Signet D Network

Executive Summary

A Privacy Impact Assessment (PIA) was developed for the Departmental computer network known as SIGNET–D. This network is used primarily for unsecured information processing, storage, and management as well as unsecured messaging. The SIGNET D network is nearly 15 years old and has gone through several revisions. A revised PIA has been developed and is currently being reviewed. The revised PIA does not only address the SIGNET D Network, but it also addresses the messaging and email systems which were not part of the originally developed PIA. Its Executive Summary will be posted on this website as soon as possible.

The privacy assessment report that was initially developed for the SIGNET D network provided an insight into possible risks to personal information and recommended appropriate courses of action.

The assessment was part of the Department’s commitment to protection of personal information. It also met the Management of Information Technology Security (MITS) requirements obligating departmental major services to undergo a security and privacy assessment at this point.

The overall assessment of the SIGNET–D network was that there were limited low risks found during the assessment and that these can be addressed while the network is in operation.

1. Accountability for Personal Information

   Shared Drives:

   Personal information on SIGNET is of three types:

   • Employee’s personal information collected for the purpose of network access and authentication, which provides access to corporate network and applications.
   • Programs and services collect personal information as part of their operations and mandates. Personal information collected as part of programs each have a specific purpose and management criterion.
   • Personal information stored by employees, as a result of personal activities. This personal information is stored on shared drives by employees, for personal purposes and maintained and managed individually.

   In general, shared drives represent a medium level of risk that requires additional protection and structured management. These may be achieved by the following elements:

   • Defining roles and responsibilities
   • Establishing policies and procedures
     • Regularly scheduled privacy risk assessment by various stakeholders
   • Protection of personal information on shared drives
   • Management of personal information on shared drives
     • Program related personal information
     • InfoBank related information
     • Employees personal information generated by individual use, non–related or generated by departmental
   • Training and awareness
   • Audit and compliance

   The network (SIGNET–D) is currently designated for Protected “A” information and as such, the Information Protection Center (IPC) at DFAIT has developed plans to continually scan the shared drives using special software tools and identify information such as SIN numbers, and other highly important personal information. The plan is to issue “cyber infractions” to those users who store high–risk personal information on the shared drives. All information of protected “B” and “C” nature must reside on a separate network designated as SIGNET C–5. IPC has consulted with the Departmental legal advisors at JUS, and has received a blessing to proceed with the planned initiative / mitigation.

   The above recommended mitigations approach will ensure that the personal information will be collected, stored and managed with significantly lower levels of risks.

2. Collection of Personal Information

   Adequate Privacy Notice Statement:

   Department will develop a process by which employees are provided an opportunity to review a Privacy Notice Statement (PNS) prior to providing their personal information to receive proper privileges and accounts on the network.

   DFAIT employees using the shared drives to store their own personal information must be advised regarding the nature of the shared drives and potential risks.

3. Challenging Compliance

   Oversight, Review, and Documented Accountability:

   Proper policies need to be developed as part of management of personal information on SIGNET to reflect existing roles and responsibilities, as well as accountability in alignment with TBS Management Accountability Framework (MAF). The existing Departmental policy on The Network Acceptable Use Policy (NAUP) requires enhancement as a result of this PIA and select others (e.g. Voice Messaging) that recognize that the existing policy has a security focus only. The users of the network need additional information regarding management of their own personal information as well as comprehensive privacy notice statements that inform the users of their roles and responsibilities and accountability.