacy Coordinator
Statistics Canada
R.H. Coats Building, 2nd floor
100 Tunney’s Pasture Driveway
Ottawa, Ontario K1A 0T6
Telephone: 613-951-0466
E-mail: statcan.atip-aiprp.statcan@statcan.gc.ca
Section 6: Threat and Risk Assessment
The purpose of this section is to assess the ESMS for potential threats and risks that could compromise privacy. It outlines existing Statistics Canada safeguards, the probability of occurrence of the threat, and the severity of the impact as it relates to the privacy and protection of employee information.
Statistics Canada currently employs numerous safeguards to reduce threat probabilities; these safeguards are described in agency policies, directives, practices, tools and/or techniques.
Ratings for threat probability, impact and residual risk are defined and presented as follows:
Threat: An undesirable event with the potential to compromise privacy or breach data confidentiality.
Threat probability: The likelihood that the threat will occur, given the existing Statistics Canada safeguards. The threat probability is rated numerically.
- Level 1: The threat can only come about through the use of very specialized knowledge and/or costly specialized facilities and/or a sustained effort. The threat is unlikely to occur.
- Level 2: The threat requires some specialized knowledge and/or facilities and/or a special endeavor to create or take advantage of the threat opportunity. The threat is somewhat likely to occur.
- Level 3: The threat opportunity is widely available and can occur either intentionally or accidentally with little or no specialized knowledge and/or facilities. The threat is very likely to occur.
Impact: The effect on the privacy of an employee in the event that a threat is realized and his or her information is compromised. The level or degree of impact is expressed in terms of outcome severity as it relates to individual privacy.
- Level 1: Minor injury with no or minimal harm or embarrassment to the individual.
- Level 2: Moderate injury causing some harm or embarrassment to the individual, but with no direct negative effects.
- Level 3: Severe injury such as lasting harm or embarrassment that will have direct negative effects on an individual’s career, reputation, financial position, safety, health or well-being.
Residual risk: A numeric rating is arrived at through an assessment and comparison of the threat probability and the impact to individual privacy.
Threat and Risk Assessment Grid
Enterprise Service Management Solution (ESMS)
| Threats | Existing Statistics Canada Safeguards | Probability | Impact | Residual Risk | Assessment of Residual Risk |
|---|---|---|---|---|---|
| Environment: Risk associated with the privacy of personnel within Statistics Canada | |||||
| Activity: Access to the BMC Helix | |||||
| 1. There is unauthorized access to the ESMS solution by a non-Statistics Canada employee. | Access to BMC Helix is restricted to Statistics Canada personnel, and Shared Services Canada personnel who provide services to Statistics Canada. There are physical access controls in place in all Statistics Canada buildings. Informatics security measures include protection by a firewall, configuration, and access via Statistics Canada’s secure internal network. All StatCan users have an account in BMC Helix in order to submit service requests and system access requires an account and an assigned role with defined permissions. Administrator access is limited to authorized employees from the Service Management Office (SMO) of IT Operations Services (ITOS). | 1 | 1 | 1 | Acceptable |
| 2. There is unauthorized access to the BMC Helix by a Statistics Canada employee. |
Access to the ESMS environment is limited to work devices. Mobile Device Management is used to control mobile access by Android and iOS devices to Statistics Canada’s cloud tenant. Identification and authentication for Statistics Canada users is linked to their account in Active DirectoryFootnote 5. For initial activation of the account, an @statcan.gc.ca Azure Active Directory user account will be generated for all users and linked to their on-premise Net A Active Directory account. This Azure Active Directory account will be used to login to the platform and set up a multi-factor authentication which provides enhanced login security by requiring that the user provide more than one method of identification (for example provide a password and respond to a text or telephone call). System access requires a specific username and password that is limited to authorized employees of Statistics Canada and of Shared Services Canada. The password is kept within the system and is not accessible to anyone. Employees will be reminded of their requirements to safeguard their access to the ESMS solution from unauthorized use, particularly outside of Statistics Canada’s facilities. |
1 | 1 | 1 | Acceptable |
| Environment: Risk associated with the personal information that could be stored outside Statistics Canada | |||||
| Activity: Unauthorized Access to the ESMS (BMC Helix SaaS) Solution (Vendor bmc.com) | |||||
| 3. There is unauthorized access to the BMC Helix ESMS solution by an Internet attacker. | Authenticated users who log into the StatCan network and connect to the StatCan cloud tenant are issued a Security Assertion Markup Language (SAML) v.2.0 token which is required to access the BMC Helix at statcan.bmc.com instance. Azure Active Directory populates a People Table of all active StatCan users in a periodic sync and access to BMC Helix requires the user account is found in the BMC Helix People Table and a valid SAML token issued from Microsoft Azure Active Directory. Access to BMC Helix will not be possible without an user profile in the BMC Helix people table and a valid SAML token issued by AAD in the StatCan tenant. | 1 | 1 | 1 | Acceptable |
| 4. There is malicious access to the ESMS solution from an external body or mechanism (e.g., malware, viruses) |
Access to the ESMS is strictly limited to StatCan work devices. These devices employ anti-virus and anti-malware capability and the StatCan cloud tenant employs technologies to identify and remove viruses and malware. Mobile device management will be used to control mobile access by Android and iOS devices to Statistics Canada’s M365 tenant. These devices employ anti-virus and anti-malware technology to identify, quarantine, and remove malicious software. Identification and authentication for Statistics Canada users is linked to their account in Active Directory. Authenticated users who log into the StatCan network and connect to the StatCan cloud tenant are issued a Security Assertion Markup Language (SAML) v.2.0 token which is required to access the BMC Helix at statcan.bmc.com instance. Azure Active Directory populates a People Table of all active StatCan users in a periodic sync and access to BMC Helix requires the user account is found in the BMC Helix People Table and a valid SAML token issued from Microsoft Azure Active Directory. Access to BMC Helix will not be possible without a user profile in the BMC Helix people table and a valid SAML token issued by AAD in the StatCan tenant. For initial activation of the account, an @statcan.gc.ca Azure Active Directory user account will be generated for all users and linked to their on-premise Net A Active Directory account. This Azure Active Directory account will be used to login to the platform and set up a multi-factor authentication which provides enhanced login security by requiring that the user provide more than one method of identification (for example provide a password and respond to a text or telephone call). System access for departmental users requires a specific username and password that is limited to the authorized employee. The password is kept within the on-premise active directory and is not accessible to anyone. System security controls monitor the system to detect and handle suspicious content (e.g., malware, viruses). |
1 | 1 | 1 | Acceptable |
Section 7: Summary of Analysis and Recommendations
A privacy impact assessment for the ESMS was conducted to determine if there were any privacy, confidentiality and security issues associated with the tool, and if so, to make recommendations for their resolution or mitigation.
This document summarizes Statistics Canada’s assessment of the privacy implications of the ESMS. It includes a review of the privacy principles as they apply to the tool. Also included is an assessment of the risks to the privacy, confidentiality, and security of employee’s information.
This assessment did not identify any privacy risks that cannot be managed using existing safeguards.
Section 8: Breach protocol
The ESMS meets agency standards for both IT and physical security. It includes controlled physical access to the server for authorized personnel only, password protection for access to the server and to the database/tool, configuration, and use of a firewall. For this reason, the threat and risk assessment (TRA) grid rates unauthorized access by either Statistics Canada employees or individuals outside Statistics Canada as low probability.
Upon discovery of an actual or suspected privacy breach (however unlikely), the following steps, in accordance with the Statistics Canada Information and Privacy Breach Protocol, would be taken:
- Immediate notification of the Chief Security Officer and the Chief Privacy Officer. Response could include suspending operation of the ESMS activities.
- In collaboration with Departmental Security and IT Security, there would be an internal investigation that would include recommendations to prevent any recurrence. Any investigation would document in detail the circumstances that gave rise to the privacy breach, and determine what information may have been breached, the impact of the breach, and what measures have been introduced to eliminate the risk of any subsequent breach.
- In the case of a "material privacy breach", in accordance with the TBS Directive on Privacy Practices, Statistics Canada would notify the Office of the Privacy Commissioner (OPC) and the Treasury Board Secretariat (TBS). "Material breaches" are those involving sensitive personal information and that could reasonably be expected to cause serious injury or harm to the individual.
Depending on the nature of the breach, impacted individuals would be provided with an explanation of the situation and the steps being taken to remove the information from the possession of those not authorized to have it. Individuals would also be informed that they have the right to file a complaint with the Office of the Privacy Commissioner (OPC). The OPC and TBS would be informed of the individual(s) whose information was disclosed, the investigation and what actions have been taken to prevent a re-occurrence.
Appendix 1 – PIA Summary
Enterprise Service Management Solution (ESMS)
Privacy Impact Assessment Summary
Introduction
As StatCan seeks to improve the quality of delivery of its IT services and reduce overall management and support costs, and as part of its ongoing modernization efforts, the Agency is now aligning services with the current and future needs of the business and has implemented a new Enterprise Service Management Solution (ESMS) for the organization called Helix Software as a Service (SaaS) system from the service provider BMC.
Objective
A privacy impact assessment for the Enterprise Service Management Solution (ESMS) was conducted to determine if there were any privacy, confidentiality, or security issues with this initiative and, if so, to make recommendations for their resolution or mitigation.
Description
The new solution integrates all the functions of service delivery formerly available through the outgoing systems: HEAT, Service Request Management (SRM), Self-service Hub request forms, Informatics Account Portal (IAP) and other portals and forms that integrate with the HEAT system. BMC Helix is a cloud-based SaaS, rather than the on-site hosted solutions of SRM-HEAT.
This system serves two functions: to serve as a service request system for IT as well as a service request management system for internal service delivery areas including: HR, Procurement, Finance, Facilities and Security. All services will now be provided via a unique front-end portal (DWP). The IT Service Management (ITSM) suite (incident management, work order management, change management, asset and configuration management) will be used to deliver IT services. Business Workflows will be used for delivering other internal service delivery areas requiring confidentiality within StatCan.
Risk Area Identification and Categorization
The PIA identifies the level of potential risk (level 1 is the lowest level of potential risk and level 4 is the highest) associated with the following risk areas:
| Description | Risk scale |
|---|---|
| a) Type of program or activity | |
| Administration of program or activity and services | 2 |
| b) Type of personal information involved and context | |
| Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual. | 3 |
| c) Program or activity partners and private sector involvement | |
| Private sector organizations, international organizations or foreign governments | 4 |
| d) Duration of the program or activity | |
| Long-term program or activity. | 3 |
| e) Program population | |
| The program's use of personal information for internal administrative purposes affects all employees. | 2 |
| f) Personal information transmission | |
| The personal information is transmitted using wireless technologies. | 4 |
| g) Technology and privacy | |
| The ESMS software solution will be implemented to support StatCan IT and internal service delivery areas in a Software as a service (SaaS) cloud environment hosted by BMC in their Government of Canada approved Amazon Web Services (AWS) cloud. This solution will service IT as well as various internal service delivery areas. BMC will also be responsible for providing support in certain capacities. The platform includes self-service features and functionalities available to employee users for the purpose of, for example, reporting issues, submitting service requests, and performing other general user functions. | |
| h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee. | |
| There is a low risk of a breach of some of the confidential personal information transiting through the Helix cloud. Should such a breach extend beyond StatCan, there could be an impact to the individual of varying significance depending on the sensitivity of the information breached. See Appendix 2, Personal Information Elements Table, for a list of the personal information. | |
| i) Potential risk that in the event of a privacy breach, there will be an impact on the institution. | |
| There is a low risk of a breach of some of the confidential personal information transiting through the Helix cloud. Should such a breach extend beyond StatCan, there could be a negative impact on StatCan’s reputation as a perceived inability to safeguard employee personal information. | |
Conclusion
This assessment of the Enterprise Service Management Solution (ESMS) did not identify any privacy risks that cannot be managed using existing safeguards.
Appendix 2 – Personal Information Elements Table by Internal Service Delivery Area
| Personal Information Elements | Collection method/Origin of linked data | Associated internal Service delivery area system (storage location) | Purpose of collection/linkage |
|---|---|---|---|
|
HR, Corporate Compensation, Pay, Ethics and Workforce Management Division, Corporate Services Field Requests |
|||
|
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems -Galaxy, Time Management System (TMS) | This information is needed for pay hiring, paid/unpaid leave and employment termination purposes |
|
Procurement, Systems and Controls Division, Corporate Strategies and Management Field. |
|||
|
Direct BMC Helix request/ Client phone request | BMC Helix, SSC Onyx for cell phone info | This information is needed to contact clients. |
|
Financial Operations Division, Corporate Services Field Requests |
|||
|
Direct BMC Helix request/ Client phone request | CDFS: To connect with the Common Departmental Financial System (CDFS), the EFT (SFTP) method is used. | This information is needed to process onboarding requests. |
|
Procurement, Systems and Controls Division, Corporate Strategies and Management Field Requests |
|||
Permanent Departure process
Return to work, Temporary Departure processes
For Time Management System, Admin Portal and Salary Information Management System (SIMS) requests
|
Direct BMC Helix request/ Client phone request | BMC Helix | This information is needed for TMS, Admin Portal and SIMS activities. |
|
Facilities Management Requests |
|||
Request an ergonomic review:
Accessible Parking
|
Direct BMC Helix request/ Client phone request | BMC Helix | This information is needed to assist in providing equipment to employees for remote working, for ergonomic reviews and for accessible parking. |
|
HR - ICN - Accommodate employees with specific needs Requests |
|||
Employees requiring accommodation for medical reasons are not required to provide management with the diagnosis or intimate details of their disability but only information related to the nature of the limitation or restriction and whether such limitations/restrictions are permanent or temporary with any recommendations. The employer may enquire whether the employee is undergoing treatment or taking medications that could affect the safety of the employee or others in the work environment, or that could have an impact in relation to the accommodation measures. Only individual with a need to know have access to this information. |
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems | This information is needed from accommodating employees with specific needs. |
|
HR - ICN - Employee going on and returning from long-term sick leave Requests |
|||
An employee or manager could provide a medical certificate which outlines the employee’s medical situation and reason for the leave requested or taken or medical accommodations needed to ensure a smooth return to work following illness. |
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems - Galaxy, Time Management System (TMS), and Staffing Activity Management System (SAMS) | This information is needed to assist employees going on and returning from long term sick leave. |
|
HR - ICN - Federal student work experience program |
|||
|
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems - Galaxy, Time Management System (TMS), and Staffing Activity Management System (SAMS) | This information is needed for FSWEP. |
|
HR - ICN - Initiate a permanent departure Requests |
|||
Employee could provide a departure letter with personal information (email address, mailing address, reason for departure) or could provide offer letter from other department indicating new salary, home address, specific employment conditions, etc. |
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems - Galaxy, Time Management System (TMS), and Staffing Activity Management System (SAMS) | This information is needed for permanent departures of employees. |
|
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems | This information is needed for legal name or marital status change. |
|
Security - Request reliability status screening and security clearance screening Requests |
|||
|
Direct BMC Helix request/ Client phone request | BMC Helix, GCdocs and only accessible by the Personnel Security team | This information is needed to assist with security screening. |
|
HR - Retirement certificate Requests |
|||
|
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems | This information is needed for processing employee’s retirement. |
|
HR -Specific needs training Requests |
|||
|
Direct BMC Helix request/ Client phone request | BMC Helix, HR systems | This information is needed for specific needs training. |
|
Finance Requests |
|||
Reimbursement claim of fees for tax advisory services Proof of payment,
Federal Internship for Newcomers Program
|
Direct BMC Helix request/ Client phone request | CDFS: To connect with the Common Departmental Financial System (CDFS), the EFT (SFTP) method is used. | This information is needed for claim submissions for reimbursement of fees for tax advisory services. And for hiring through Federal Internship for Newcomers Program. |
|
Information Technology Operations Services Division – Client Services Modernization Requests |
|||
|
Client phone request/Direct BMC Helix entry | BMC Helix | This information is needed to contact users and for use in the People profile. |
List of data elements captured in People table with examples:
|
Linked from Active Directory | BMC Helix | This information is needed to populate people profiles as a part of Foundation data. |
Appendix 3 – Systems Integration Table
| Name of system | Integration method used | Explanation of use | Information transmitted |
|---|---|---|---|
| Corporate Access Request System (CARS) | REST API | Integration that allows CARS to create a work order in BMC Helix for each CARS request implemented for a user so that IT technicians are aware that a user was granted permissions via a CARS request. | BMC Template (info about support group) |
| JIRA | REST API | Used to create or update tickets in JIRA. Used if a technical solution is required. | User ID |
| Azure Monitor | REST API | Used to register major incidents detected in StatCan Azure Tenant in BMC. | None. |
| BMC TrueSight Orchestrator (BMC) | REST API | BMC Technology deployed in the StatCan Azure Tenant that actions requests from BMC SaaS tenant to create an account in StatCan Network A Active directory. It will also be used to update Account attributes. Note that requests that are initiated in BMC travel over the BMC Gateway to the BMC Client Gateway (hosted in Azure) which, in turn, forwards the request to StatCan Network A Active Directory. A response from Network A Active directory is then sent back to BMC via the client gateway. It is required to support Operations such as Onboarding a new employee. | See last row in Personal Information Elements Table for information transmitted. |
| IT Product Inventory Database (ITPID) | EFT (SFTP) | An export from StatCan ITPID application is periodically sent to BMC to be uploaded. This is done to keep an up-to-date list of applications and the infrastructure hosting applications in the BMC CMDB (Configuration Management Database) | Application ID, Application name |
| Common Departmental Financial System (CDFS) | EFT (SFTP) | An export from the StatCan/Shared Services CDFS application is periodically sent to BMC to be uploaded. This is done to keep an up-to-date list of hardware assets in the BMC CMDB and to keep track of which assets have been assigned to users. | User ID |
| Cloud Infrastructure – Microsoft Azure | EFT (SFTP) | An export of a scan of hardware devices hosted in StatCan Azure Tenant including Cloud Native locations (called namespaces) is periodically sent to BMC to be uploaded into the BMC CMDB. | None |
| Departmental Financial Signing Authority (DFSA) | EFT (SFTP) | An export of the DFSA table hosted in FINDEPOT is sent daily to BMC SaaS tenant to be loaded. It is used to support approvals within the BMC workflows. | Employee name, user ID |
| BMC People Table | EFT (SFTP) | An export of records from the StatCan Network A Active Directory is sent periodically to BMC SaaS tenant to be loaded. This is done to keep an up-to-date list of StatCan employees in the BMC People Table. | See last row in Personal Information Elements Table for information transmitted. |
| Login to BMC SaaS tenant | SAML 2.0
(SSO authentication) |
Allows StatCan users to access BMC hosted in the BMC SaaS tenant. | Authentication of user is done with Shared Services Canada Active Directory.
Only a token is passed to BMC. |
Appendix 4 – Privacy Notice Statement
Privacy Notice Statement: Enterprise Service Management Solution (ESMS)
Statistics Canada values your privacy and is committed to safeguarding your personal information within ESMS.
We want you to be informed about the use of your personal information within the Enterprise Service Management Solution (ESMS) provided by Statistics Canada (StatCan). Here's what you need to know:
The Enterprise Service Management Solution (ESMS) collects your personal information under the legal authority of the Financial Administration Act. It is gathered through the ESMS to deliver IT services efficiently and as an information collection vehicle for internal corporate services.
Personal information collected by the ESMS is collected by Statistics Canada to be used by IT and corporate services. This information may include, but is not limited to, personal information such as: banking information, employee tax details (including SIN), employment confirmation, disability insurance, medical certificates, and information related to exit clearance and return to work.
Personal information collected via this system will be used by the associated program area for the purposes of service delivery and will not be disclosed or used for any other purpose. Refusing to provide necessary personal information through this system may delay or prevent certain services (e.g.: implementation of telework arrangements) from being delivered.
The personal information collected through ESMS is described in the standard Personal Information Bank (PIB) "Employee Personnel Record" - PSE 901.
You have the right to access and correct your personal information under the Privacy Act. Please contact the Information Technology Operations Services Division for more information.
If you have concerns about the handling of your personal information within ESMS, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. They can be reached at info@priv.gc.ca or by telephone at 1-800-282-1376.